The DeFi protocol Resupply was hacked for $9.6 million through a contract vulnerability, and now it is asking users to "dig into their own pockets" to cover the shortfall?


Original source: 1912212.eth, Foresight News

In recent years, the rapid growth of the DeFi sector has attracted countless investors and developers, but its high-risk, high-return nature has also produced a steady stream of serious incidents. Recurring hacks in which funds are stolen have become a constant worry for on-chain asset managers and arbitrageurs. On June 27, the DeFi protocol Resupply suffered a major security breach in which $9.6 million was stolen, an event that became widely known in the community because of the public campaign launched by OneKey founder Yishi Wang.

As one of the main investors in Resupply, Yishi publicly criticized the project's missteps and called for accountability from the relevant parties. His actions sparked widespread discussion within the community, even leading to a heated confrontation with Curve founder Michael Egorov.

Contract Vulnerability Leads to User Funds Being Completely Emptied

Resupply is an emerging DeFi protocol aimed at attracting users and investors through innovative liquidity management and yield strategies. DeFi protocols typically achieve automated management of funds through smart contracts, allowing users to deposit crypto assets for returns. However, the complexity of such protocols and code vulnerabilities often make them targets for hacker attacks. Since its launch, Resupply quickly attracted significant funds and attention due to its high yield promises and collaborations with well-known DeFi projects like Curve, Convex, and Yearn, managing hundreds of millions in assets before the theft occurred.

Yishi Wang, founder of the crypto wallet company OneKey, is one of the top three investors in Resupply. According to his public statements on X, he personally invested millions of dollars into Resupply, and this attack not only caused significant financial losses but also brought immense psychological pressure.

According to Yishi's analysis, the root cause of the incident was that the Resupply team failed to burn the initial shares when deploying a new vault, which left the smart contract exposed to the "inflation" share-minting vulnerability known from the ERC-4626 standard. This vulnerability allowed the attacker to mint an unlimited number of tokens at zero cost and drain the assets in the fund pool.
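The ERC-4626 problem described above can be shown in a few lines of share arithmetic. The following Python model is an added illustration, not Resupply's code and not a reconstruction of the actual exploit (the page gives no contract details); it simulates the standard `convertToShares` / `convertToAssets` formulas with integer division, and it compares a vault deployed with zero shares against one whose deployer seeds the vault and burns the resulting shares, which is the step the article says was missed. The vault class, the deposit amounts and the "0xdead" burn address are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of ERC-4626 share accounting (integer maths, as in Solidity).
# Added example for illustration; it is not the Resupply contract.

WAD = 10**18  # one whole token with 18 decimals


@dataclass
class Vault:
    total_assets: int = 0
    total_shares: int = 0  # includes any dead (burned) shares
    balances: dict = field(default_factory=dict)

    def convert_to_shares(self, assets: int) -> int:
        # ERC-4626 convertToShares, rounding down. With zero shares
        # outstanding the vault prices shares 1:1 against assets.
        if self.total_shares == 0:
            return assets
        return assets * self.total_shares // self.total_assets

    def convert_to_assets(self, shares: int) -> int:
        if self.total_shares == 0:
            return shares
        return shares * self.total_assets // self.total_shares

    def deposit(self, who: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        # Tokens transferred straight to the vault contract: totalAssets grows
        # but no shares are minted, so the price of one share jumps.
        self.total_assets += assets

    def seed_dead_shares(self, assets: int) -> int:
        # Mitigation: at deployment, deposit and burn shares (here: credit them
        # to an unreachable address) so total_shares can never be zero again.
        return self.deposit("0xdead", assets)


def check_deployment(v: Vault, min_dead_shares: int) -> bool:
    # Post-deployment invariant a deployer should verify before opening the
    # vault to users: burned shares exist and the supply is non-zero.
    return v.total_shares > 0 and v.balances.get("0xdead", 0) >= min_dead_shares


def run_scenario(seed_assets: int) -> dict:
    """Same sequence of events against a vault with or without dead shares."""
    v = Vault()
    if seed_assets:
        v.seed_dead_shares(seed_assets)
    v.deposit("first", 1)            # a 1 wei deposit while supply is tiny
    v.donate(10_000 * WAD)           # direct transfer inflates the share price
    second_deposit = 10_000 * WAD
    second_shares = v.deposit("second", second_deposit)
    second_value = v.convert_to_assets(second_shares)
    first_value = v.convert_to_assets(v.balances["first"])
    return {
        "deployment_ok": check_deployment(v, WAD // 2),
        "second_shares": second_shares,
        "second_loss": second_deposit - second_value,   # rounding loss
        "first_value": first_value,
    }


if __name__ == "__main__":
    # Unseeded vault: the second depositor receives 0 shares and the holder of
    # the single existing share can redeem everything.
    print("no dead shares:", run_scenario(0))
    # Seeded vault: the rounding loss is bounded by the price of one share,
    # and the donation is absorbed almost entirely by the burned shares.
    print("1 token of dead shares:", run_scenario(WAD))
```

The point a deployer should take from the model is the invariant in `check_deployment`: when `total_shares` is zero (or a single wei), one share can be made to represent the whole pool, and integer rounding lets later depositors be credited with nothing. Once a meaningful amount of shares is burned at deployment, the same donation only moves the share price by a tiny fraction, the rounding loss is capped at roughly one share's worth of assets, and the cost of the manipulation falls on whoever made the donation.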

Yishi commented, "This is not a black swan event; it is a man-made disaster, a serious oversight at the development level." He pointed out that this vulnerability was not exploited by external hackers using complex techniques, but rather a basic error in the team's code deployment. Such mistakes are particularly fatal in the DeFi space, as the immutability of smart contracts means that once a vulnerability is exploited, losses are nearly impossible to recover.

Silence, Gagging, and Attempting to Shift Losses to Investors

Blockchain hacking incidents happen constantly, and in recent years numerous public chains, DeFi projects, and exchanges have lived through the nightmare of being hacked. Their official teams usually respond promptly and reach out to the hackers right away. The Resupply team's handling of the situation, however, has been perplexing. Not only did they stay silent towards the hackers, they have "not yet conducted any technical tracing or white-hat bounty work."

Yishi revealed that the team did not immediately launch an investigation or report to the police but attempted to make investors bear the losses through an insurance pool, while also blocking the speech of dissenters on the official Discord server. As a major investor, Yishi was unexpectedly silenced after raising reasonable doubts, an action that left him feeling "shocked and angry."

The latest proposal indicates that the project party will use the insurance pool to cover bad debts.

Faced with the Resupply team's inaction and their attitude of suppressing dissent, Yishi chose to publicly advocate for his rights on the X platform. He published a lengthy article detailing the background and consequences of the incident, specifically criticizing the Resupply team's negligence. He emphasized that the design of the insurance pool was meant to address unpredictable black swan events, not to compensate for the development team's basic errors. He questioned, "If development mistakes can be paid for by users, then this is essentially a false insurance scheme that robs the rich to give to the poor."

Yishi's advocacy actions not only targeted the Resupply team but also extended to well-known DeFi protocols that collaborated with the project, such as Curve, Convex, and Yearn. He pointed out that these projects gained exposure and profits by providing liquidity support and endorsement to Resupply, and therefore should not remain aloof after the incident. In particular, Curve's stablecoin crvUSD played an important role in Resupply's fund pool. Yishi called on the developers and treasuries of these projects to jointly bear compensation responsibilities to make up for the investors' losses.

According to public information, the protocols connected to this project have lost an average of $10 million a year to theft in recent years, which has led some in the community to suspect self-dealing.

In 2021, Yearn Finance lost approximately $11 million to a contract logic vulnerability: attackers exploited insufficient protection of the protocol's liquidity to carry out a flash loan attack and manipulate the fund pool for arbitrage.

In March 2023, Yearn Finance lost about $1.4 million as a knock-on effect of the Euler Finance hack; its own contracts had no vulnerability, but its financial exposure to Euler led to indirect losses.

On April 13, 2023, Yearn Finance lost about $11.6 million due to a configuration error in the early iearn yUSDT contract, which pointed to the wrong asset pool (USDC instead of USDT); attackers exploited this flaw to mint a large amount of yUSDT and cash out.

On March 28, 2024, Prisma Finance lost about $10 million to permission-management and business-logic vulnerabilities in its contracts; attackers deployed malicious contracts and drained funds through a series of operations involving function permission issues and contract call defects.

On June 26, 2025, Convex Finance, through its sub-DAO Resupply, lost about $10 million to business-logic vulnerabilities in the Resupply sub-DAO contract; attackers exploited the flaws to transfer funds out illegitimately, specifically because of insufficient permission or fund-flow checks in the contract.

Additionally, Yishi criticized the Resupply team's communication attitude. He stated that the team not only lacked transparency but also mocked and banned investors who raised objections, which he deemed a serious betrayal of community trust. He called on Resupply to formulate a fair solution to return losses caused by technical errors to users.

Soon afterwards, Yishi began receiving abusive private messages from anonymous accounts that used discriminatory mock-Chinese phrases such as "ching chong," which sparked widespread anger within the Chinese-speaking community.

Conflict Escalates: Confrontation with Curve's Founder

Yishi's public advocacy quickly led to a direct conflict with Curve founder Michael Egorov. Prior to this, Curve Finance's official statement regarding the security incident stated, "Although Resupply was not developed by Curve developers, the creators of Resupply are capable and experienced, and we believe they will do their utmost to resolve this issue."

However, the incident did not end there.

According to Yishi, Michael privately expressed intentions to sue him, claiming that his statements "smeared Curve's reputation." This news sparked intense debate within the community on X, with many believing that Curve, as a partner of Resupply, should bear some responsibility rather than suppress criticism through legal threats.

Yishi responded on X, "Michael said he wants to sue me for smearing Curve's reputation. What kind of behavior is this? Honest people deserve to be bullied, right?" He stated that while he respects Michael's efforts to mediate the situation, he would not give up on holding them accountable.

As the incident escalated, some users began to associate Yishi's personal advocacy actions with the OneKey brand, even accusing OneKey of "organizing a public opinion attack" against Resupply. In response to these accusations, OneKey issued a stern statement on June 29 on the X platform, clarifying that the company had never participated in or manipulated any public opinion attacks, and that Yishi's advocacy actions were his personal investment behavior, unrelated to OneKey's business.

Summary

The Resupply incident is not only a microcosm of Yishi's personal advocacy but also reflects many issues exposed in the rapid development of the DeFi industry. First, the security of smart contracts remains a core challenge for DeFi projects. Although Resupply's vulnerability may seem basic, similar incidents are not uncommon in the DeFi space. In 2024, global losses in cryptocurrency due to hacking and fraud have exceeded $2.2 billion, highlighting the urgent need to improve industry security standards.

Secondly, the Resupply team's handling of the situation exposed deficiencies in crisis management within DeFi projects. Lack of transparency, suppression of dissent, and shirking of responsibility not only damage investor trust but could also have devastating impacts on the long-term development of the project. Yishi's advocacy actions remind the community that investors have the right to demand accountability from project parties for technical errors, rather than shifting losses onto users.

The incident also sparked discussions about the responsibilities of partners within the DeFi ecosystem. Projects like Curve and Convex have been drawn into controversy due to their collaboration with Resupply, indicating that the interconnectedness of DeFi projects is both an advantage and a potential amplifier of risks. In the future, clarifying responsibility distribution in ecological cooperation will be an important issue that the DeFi industry needs to address.


