
Not tracking hackers, public relations out of control: A review of the $9.6 million theft incident of the DeFi protocol Resupply

Summary: Curve was also inadvertently "attacked."
ChainCatcher Selection
2025-06-30 20:05:40

Author: Fairy, ChainCatcher

Editor: TB, ChainCatcher

The first reaction after an incident often reveals the true nature of a team.

The decentralized stablecoin protocol Resupply was hacked for $9.6 million. What initially seemed like a "routine" DeFi security incident rapidly escalated within a few days: the project team remained silent, did not issue a statement, and did not offer a bounty, while OneKey's founder publicly defended investors. The incident quickly transformed from a technical issue into a conflict of values, affecting the underlying Curve ecosystem.

This is no longer a simple theft incident, but a chain collapse that spiraled out of control under the dual pressures of technical errors and governance arrogance.

Incident Review: From Security Incident to PR Disaster

On June 26, Resupply was attacked, resulting in a loss of approximately $9.5 million. After the incident, the team only released a brief tweet to explain the situation, but took no action to track the hacker or issue a bounty, raising doubts within the community.

At the same time, users reported being muted and removed after questioning on Discord, leading to a rapid deterioration of community atmosphere. OneKey founder Yishi publicly spoke out, revealing that as one of the three major investors in Resupply, he lost millions of dollars and pointed out that the project team was forcing the bad debts onto the insurance pool depositors, essentially making ordinary stakers pay for the technical errors.

On June 28, Resupply released an attack analysis report, stating that the vulnerability only affected specific token trading pairs, while the rest of the market was operating normally. They proposed a governance plan to use 6 million reUSD from the insurance pool to cover the bad debts, with the remaining portion planned to be gradually repaid through future protocol revenues. However, this move did not quell the "anger."

On June 29, Yishi spoke out again, criticizing the team for not holding anyone accountable at the first opportunity, but instead "directly taking money from users," even extending the unlocking period and restricting withdrawals. More seriously, the community was filled with insults and racist remarks.

In addition, DeFi researcher @22333D released multiple videos harshly criticizing the team for its lack of accountability after a basic contract error. SlowMist founder Yu Xian also publicly stated that he would nominate this incident for the ten worst-handled security incidents in history, as a case worth watching.

Ultimately, this security incident evolved into a multi-faceted crisis combining "governance dereliction + suppression of public opinion + community division."

The "Security Black History" of the Team Behind Resupply

In this attack, the hacker exploited a price manipulation vulnerability in the ResupplyPair contract, combined with an ERC4626 inflation vulnerability, to borrow approximately $10 million in reUSD using just 1 wei as collateral. The attack method is not complex; crypto KOL Yishi even called it a "very basic, common" mistake, highlighting the team's serious negligence in core contract design.
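The bug class named above, share inflation in an ERC4626-style vault whose exchange rate a lender then trusts when valuing collateral, modelled in Python as an added example. This is constructed code, not Resupply's, Curve's or any real contract's; the `Vault` class, `collateral_value` guard and `MIN_SHARES` threshold are hypothetical, and the arithmetic mirrors Solidity's integer division.

```python
WAD = 10 ** 18          # 1.0 with 18 decimals
MIN_SHARES = 10 ** 15   # hypothetical floor below which a lender should distrust the rate


class Vault:
    # Minimal ERC4626-style share accounting with optional virtual shares
    def __init__(self, virtual_shares: int = 0):
        self.assets = 0                # underlying tokens the vault holds
        self.shares = 0                # share supply
        self.virtual = virtual_shares  # 0 = naive vault, 10**k = OpenZeppelin offset k

    def _supply(self):
        # Effective (shares, assets); the OpenZeppelin scheme adds 10**k shares and 1 asset
        return self.shares + self.virtual, self.assets + (1 if self.virtual else 0)

    def to_shares(self, assets: int) -> int:
        s, a = self._supply()
        return assets if s == 0 else assets * s // a   # naive first deposit is 1:1

    def to_assets(self, shares: int) -> int:
        s, a = self._supply()
        return shares if s == 0 else shares * a // s

    def deposit(self, assets: int) -> int:
        minted = self.to_shares(assets)
        self.assets += assets
        self.shares += minted
        return minted

    def donate(self, assets: int) -> None:
        # Tokens transferred straight to the vault: assets rise, no shares are minted
        self.assets += assets


def collateral_value(vault: Vault, shares: int) -> int:
    # What a lender that prices collateral off the vault's exchange rate would credit
    if vault.shares < MIN_SHARES:
        raise ValueError("vault too thin: exchange rate is trivially manipulable")
    return vault.to_assets(shares)


def rate_after_donation(vault: Vault, first_deposit: int, donation: int) -> int:
    # Assets the vault credits to the first depositor's shares once a donation lands
    minted = vault.deposit(first_deposit)
    vault.donate(donation)
    return vault.to_assets(minted)


if __name__ == "__main__":
    # Naive vault: 1 wei deposited, then 1M tokens donated -> that 1 wei reads as ~1M tokens
    print(rate_after_donation(Vault(), 1, 10 ** 6 * WAD))
    # Offset-6 vault halves the distortion; a vault this thin is still refused by the guard
    print(rate_after_donation(Vault(virtual_shares=10 ** 6), 1, 10 ** 6 * WAD))
```

The lesson for integrators is that a vault's instantaneous exchange rate is only a safe price when the share supply is large enough that a donation cannot move it cheaply; seeding liquidity and refusing thin vaults are the usual controls.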

What is even more concerning is that the development team behind Resupply is not new to security controversies.

As early as March 2024, Resupply's predecessor, Prisma Finance, suffered a loss of over $11.6 million due to a hacker attack. Although the attacker claimed to be a white hat and left multiple messages on-chain, the incident ultimately ended without resolution, and nine months later, the Prisma project was officially shut down, leading to the launch of Resupply as its "successor."

Additionally, according to compilations by community users, the projects associated with this team have averaged nearly $10 million in losses per year over the past few years. (Note: Resupply is a subDAO protocol of Convex Finance and Yearnfi.) This abnormal frequency of incidents has led the community to question whether the team behind it is staging the thefts itself.


Image source: @22333D

The Cracks of Eroding Trust: The Curve Ecosystem

As the public sentiment around Resupply intensified, Curve also found itself caught in the whirlpool of this trust crisis. Although the two are not the same team, their relationship is close. The Resupply protocol is built on the Curve ecosystem, relying on its liquidity pools and mechanisms for support. In the early stages, Curve's official team even endorsed Resupply.

Because of this, many users chose to stake and participate in the insurance pool on Resupply based on their trust in Curve. In terms of results, Resupply's growth did indeed benefit Curve.

Crypto KOL Crypto Weituo stated that after the Luna crash in 2022, Curve's TVL plummeted dramatically, and it continued to decline after multiple incidents, including Michael's house purchase, two hacks, stETH's depeg, and the FTX collapse.

After Resupply launched in March this year, it injected vitality into Curve, but now that "lifeline" has fallen into controversy, bringing Curve's old debts back to light.

In community discussions, some users began to claim they would boycott Curve ecosystem projects; others argued that Curve should not be held accountable for the technical errors of ecosystem projects. However, more users expressed disappointment with the Curve team and founder Michael's response afterward: eager to clarify their relationship with Resupply and leaning towards defending the Resupply project team in public statements.

Furthermore, after OneKey founder Yishi publicly defended investors, Michael not only claimed that he "would no longer use OneKey products" but also stated that he would sue Yishi for "damaging Curve's reputation."

The collapse of trust in Resupply stems not only from coding errors but also serves as a mirror reflecting the moral bottom line exposed by the project team during the crisis, revealing the ecosystem's lack of responsibility, transparency, and accountability during its expansion.

The aftermath of the incident will eventually subside, but the cracks in trust may never be fully repaired.
