Resupply Event Review: Hackers Get Away, Users Forced to Fill the Gap, Security Incident Evolves into a Racial Discrimination Scandal

10 hours ago

Original | Odaily Planet Daily (@OdailyChina)

Author | Dingdang (@XiaMiPP)


On June 26, the decentralized stablecoin protocol Resupply reported that its wstUSR market was hacked, resulting in the transfer of approximately $9.5 million in assets.

Incidents like this are not rare in crypto, and the amount stolen from Resupply is not remarkable by itself, yet the case has stirred real controversy within the community. The reason is the project's response: rather than attempting to recover the stolen funds, hold the attacker accountable, report the theft to law enforcement, or post a bounty, the team's first move was to fill the hole with community assets. Community anger escalated as a result, with figures such as OneKey founder Yishi and SlowMist founder Yuxian publicly criticizing the team, and the governance dispute eventually escalated to accusations of "racial discrimination."

Odaily Planet Daily will start from the beginning of the incident, sorting out the root causes of the conflict and clarifying the positions of all parties involved.

1. Attack Process: Borrowing Millions with "1 Wei Collateral"

Resupply is a decentralized stablecoin protocol built around crvUSD that leans heavily on the Curve ecosystem's pool structure, interest-rate model, and asset linkages. By attracting liquidity through markets such as crvUSD-wstUSR, the project quickly accumulated tens of millions of dollars in locked assets.

Judging by its code reuse, governance logic, and treasury access, Resupply looks like an independent project but is in fact deeply embedded between two major pieces of DeFi infrastructure, Curve and Convex. It is widely believed to share development resources with Convex, and rumors have circulated that it was "quietly incubated" by the core development team.

This relationship became the starting point of controversy after the incident.

On June 26, security company BlockSec first discovered abnormal fund flows in Resupply, estimating initial losses at $9.5 million.


The attack path was subsequently dissected: the attacker exploited a structural flaw in how Resupply deployed the wstUSR vault. Specifically, by feeding carefully constructed inputs to the Controller contract, the attacker drove the exchangeRate used by the collateral check to zero. With the rate at zero the solvency check no longer constrained anything, so every liquidation and risk-control mechanism built on top of it was bypassed.

With just 1 wei of collateral, the attacker borrowed a large amount of reUSD, swapped it for ETH, and routed the ETH through Tornado Cash. Total losses were estimated at roughly $9.5 million. SlowMist founder Yuxian described the bug as a "rate inflation vulnerability."
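To make the failure mode concrete, the following is an added example written for this article, not Resupply's code or anything from its audits. It models, in uint256-style integer arithmetic, a lending market whose solvency check depends on an exchange rate derived from a vault's share price. All names, fixed-point scales, and formulas (share_price, exchange_rate, the LTV formula, MAX_LTV) are assumptions chosen to mirror the behaviour described above: once the rate truncates to zero, a borrow of any size against 1 wei of collateral passes the check. The hardened variant refuses a zero rate and rounds against the borrower.

```python
# Added example (not Resupply's code): a model of an exchange-rate-based
# solvency check in uint256-style arithmetic, showing how the rate the check
# depends on can be truncated to zero and how to harden the check. All names,
# scales and formulas are assumptions made for illustration, not the
# protocol's actual contracts.

EXCHANGE_PRECISION = 10**18   # assumed: rate is "collateral per 1e18 of debt"
LTV_PRECISION = 10**5         # assumed: LTV expressed so that 1e5 == 100%
MAX_LTV = 95_000              # assumed 95% maximum loan-to-value


def share_price(total_assets: int, total_shares: int) -> int:
    """Assumed ERC4626-style price per share, 1e18 fixed point, rounded down."""
    return total_assets * EXCHANGE_PRECISION // total_shares


def exchange_rate(price: int) -> int:
    """Assumed rate source: 1e36 / price_per_share with Solidity-style
    truncating division. As soon as price > 1e36 the result is 0."""
    return 10**36 // price


def ltv(borrow_amount: int, collateral_amount: int, rate: int) -> int:
    """Loan-to-value in LTV_PRECISION units, rounded down at every step."""
    debt_in_collateral = borrow_amount * rate // EXCHANGE_PRECISION
    return debt_in_collateral * LTV_PRECISION // collateral_amount


def is_solvent_vulnerable(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Vulnerable check: a zero rate makes the computed LTV zero, so any
    borrow against any non-zero collateral is judged solvent."""
    if borrow_amount == 0:
        return True
    if collateral_amount == 0:
        return False
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV


def is_solvent_hardened(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Hardened check: refuse a rate that cannot be trusted (zero), and round
    the debt's collateral value *up* so truncation never favours the borrower."""
    if borrow_amount == 0:
        return True
    if collateral_amount == 0 or rate == 0:
        return False
    debt_in_collateral = -(-borrow_amount * rate // EXCHANGE_PRECISION)   # ceil div
    ltv_rounded_up = -(-debt_in_collateral * LTV_PRECISION // collateral_amount)
    return ltv_rounded_up <= MAX_LTV


def demo() -> dict:
    """Constructed scenario: a healthy vault versus one whose share price has
    been inflated far enough that the derived rate truncates to zero."""
    one_wei = 1
    borrow = 10_000_000 * 10**18   # 10M units of debt with 18 decimals

    # Healthy vault: 1,000 assets behind 1,000 shares -> price 1.0, rate 1e18.
    healthy_rate = exchange_rate(share_price(1000 * 10**18, 1000 * 10**18))
    # Inflated vault: 2e18 assets sitting behind a single 1-wei share gives a
    # price per share of 2e36, and 1e36 // 2e36 == 0.
    inflated_rate = exchange_rate(share_price(2 * 10**18, 1))

    return {
        "healthy_rate": healthy_rate,
        "inflated_rate": inflated_rate,
        "vuln_healthy": is_solvent_vulnerable(borrow, one_wei, healthy_rate),
        "vuln_inflated": is_solvent_vulnerable(borrow, one_wei, inflated_rate),
        "hard_inflated": is_solvent_hardened(borrow, one_wei, inflated_rate),
        "hard_healthy_small": is_solvent_hardened(10**18, 2 * 10**18, healthy_rate),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check to take away is the last assumption in exchange_rate: a rate that is derived by division and consumed by a multiplication has a hard zero below some input value, and any check of the form `debt * rate <= limit` is vacuously true there. Rejecting a zero rate outright and rounding the borrower's obligation up closes that gap regardless of how the upstream price was manipulated.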

In a post-mortem released on June 28, Resupply stated that the attack on the crvUSD-wstUSR pair left roughly $10 million in reUSD bad debt. The vulnerability existed only in that specific pair; other pairs were unaffected and the rest of the Resupply market continued to operate normally. The debt ceiling of the affected pair has been set to 0, and withdrawals from the insurance pool have been paused, with a formal governance vote required to lift the pause. The affected code had gone through multiple security audits, and independent researchers had been engaged to review the codebase, but none of them reported the issue. The stolen funds currently remain on-chain; the team says it is monitoring the situation and will take whatever measures are necessary.

The vulnerability itself is not complex, yet it breached the protocol's core security boundary. However, the real controversy began with the project's "remedial measures."

2. Project Team's Remediation: Governance Proposal Becomes "Harvesting Users"?

On June 29, the official team of the Resupply protocol initiated a remedial proposal in the community, claiming to "quickly fix the protocol operation" through community consensus.

The specific content of the proposal is as follows:

Phase 1: Immediate Governance Action

Burning insurance pool (IP) tokens: at the time the proposal was written, the Resupply protocol treasury, the Convex treasury, and C2tP had already repaid 2,868,832 reUSD, leaving 7,131,168 reUSD of bad debt outstanding.

The proposal specifically stipulates:

  1. 6,000,000 reUSD of bad debt will be burned from the insurance pool, i.e. 15.5% of the 38.7 million reUSD held in the pool.

  2. The protocol will continue to cover bad debt to reduce the insurance pool's liability; overall, the pool bears $4 million less than the bad debt originally assigned to it.

  3. The remaining bad debt ($1,131,168) will be repaid from future revenue, including but not limited to protocol fees and/or possible off-market sales of RSUP, to be decided later by treasury or governance.

IP Withdrawal Period:

  • The team is doing its utmost to shorten the mandatory lock-up of user funds in the insurance pool. To that end, the voting period for this proposal is reduced to 3 days.

  • With the shorter voting window, the DAO can decide this proposal on-chain quickly, to the benefit of depositors, and reach a final resolution within the initial 7-day IP cooldown period.

  • The DAO can choose to extend the regular voting period to 7 days after this proposal ends or explore other options, such as different voting times for standard and emergency votes.

Phase 2: Insurance Pool Retention Plan

  • Overview: the IP retention plan applies to users who are insurance pool depositors at the time this proposal executes and whose balances were reduced in Phase 1. It is not intended to offset the reduction, though it may or may not end up doing so; its purpose is to encourage users to stay in the insurance pool after the haircut by streaming additional RSUP to them. Participation is the default, and users who do not wish to take part can exit at any time.

  • The RSUP stream forfeited by users who opt out is redistributed to the remaining participants. The plan requires a new contract, which will be announced once it has been reviewed and deployed.

  • Funding source: a dedicated RSUP emissions receiver will be created for the retention plan.

If approved, the DAO commits to allocating a total of 2.5 million RSUP to that receiver over 52 weeks.

The core of the proposal can be summarized as:

  • Burning 6 million reUSD from the insurance pool to offset bad debt

  • Repaying the remaining $1.13 million of bad debt from future protocol revenue

  • Streaming RSUP rewards to users who remain in the insurance pool to shore up confidence

  • Pausing withdrawals, compressing the voting cycle, and fast-tracking governance approval

On the surface the proposal looks like swift "community collaboration," but the community broadly reads it as a mechanism for making users pay without having been consulted.

The insurance pool exists to absorb market volatility, not to cover flaws in the project's own deployment; yet the proposal says nothing about recovering the funds, holding the attacker accountable, reporting the theft, or posting a bounty. The project's first response was to fill the hole with community assets rather than clarify who was responsible for the vulnerability.

Governance has become a tool for "shifting responsibility."

3. Community Outrage: Victims or Suckers?

After the attack, Resupply's Discord erupted. Some large LPs who asked "why should the insurance pool pay for technical errors" were kicked or muted by the moderators.

User dissatisfaction focused on three levels:

  • Institutional Level: The protocol documentation did not clearly state that the insurance pool should cover developer errors, yet the project team unilaterally adjusted its purpose afterward.

  • Governance Level: The governance proposal was rushed through, and users did not have enough space to participate and discuss.

  • Emotional Level: After the attack, the project team displayed a lack of empathy and accountability, instead focusing on controlling risks, managing public opinion, and controlling emotions.

For example, on June 27, OneKey founder Yishi publicly called for Curve to provide a fair solution for every investor, returning user funds lost due to the project's serious technical errors.

He revealed that he was one of Resupply's three largest investors, with losses running into millions of dollars. He attributes the attack to a "structural error" in the deployment of the ERC4626 vault, which let the attacker mint shares at almost zero cost and drain the vault.

He also pointed out that the project team not only attempted to shift the losses onto insurance pool users but also banned reasonable questioners in the Discord group. He stated that Curve, Convex, and Yearn had all supported Resupply in terms of technology, governance, or resources, and should not downplay their relationship afterward.

Community member @22333D posted a video accusing the Resupply team of multiple failures: adopting a policy of appeasement after an attack caused by a low-level error in the contract; not pausing the protocol, not reporting the theft, and not offering a bounty; kicking people out of the Discord; and claiming the losses should be borne by users of an insurance pool that was originally meant to guard against market volatility.

SlowMist founder Yuxian added, "The project team is the first in history not to call for help or offer a bounty. If I were the attacker, I would be just as confused. Why hasn't the project team made a statement? Am I a black hat hacker or a white hat?"

The governance dispute has even escalated into accusations of "racial discrimination." On June 28, OneKey founder Yishi posted that during exchanges with project members he had been targeted with the obvious racial slur "chixx choxx," which drew significant public outrage. The term is widely regarded as a slur against the Chinese community, and many industry insiders immediately launched a "Slash" action in support of Yishi, stressing that "racial discrimination is unforgivable in any context."

4. Curve Founder Michael Plans to Sue: Not a Bystander, but a Victim?

On June 28, Yishi tweeted that Michael had expressed an intention to sue him for defaming Curve's reputation, and voiced his dissatisfaction with the remark "Honest people deserve to be bullied."

Michael's supporter @HaowiWang responded publicly that this was no longer a debate about "who is right or wrong" but an attack on systemic trust in the Curve brand. He listed five "charges" against Yishi:

1. Malicious Defamation and Fabrication of Facts: Yishi has repeatedly attributed the Resupply incident to Curve in community discussions and on Twitter, implying that Curve has actual control responsibility, misleading the public;

2. Damage to Reputation: As a public figure, Yishi directly or indirectly named Curve, causing the project to face a trust crisis within the Chinese community;

3. Organized Manipulation of KOC to Spread Misinformation: He can mobilize a large number of KOCs/KOLs within the OneKey ecosystem to guide public opinion and construct a narrative of "Curve as an accomplice";

4. Obvious Pressure to Cover Losses: By creating moral pressure with statements like "Curve is the biggest beneficiary" and "not responding is equivalent to default," he intends to make Curve cover the losses;

5. Complete Evidence Chain: Tweets, screenshots, group chat records, and the chain of retweets have formed the minimum threshold required for a lawsuit.


On June 29, OneKey issued an official statement clarifying that it has never incited, organized, or manipulated any KOLs or users to launch public-opinion attacks against Curve or any other project. In response to the malicious accusations and false statements spread by certain individuals on social media, OneKey will pursue legal accountability and will not tolerate such conduct. It added that founder Yishi participated in the investment entirely in a personal capacity, that no official OneKey resources were involved in the project, and that all OneKey products are open-source by design, contain no backdoors, and have been thoroughly audited by professional security teams such as SlowMist.

On June 30, OneKey founder Yishi posted a screenshot showing that he had been blacklisted by Curve Finance, captioned "Graduated."


Conclusion: After the Crisis, What Remains is Not the Protocol, but the Rift

The Resupply incident began with a hacker attack and ultimately evolved into a comprehensive crisis surrounding governance responsibility, community communication, racial discrimination, and brand integrity.

This is not the first time DeFi has been attacked, nor will it be the last. But it may be the first time that, with no response to the attacker and no apology from the project team, the community has been pushed into the role of "loss bearer."

In the DeFi world, the foundation of trust is not found in white papers or audit reports, but in the project team's "first response after an incident." Governance proposals may repair the protocol, but they cannot mend the torn community. The protocol may still be operational, but once trust is lost, it will not return.

Disclaimer: This article represents the author's personal views only and does not reflect the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
