Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
A team's first reaction after an incident often reveals its true colors.
The decentralized stablecoin protocol Resupply lost $9.6 million to theft. What looked like a "routine" DeFi security incident deteriorated sharply within a few days: the project team did not address the attacker, take a public position, or offer a bounty, and the founder of OneKey, an investor, publicly sought redress. The incident quickly evolved from a technical issue into a conflict of values and spilled over to the Curve ecosystem behind it.
This is no longer a simple theft but a chain reaction that spun out of control under the combined pressure of technical errors and governance arrogance, implicating everything around it.
Event Review: From Security Incident to Public Relations Disaster
On June 26, Resupply was attacked and lost about $9.5 million. After the incident, the team issued only a brief tweet explaining the situation and neither pursued the hacker nor offered a bounty, which raised doubts in the community.
At the same time, users reported being banned and removed after raising questions on Discord, and the community atmosphere deteriorated rapidly. Yishi, the founder of OneKey, spoke out publicly, revealing that he, as one of the three largest investors in Resupply, had lost millions of dollars. He pointed out that the project was forcibly allocating the bad debt to depositors in the insurance pool, that is, making ordinary stakers pay for technical errors.
On June 28, Resupply released an attack analysis report, saying that the vulnerability affected only specific token trading pairs and that the rest of the market was operating normally. It also put forward a governance proposal to use 6 million reUSD from the insurance pool to cover the bad debt, with the remainder to be repaid gradually from future protocol income. However, this move did not quell the "anger".
On June 29, Yishi spoke out again, criticizing the team for failing to pursue accountability right away and instead "taking money directly from users' pockets", and even extending the unlock period and restricting withdrawals. More seriously, the community was filled with insults, racially discriminatory remarks and similar comments.

In addition, DeFi researcher @22333D released multiple videos criticizing the team for its irresponsibility after a low-level contract error. SlowMist founder Yu Xian also publicly suggested adding it to the watch list for the top 10 worst-handled security incidents in history.
In the end, this security incident evolved into a compound crisis of "governance negligence + suppression of public opinion + a fractured community".
The "Security Black History" of the Team Behind Resupply
In this attack, hackers exploited the price manipulation vulnerability in the ResupplyPair contract, combined with the ERC4626 inflation vulnerability, and borrowed about $10 million in reUSD against 1 wei of collateral. This attack method is not complicated. Crypto KOL Zishi even called it the "lowest common" error, one that shows the team's serious negligence in the design of the core contract.
What is more worrying is that this is not the first time the development team behind Resupply has been caught up in a security crisis.
As early as March 2024, Prisma Finance, the predecessor of Resupply, lost more than $11.6 million to a hacker attack. Although the attacker claimed to be a white hat and left on-chain messages many times, the incident came to nothing. It was not until 9 months later that the Prisma project was officially closed and Resupply was launched as a "successor".
In addition, according to community users, over the past few years the team's associated projects have suffered an average of nearly 10 million US dollars in capital losses each year. (Note: Resupply is the subDAO protocol of Convex Finance and Yearnfi.) This abnormal "accident frequency" has led the community to begin questioning whether the team behind it is suspected of embezzlement.

Image source: @22333D
The crack in trust spreads: the Curve ecosystem
As the controversy over Resupply escalated, Curve was also drawn into the vortex of this trust crisis. Although the two are not run by the same team, they are closely linked. The Resupply protocol is built on the Curve ecosystem and relies on its liquidity pools and mechanisms. In the early days of its launch, Curve officials also endorsed Resupply.
Because of this, many users chose to stake on Resupply and participate in the insurance pool based on their trust in Curve. Judging by the results, Resupply's growth did feed back into Curve.
Crypto KOL Crypto Wei said that after the Luna crash in 2022, Curve's TVL plummeted, and that it has continued to decline through many events including Michael buying a house, being hacked twice, stETH's delisting, and FTX's collapse.

After Resupply was launched in March this year, it injected vitality into Curve, but now that this "life-extending" project is embroiled in controversy, Curve's old scores have been dredged up as well.
In the community, some users began to say that they would boycott Curve ecosystem projects; others believed that Curve should not be held responsible for the technical errors of ecosystem projects. But more users were disappointed with the subsequent response of the Curve team and founder Michael: they were eager to clarify their relationship with Resupply, and were more inclined to defend the Resupply project in public statements.
In addition, after OneKey founder Yishi publicly sought redress, Michael not only claimed that "he would no longer use OneKey products in the future", but also stated that he would sue Yishi for "damaging Curve's reputation".

The collapse of trust in Resupply stems from more than code errors. Like a mirror, it reflects the project team's moral bottom line as exposed by the crisis, and it reveals the lack of responsibility, transparency and accountability in the ecosystem's expansion.
The aftermath of the incident will eventually subside, but the rift in trust may never be bridged.