A week has passed since Resupply was stolen. On June 26, a security vulnerability was exploited in the wstUSR stablecoin market of the DeFi protocol Resupply, resulting in a loss of about $9.6 million in crypto assets. If you walk by the river, you will get your feet wet. DeFi OG player 3D posted rights-protection videos on his YouTube channel for three consecutive days. BlockBeats contacted 3D and talked with him, as a witness to the loss, about his series of reviews after the theft.
3D is one of the early users who participated in mining on this protocol. He is both a mining player and a content creator. In this interview, we heard his doubts, his emotions, and some unspoken rules of this industry that no one is willing to state openly. He talked about Curve's tacit endorsement, the project's passive response to the hackers, and the process by which community members were blocked and humiliated when defending their rights.
Compared with the loss of money, what chilled him most in 3D's story was his shaken confidence in the industry. He admitted that although he did not suffer the largest loss, he was the angriest, not because of the money, but because he was ignored and humiliated as a user. His experience reflects the common dilemma of countless DeFi participants: unclear rights and responsibilities, no channel to protect their rights, and a moral bottom line that is conceded again and again.
The following is the full content of the conversation:
BlockBeats: Please give a brief self-introduction first.
3D: The name I use on the Internet is 3D. My main job at the moment is still mining by myself. I have been in the circle since the ICO round in 2017, but I really started to focus on DeFi and arbitrage with the DeFi Summer wave in 2020. At the same time, I also run a YouTube channel focused on DeFi arbitrage, 3D Crypto Channel.
BlockBeats: How much money has been lost so far? How can the actual scale of the loss be estimated or measured?
3D: The total amount of funds currently affected is basically the size of the insurance pool, approximately US$38 million.
BlockBeats: So what proportion of users are Chinese this time?
3D: I’m not sure about this. But the two people who stood up to defend their rights the loudest and the earliest were indeed me and Yishi. We were the first to speak out. Chinese users were more likely to speak out, and of course there were some English users as well, but the overall volume was much smaller.
The period after Resupply was stolen
BlockBeats: What are the current solutions?
3D: Simply put, our principal was directly lost by 15.5%. The community actually hopes that they will take action, after all, the total loss is about 10 million US dollars. A developer on their team contributed about 1.5 million, and they took about 800,000 from the treasury, which is just over 20% in total.
Their attitude is like, "Look, we have also lost money, don't pursue it anymore." But the question is, why don't you use the money to communicate with the hacker? For example, "If you return the money, we will give you this part as a white hat reward." Wouldn't that make everyone happy? But they didn't do it at all.
BlockBeats: Why did you choose this protocol for mining?
3D: I participated in the Resupply project in early April. When I was browsing Twitter, I saw someone I had been following for a long time posting related content, and later I saw that Curve officials also retweeted it, which caught my attention.
In hindsight, the logic of the project operation is quite strange. It does not seem to want to make money for itself, but more like helping Curve to boost the usage of crvUSD. Because crvUSD itself has no practical use, it forcibly created a use case through the design mechanism, and then used incentives to guide everyone to participate.
From the perspective of us participants, this is like a big brother who wants to pull up the platform's data, so he asks his little brothers to support him, and Curve did give it some endorsement, so we didn't think there was any problem at the time.
For people like us who do mining or arbitrage, when we encounter a new project, we will first evaluate two key points: the first is the product itself, how does it work? Where does your money come from? The second is the background of the project, that is, the so-called on-site and off-site information must be fully researched. In my judgment at the time, the logic of the Resupply product was relatively simple and intuitive.
BlockBeats: Who do you think should be held responsible after the incident? What key decisions did the Resupply team make after the incident? If compared with mature DeFi protocol platforms, what are the obvious differences in their response processes?
3D: I think the biggest problem they had in handling the incident afterwards was that they had no sense of crisis response. They didn’t even do the most basic things at the first time. Everyone can check this online, and Yu Xian also mentioned it: they neither publicly called out the hackers, nor issued a notice to explain the situation, nor did they initiate any legal or accountability mechanisms - they didn’t even try to communicate with the hackers, they just let it go.
Other projects would at least issue announcements, suspend contracts, contact white hats, and try to recover funds, but they didn’t do these basic operations. They just pretended nothing happened.
We also don’t understand why the project team didn’t actively communicate with the community. The entire incident resulted in a loss of nearly 10 million, and one developer in their team only contributed about 1.5 million, plus about 800,000 from the project treasury, which only covered about 20% of the loss. No matter how you look at it, this is just a symbolic meaning, a drop in the bucket.
Their attitude was basically, "Look, we've already lost money, so stop bothering us." But the problem is that they could have used the money to negotiate with the hackers, saying that as long as you return the money, it will be treated as a white hat reward, and everyone would be happy. But they didn't take this approach at all.
3D left a message on the official Resupply forum suggesting that they try to negotiate with the hacker using the white hat bounty approach, but he has not received a reply.
The first point is that they are extremely passive in recovering the hacker's assets, or even completely inactive. Several days have passed since the incident last Thursday, and there has been no substantial progress.
The second point is that they are extremely arrogant and indifferent to the community. When the incident happened, many of our users went to Discord to ask about it, but they directly said that the people in the insurance pool will bear the losses without even having basic discussion space. We questioned their approach, saying that the document did not state that users need to bear such losses, but we were ridiculed, attacked, and even directly blocked.
They also said, "If you earn an annualized return of 17%, you must bear the corresponding risks." This logic is totally untenable. We are just participating in a strategy with an annualized return of 17%, which does not mean that we have to bear all the responsibility for the theft of the protocol.
The feedback from our group was consistent. It was not the loss of money that was the most painful, but the experience of being humiliated and blocked in Discord that was more infuriating. There are two core reasons why this incident caused such a strong reaction: the inaction of the project team and their contempt for users.
If they really can't afford to pay, they can make their position clear, for example, take out 3 million first and let all users share the remaining 7 million in proportion, which would be better than now. But their way of dealing with it is to single out the users of the insurance pool to bear all the responsibility. Their purpose in doing this is also very clear: to keep the protocol running and prevent the project from dying.
The most ironic thing is that looking at the announcement they issued at the time, there was almost no mention of the amount of loss. They only said lightly that they encountered a loophole and suspended one market, and everything else was normal. This way of disclosing information is very irresponsible.
What's more serious is that the hackers minted 10 million stablecoins at zero cost through the loophole and sold them on the market, directly breaking the original over-collateralization mechanism, so that there is no longer enough asset backing behind the stablecoin. Even in this situation, the project team still did not suspend the protocol and let users withdraw their funds on their own.
The result is that those users who ran fast withdrew, while those in the insurance pool were completely locked out because of the 7-day delay in withdrawal. What’s even more outrageous is that they launched a new proposal to suspend withdrawals from the insurance pool and further freeze user assets. As for their statement that “bad debts should be borne by the insurance pool”, there is no precedent for this in the DeFi protocol. They have once again broken the bottom line of the industry, and there is absolutely no rationality in governance.
BlockBeats: Have any projects used this insurance pool to cover losses in the past?
3D: The insurance pool does not cover any black accounts.
There are only three ways to participate in the Resupply project: staking, revolving loans, and forming LPs. In fact, from the perspective of user expectations, the stakers are the most conservative group of all, but now they have to bear all the risk. The core problem lies in the users' expectations of the insurance pool. We all thought that we only needed to bear the bad debts caused by market fluctuations.
I made an analogy about the insurance pool at the time, which may not be very accurate, but it is roughly the idea. It is like you bought a wealth management product on Binance, and then Binance was stolen from. It tells you, "Aren't you here to deposit money? Then everyone will bear the loss together, especially you users who bought wealth management products." In the end, the loss is only deducted from the funds of the wealth management users, and other people are not affected.
In fact, in the past, when some exchanges were stolen from, all users had to bear the losses in proportion, but this time it was not the case. They only let the wealth management users bear all the losses. Their logic is: "If you want to get 2% annualized interest, you have to take responsibility for it." Some people even say there is no free lunch in the world, meaning that if you get a 17% annualized return, you deserve to bear the loss from this theft. This statement is too outrageous.
What role did Curve play in this storm?
BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. So what kind of relationship do you think exists between Resupply and Curve? Do you think Curve's cutting-off attitude after the incident is reasonable?
3D: I think this can be viewed on two levels. The first is the surface logic: this project does serve Curve, endorses Curve, and is also a project in the Curve ecosystem.
But on the other hand, anyone with a bit of judgment will make a reasonable inference: the design of this protocol is basically to provide services to Curve; in other words, it is a little brother. Otherwise its existence is almost meaningless, and its core logic is to use its own mining token to subsidize Curve's protocol income.
You tell me, who would do this kind of thing, which is purely a blood transfusion that seeks nothing in return, unless it is true love? Especially with its tokens. At that time, I thought this project would not last more than a month, because the overall story was not attractive. In the final analysis, it was just to bring some new volume to Curve's stablecoin, without any substantial content.
But then you see, the price actually stabilized, and it remained stable for a long time. I was wondering at the time, who was supporting the floor? After thinking about it, the most reasonable explanation is that Curve itself was supporting it. Whoever benefits from it has the most motivation to stabilize the situation; this is common-sense reasoning. Although there is no solid evidence, anyone with a normal mind can probably think of this.
Resupply native token price trend
Before the incident, Curve loudly said that this was a good project. Now that the incident has happened, they immediately distanced themselves from the issue, saying "it's just an ecosystem project, it has nothing to do with me." This attitude is the same as some of the news we usually see: once something goes wrong, it's the work of a temporary worker. Now even users like us have been banned. How serious do you think this matter has gotten?
Without Curve's endorsement, Resupply would never have been able to raise so much money. The reason we participated was not because of its development team; in fact, the team's reputation is not good. If they were just doing a project alone, we would definitely not have participated.
There are two reasons why we chose to participate: first, its business model revolves around Curve's stablecoin, which logically means helping Curve grow. This binding relationship makes people feel relatively safe; second, Curve officials also publicly acknowledged the project at the time and even endorsed it.
As for what you said about the project team having a dark history, it is true, but this time they did not change their identities; they continued to use their original identities to do the project, which to some extent can be regarded as a kind of real-name responsibility.
BlockBeats: Does Curve need to bear joint liability for its official promotion and endorsement of Resupply in this incident? How do you view the conflict of interest between the ecosystems post-clearance and pre-promotion?
3D: I think Curve's "cutting off" behavior after the incident is completely unreasonable. Even as a small KOL, if I had recommended a mining pool before, even if I did not receive a penny and had no interest in it, and something happened to that mining pool, I would speak out immediately, tell the people who follow me what went wrong, and follow up.
Curve actively endorsed the project when it was running smoothly at the beginning, but when the project ran into problems, it acted as if to say "it has nothing to do with me," said a few words of regret, and then distanced itself from the project. Such behavior is really unacceptable.
How to avoid pitfalls in mining?
BlockBeats: What is the biggest difficulty for DeFi users to protect their rights at present?
3D: The core of the problem is that the responsibilities are not clear, and the entire industry itself lacks supervision. In this case, it is actually very difficult to protect rights.
If you are a US user, the situation may be slightly better because the US has long-arm jurisdiction and can pursue cross-border accountability through legal means, and may even be able to recover some funds and report losses to the government. But for us, there is basically no such channel.
BlockBeats: So what methods do these large investors currently have for protecting their rights?
3D: No, otherwise who would want to be a clown on the Internet?
In the final analysis, we have no effective channels for defending our rights. As long as the project owners are determined to be irresponsible, users can only speak out and organize actions on their own. Although the economic loss to me in this incident is not large, I reacted strongly because I think it is an insult. If all project owners hold this attitude, then this industry will not be able to continue.
To be honest, this is really chilling. Today I was cheated; tomorrow it could be you. As long as you are still in this circle, you will always encounter similar things. As the old saying goes, "True heroism is to choose to love after seeing the truth." We can only look at this industry that way. To solve the problem, on the one hand the project teams need to have a moral bottom line, and on the other hand the industry also needs basic self-discipline.
BlockBeats: When a project is just launched or is still in the promotion period, what information will you focus on verifying?
3D: When a project is just launched or is still in the promotion period, I usually focus on several aspects.
The first is the business model. How does this project make money? Where does the profit come from? This is the most basic but also the most critical question.
The second is on-site information, that is, the operating mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth and whether there are any sticking points; for example, whether there is a time lock on deposits and withdrawals, or whether high handling fees are charged. These are directly related to user experience and risk.
The third is off-market information. I want to see if the team has done any projects before, whether they are anonymous, whether they have investment institutions to support them, who is behind them, and whether I can get some background information.
In addition, I will take the initiative to chat with the project party on Discord to see their response attitude and whether the team is reliable. Some people will look at the audit report, but I would like to remind you that many projects that have problems now have actually been audited. The audit can only show whether the project party is willing to spend money to go through the process, and it does not mean that the project is really safe.
BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanism, and stablecoin system?
3D: Curve is in an awkward situation now. Its original ecological niche was mainly to solve Uniswap V2's problem with the depth of stablecoin trades. Because V2's constant-product market-making mechanism does not perform well between stablecoins, a lot of funds must be piled up to build depth. At that time, Curve proposed a smoother curve design and focused on stablecoin exchange. It can be said that it relied on this differentiation to gain a foothold in DeFi from the beginning. As an infrastructure product, the logic is very clear. But now, with Floyd's business pressure, I think it is on the decline, though I still have confidence in the stablecoin system.
I have been very anxious recently. Although I didn't lose much money this time, the biggest blow to me was not money but confidence. I have been in this industry for a long time. I can't say I love it, but at least I have invested in it for a long time. But now I have begun to seriously doubt the sustainability of this industry: if all project teams behave like this one, then this industry will not be able to continue.
Yishi has withdrawn all the mines and now only plans to hoard Bitcoin and not touch anything else. You can imagine that our 15.5% loss this time is equivalent to the annualized income of mining for one year directly reduced to zero. What we originally did was a relatively low-risk strategy, not a high-leverage, daily profit-making game. After working hard for a year to earn 15 points, it is gone in one day. Who can bear it?