Deeply mired in theft, public relations crisis, and racial discrimination: What happened to Resupply, which lost 9 million dollars?


Author: Fairy, ChainCatcher

Editor: TB, ChainCatcher

The first reaction after an incident often reveals the true nature of a team.

The decentralized stablecoin protocol Resupply was hacked for $9.6 million. What initially seemed like a "routine" DeFi security incident rapidly escalated within a few days: the project team remained silent, did not issue a statement, and did not offer a bounty, while OneKey's founder publicly defended investors. The incident quickly transformed from a technical issue into a conflict of values, affecting the underlying Curve ecosystem.

This is no longer a simple theft incident, but a chain-reaction collapse that spiraled out of control under the dual pressures of technical errors and governance arrogance.

Incident Review: From Security Incident to PR Disaster

On June 26, Resupply was attacked, resulting in a loss of approximately $9.5 million. After the incident, the team only released a brief tweet explaining the situation, but took no action to track the hacker or issue a bounty, leading to community confusion.

At the same time, users reported being muted and removed after raising questions in Discord, causing the community atmosphere to deteriorate rapidly. OneKey's founder Yishi publicly spoke out, revealing that as one of Resupply's three major investors, he lost millions of dollars, and pointed out that the project team was forcing the bad debts onto the insurance pool depositors, essentially making ordinary stakers pay for the technical mistakes.

On June 28, Resupply released an attack analysis report, stating that the vulnerability only affected specific token trading pairs, while the rest of the market was operating normally. They proposed a governance plan to use 6 million reUSD from the insurance pool to cover the bad debts, with the remaining portion planned to be gradually repaid through future protocol revenues. However, this move did not quell the "anger."

On June 29, Yishi spoke out again, criticizing the team for not holding anyone accountable immediately, but instead "directly taking money from users," even extending the unlocking period and restricting withdrawals. More seriously, the community was filled with insults, expulsions, and racist remarks.

In addition, DeFi researcher @22333D released multiple videos harshly criticizing the team for their lack of accountability after a basic contract error. The founder of SlowMist, Yu Xian, also publicly stated that he suggested including this incident in the top 10 worst security incident handling cases in history.

Ultimately, this security incident evolved into a multi-faceted crisis encompassing "negligent governance + public opinion suppression + community division."

The "Security Black History" of the Team Behind Resupply

In this attack, the hacker exploited a price manipulation vulnerability in the ResupplyPair contract, combined with an ERC4626 inflation vulnerability, to borrow approximately $10 million in reUSD with just 1 wei of collateral. The attack method is not complex; crypto KOL Zishi even referred to it as a "very basic common" error, highlighting the team's serious negligence in core contract design.
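A general illustration of the ERC4626 share-price inflation class named above, added here; it is not Resupply's contract code and not a reconstruction of the exploit. It models share accounting with Solidity-style floor division and a lending-side guard that refuses to price vault shares when supply is dust-sized or the price jumps; the class, function names and thresholds are assumptions.

```python
# Integer model of ERC-4626 share accounting with Solidity-style floor division.
# Constructed for illustration; all names and thresholds are assumptions.
WAD = 10**18  # fixed-point scale for the share price


class Vault:
    def __init__(self):
        self.total_assets = 0  # underlying tokens held by the vault
        self.total_supply = 0  # shares in circulation

    def deposit(self, assets):
        # First deposit mints 1:1; later deposits mint pro rata, rounded down.
        if self.total_supply == 0:
            shares = assets
        else:
            shares = assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def receive_transfer(self, assets):
        # A plain token transfer raises the balance without minting shares.
        self.total_assets += assets

    def assets_per_share(self):
        return self.total_assets * WAD // self.total_supply


def accept_as_collateral(vault, last_price, min_supply=10**18, max_jump_bps=500):
    """Lending-side guard (hypothetical): refuse to price vault shares when
    supply is dust-sized or the share price moved more than max_jump_bps."""
    if vault.total_supply < min_supply:
        return False, "supply below minimum"
    price = vault.assets_per_share()
    if abs(price - last_price) * 10_000 > last_price * max_jump_bps:
        return False, "share price jump"
    return True, "ok"


def demo():
    thin = Vault()
    thin.deposit(1)                   # 1 wei of shares is the whole supply
    thin.receive_transfer(10**25)     # balance inflated, no new shares
    healthy = Vault()
    healthy.deposit(5 * 10**24)
    healthy.receive_transfer(10**23)  # ordinary yield: +2%
    return (thin.assets_per_share(), accept_as_collateral(thin, WAD),
            healthy.assets_per_share(), accept_as_collateral(healthy, WAD))
```

In the thin vault the reported price of one share is simply the vault's whole balance, which is why a lending market that trusts that figure without a supply floor or a jump limit can be misled by a near-empty vault.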

What is even more concerning is that the development team behind Resupply is not new to security controversies.

As early as March 2024, Resupply's predecessor, Prisma Finance, suffered a loss of over $11.6 million due to a hacker attack. Although the attacker claimed to be a white hat and left multiple messages on-chain, the incident ultimately ended without resolution, and nine months later, the Prisma project was officially shut down, leading to the launch of Resupply as its "successor."

Additionally, according to community users' compilations, the team has been associated with projects that have averaged nearly $10 million in losses each year over the past few years. (Note: Resupply is a subDAO protocol of Convex Finance and Yearnfi.) This unusual "incident frequency" has led the community to question whether the team is involved in self-theft.


Image source: @22333D

The Cracks of Trust Spreading: The Curve Ecosystem

As the public sentiment around Resupply intensified, Curve also became embroiled in this trust crisis. Although the two are not from the same team, their relationship is close. The Resupply protocol is built on the Curve ecosystem, relying on its liquidity pools and mechanisms for support. In the early stages, Curve's official team even endorsed Resupply.

Because of this, many users, based on their trust in Curve, chose to stake and participate in the insurance pool on Resupply. As a result, Resupply's growth indeed fed back into Curve.

Crypto KOL Crypto Weituo stated that after the Luna crash in 2022, Curve's TVL plummeted dramatically, and it continued to decline after multiple incidents, including Michael's house purchase, two hacks, stETH's decoupling, and the FTX collapse.

After Resupply launched in March this year, it injected vitality into Curve, but now the "lifeline" has become controversial, bringing its old debts back into the spotlight.

In community discussions, some users began to claim they would boycott Curve ecosystem projects; others argued that Curve should not be held accountable for the technical mistakes of ecosystem projects. However, more users expressed disappointment with the Curve team and founder Michael's response afterward: they were eager to clarify their relationship with Resupply and seemed more inclined to defend the Resupply project team in public statements.

Furthermore, after OneKey's founder Yishi publicly defended investors, Michael not only claimed that he "would no longer use OneKey products" but also stated that he would sue Yishi for "damaging Curve's reputation."

The collapse of trust in Resupply stems not only from code errors; it is also a mirror of the moral bottom line the project team exposed in a crisis, revealing the ecosystem's lack of responsibility, transparency, and accountability during its expansion.

The aftermath of the incident will eventually subside, but the cracks in trust may never be fully repaired.
