Follow-up on the DeFi protocol Resupply theft incident: Victims question the project party's inadequate response and call for industry reflection.
Reflections After the Theft Incident: Voices of the Victims of the DeFi Protocol Resupply
It has been over a week since Resupply was hacked. On June 26, the "wstUSR market" of the DeFi protocol suffered a security vulnerability, resulting in a loss of nearly $9.6 million in crypto assets. As one of the early users who participated in mining on the protocol, 3D posted rights-protection videos on his YouTube channel for three consecutive days.
3D is both a miner and a content creator. In this interview, we heard his doubts and emotions regarding the incident, as well as some of the industry's unspoken rules. He discussed Curve's "default endorsement", the project's passive response to the hacker attack, and the obstacles and humiliation the community has faced while trying to protect its rights.
Compared with the financial loss, what is more disheartening for 3D is the blow to his confidence in the industry. He admits that although he is not the victim with the heaviest losses, he may be the angriest one, not because of the money, but because users' standing has been ignored and they have been humiliated. His experience reflects a common dilemma faced by many DeFi participants: unclear responsibilities, no channel for protecting their rights, and a continuously declining moral bottom line.
The following is the entire content of the conversation:
Please, 3D, make a simple self-introduction first.
My online name is 3D, and I am currently mainly engaged in independent mining work. I entered the cryptocurrency space during the ICO boom in 2017, but I really started to focus on Decentralized Finance and arbitrage from the DeFi Summer wave in 2020. At the same time, I also run a YouTube channel focused on DeFi arbitrage—3D Crypto Channel.
How much capital is currently estimated to be affected? How can the scale of actual losses be estimated or measured?
The total visible fund scale is basically the size of the insurance pool, approximately 38 million USD.
So roughly what percentage of the affected users were Chinese this time?
I'm not too sure about this. However, the ones who stood up the earliest and the loudest to defend their rights were indeed Yishi and I; we were the ones leading the charge. The Chinese users have been more concentrated in voicing their opinions, and of course, there are some English users as well, but the overall volume is relatively much smaller.
What is the current solution?
In simple terms, our principal has directly lost 15.5%. The community is very hopeful that the project party will take action, after all, the total loss this time is nearly ten million dollars. One of their developers took out about 1.5 million, and also took out about 800,000 from the treasury, totaling just over 20%.
Their attitude is like saying, "You see, we also suffered losses, so don't investigate further." But the question is, why not use this money to communicate with the hackers? For example, "If you return the money, we will give you this part as a white hat reward," wouldn't that make everyone happy? But they didn't do that at all.
Why did we choose this protocol for mining in the first place?
I started participating in the Resupply project around early April. At that time, I saw a long-time person I follow posting related content on Twitter, and later I saw that an official trading platform also retweeted it, which caught my attention.
Looking back now, the operation logic of the project is quite strange. It seems that it is not trying to make money for itself, but rather is helping a certain trading platform to "boost" the usage of a certain stablecoin. Because that stablecoin itself has no practical use, it has forcibly created a usage scenario through designed mechanisms, and then guided everyone to participate through incentives.
From the perspective of us participants, this matter feels like a big platform wants to boost its data, so it calls on its "little brother" to help, and a certain trading platform indeed provided some endorsement, so at that time we didn’t feel there was any problem.
For those of us engaged in mining or arbitrage, when encountering new projects, we will first evaluate two key points: the first is the product itself, how does it actually operate? Where does the money you earn come from? The second is the background of the project party, which means that both "on-chain" and "off-chain" information need to be thoroughly researched. In my judgment at that time, the logic of the Resupply product was relatively simple and straightforward.
So who do you think should be responsible after the incident? What key decisions did the Resupply team make after the incident occurred? If compared to mature Decentralized Finance protocol platforms, what obvious gaps are there in their response process?
I think their biggest problem in post-event handling is a complete lack of crisis response awareness. They didn't even do the most basic things at the first moment. This is something everyone can find online, and a certain big shot has also mentioned: they neither publicly addressed the hackers nor issued any announcements explaining the situation, and they didn't initiate any legal or accountability mechanisms—there wasn't even an attempt to communicate with the hackers; it was completely laissez-faire.
Other projects at least issue announcements, pause contracts, contact white hats, and attempt to recover funds; they haven't done any of these basic operations. They act as if nothing has happened.
We also find it hard to understand why the project team is not actively communicating with the community. The whole incident has resulted in losses close to ten million, while their own team contributed only around 1.5 million, plus about 800,000 from the project treasury, which only covers about 20% of the losses. It seems like just a symbolic "gesture", a drop in the bucket.
Their attitude is basically "Look, we lost money too, so stop bothering us." But the problem is that they clearly could have taken this money to negotiate with the hacker, making it clear that as long as you return the money, this would be considered a white hat reward, and everyone would be happy. Yet they completely did not take this measure.
The first point is that they have been extremely passive in pursuing the hacker's assets, even completely inactive. It has been a few days since the incident occurred last Thursday, and there is still no substantial progress.
The second point is that their attitude towards the community is extremely arrogant and indifferent. When the incident happened, many of our users immediately went to their community to inquire, but they directly labeled it as "the insurance pool people will bear the losses," leaving no room for basic discussion. When we questioned their approach, stating that the documentation did not mention users needing to bear such losses, we were met with sarcasm, attacks, and even direct account bans.
They also said, "You earned a 17% annualized return, so you have to bear the corresponding risks." This logic is fundamentally flawed; we are merely participating in a strategy with a 17% annualized return, which does not mean we should be fully responsible for the protocol being hacked.
The feedback from our group is very consistent; it's not the loss of money that hurts the most, but the experience of being humiliated and blacklisted in the community that is even more infuriating. The reason this incident has triggered such a strong reaction boils down to two core issues: the project party's inaction and their contempt for users.
If they really can't afford the loss, they can make a clear stance, such as taking out 3 million first, and letting all users share the remaining 7 million proportionally, which is better than the current situation. But their approach is to directly "pick out" the users of the insurance pool to bear all the responsibility. Their purpose in doing so is also very clear: they want to ensure the continued operation of the protocol and prevent the project from dying.
Ironically, if you look at the announcement they issued at the time, it hardly mentions the amount of loss, only vaguely stating that they encountered a vulnerability and suspended one market, while everything else continued as normal. This manner of information disclosure is very irresponsible.
Even more seriously, hackers exploited vulnerabilities to mint ten million stablecoins at zero cost and sold them on the market, directly breaking the originally over-collateralized mechanism, resulting in the stablecoins no longer having sufficient assets to back them. In this situation, the project team still did not pause the protocol, allowing users to withdraw their investments on their own.
The result is that those quick-responding users withdrew, while the insurance pool participants were completely locked due to a 7-day withdrawal delay. Even more outrageous is that they initiated a new proposal to suspend withdrawals from the insurance pool, further freezing users' assets. As for their claim that "bad debts should be borne by the insurance pool," there is simply no precedent for this in Decentralized Finance protocols. They have once again crossed the industry's bottom line, with no governance rationale whatsoever.
Have there been any projects in the past that used this insurance pool to cover losses?
The insurance pool does not bear any bad debts.
There are only three ways to participate in the Resupply project: staking, circular lending, and forming LPs. From the perspective of user expectations, staking involves the most risk-averse group of people, yet they now have to bear all the risks. The core issue lies in users' expectations of the insurance pool; we all believe that we only need to bear the bad debts caused by market fluctuations.
I once made an analogy about the insurance pool, which might not be very precise, but it roughly means this: it's like when you buy a wealth management product on a certain trading platform, and then that platform gets hacked. It tells you, "Weren't you here to deposit money? Then everyone should share the loss, especially you users who bought the wealth management products." In the end, the losses are only deducted from the funds of the wealth management users, and others are not affected.
In fact, some exchanges were hacked in the past, and all users shared the losses proportionally, but this time it is different. They only let the investment users bear the entire loss. Their logic is: "If you want to enjoy an annual interest of 2%, you have to take responsibility for it." Some even say that "there's no such thing as a free lunch," meaning that if you took a 17% annual return, you deserve to bear the losses from this hack. This reasoning is too absurd.
You mentioned that you participated in Resupply because you trusted a certain trading platform. What kind of relationship do you think exists between Resupply and that trading platform? Do you think the "cut-off" attitude of that trading platform after the incident is reasonable?
I think this can be viewed from two levels. The first is the superficial logic - this project indeed serves a certain trading platform and also endorses a certain trading platform; it is itself a project within the ecosystem of a certain trading platform.
On the other hand, a person with normal judgment would make a reasonable inference: looking at the design of this protocol, it is fundamentally meant to provide services for a certain trading platform, in other words, it plays the role of a "younger brother". Otherwise, its existence is almost meaningless, as its core logic is to use its own mining coin to subsidize the protocol revenue of a certain trading platform.
You say that this kind of selfless, purely philanthropic act, unless it's true love, who would do it? Especially its tokens, at that time I thought this project wouldn't last a month, because the overall story is not appealing; in the end, it's just to bring some new volume to the stablecoin of a certain trading platform, with no substantial content.
But later you see, the price actually stabilized and stayed stable for a long time. I was wondering, who is propping it up? After thinking it over, the most reasonable explanation is that a certain trading platform is propping it up themselves. Who benefits from this, who has the most motivation to stabilize the situation - this is a common sense reasoning. Although there is no concrete evidence, as long as one has a normal mind, they can probably think of this.
Before the incident happened, a certain trading platform loudly proclaimed that this was a good project. Now that something has gone wrong, they immediately distanced themselves, saying "it's just an ecological project, has nothing to do with me." This attitude is just like what we see in some news: once something goes wrong, it becomes "the temp workers' doing." Now even we users have been banned from our accounts; how serious has this situation become?
Without the endorsement of a certain trading platform, Resupply would not be able to raise so much money at all. The reason we are participating is not because of its development team - in fact, this team's reputation is not good. If it were just them doing a project alone, we would definitely not participate.
There are two reasons that truly led us to choose to participate: first, its business model revolves around the stablecoin of a certain exchange platform, which logically means it helps that exchange platform grow, and this binding relationship feels relatively secure; second, the official from that exchange platform publicly acknowledged this project at that time, even endorsing it.
As for what you said about the project team having a dark history, it is indeed true, but this time they did not change their identity; instead, they continued to use their original identity to run the project, which in a way can be considered a form of "real-name" accountability.