Exclusive interview with Resupply victims: Who should be held accountable for the 9.6 million dollars?

It has been a week since Resupply was hacked. On June 26, the stablecoin "wstUSR market" of the DeFi protocol Resupply experienced a security vulnerability, resulting in a loss of about $9.6 million in crypto assets. As the saying goes, "Those who often walk by the river will inevitably get their shoes wet." DeFi OG player 3D released a series of videos on his YouTube channel for three consecutive days to advocate for his rights. BlockBeats contacted 3D to discuss his experiences as a victim and his reflections following the hacking incident.

3D was one of the early users to mine this protocol, and he is both a miner and a content creator. In this interview, we heard his doubts, his emotions, and some of the unspoken rules of this industry. He talked about Curve's "default endorsement" and the project's passive response to the hackers, and described how community members were blacklisted and humiliated while defending their rights.

Compared to the financial loss, what saddens 3D more is his shaken confidence in the industry. He admits that although he has not suffered the heaviest losses, he is the angriest, not because of the money, but because of being ignored and humiliated as a user. His experience reflects the common plight of countless DeFi participants: unclear rights and responsibilities, no channels for safeguarding rights, and a repeated retreat of moral bottom lines.

The following is the entire content of the conversation:

BlockBeats: Please have 3D make a simple self-introduction first.

3D: My online name is 3D, and my main work is still mining by myself. I entered the space during the ICO wave in 2017, but I really started to focus on Decentralized Finance and arbitrage from the DeFi Summer in 2020. At the same time, I also operate a YouTube channel focused on DeFi arbitrage - the 3D encryption channel.

BlockBeats: Approximately how much capital has been affected? How should the scale of actual losses be estimated or measured?

3D: The total amount of funds currently visible is basically the size of the insurance pool - approximately 38 million dollars.

BlockBeats: So what proportion do Chinese users occupy this time?

3D: I'm not very clear about this. However, the ones who stood out the most and spoke up the earliest to defend their rights are indeed Yishi and me; we are basically leading the charge. The Chinese users are more concentrated in voicing their opinions. Of course, there are some English users as well, but overall the volume is relatively much smaller.

Resupply After the Theft Period

BlockBeats: What is the current solution?

3D: Simply put, our principal has directly lost 15.5%. The community is actually hoping they take action, after all, the total loss this time is about ten million dollars. One of their developers lost about 1.5 million, and they took about 800,000 from the treasury, just to show some goodwill, totaling just over 20%.

Their attitude seems to say, "Look, we lost money too, so don't pursue this any further." But the question is, why don't you use this money to communicate with the hacker? For example, "If you return the money, we can give you this part as a white hat reward," wouldn't that be a win-win situation? But they didn't do that at all.

BlockBeats: Why choose this protocol for mining in the first place?

3D: I got involved in the Resupply project around early April. At that time, I saw a post related to it from someone I have been following on Twitter for a long time, and then I noticed that Curve's official account also retweeted it, which caught my attention.

In hindsight, from the perspective of project operation logic, it seems quite strange. It appears that they are not trying to make money for themselves, but rather to help Curve "boost" the usage of crvUSD. Since crvUSD itself has little practical use, they created a use case by designing a mechanism and then incentivized everyone to participate.

From our perspective as participants, it feels like an older brother wants to pull some platform data and sends his "little brother" to hold the fort, and Curve indeed provided him with some endorsement, so we didn't think there was any problem at the time.

For those of us involved in mining or arbitrage, when encountering new projects, we first evaluate two key points: the first is the product itself, how does it actually operate? Where does the money you earn come from? The second is the background of the project party, which means that both "on-chain" and "off-chain" information need to be thoroughly researched. In my judgment at the time, the logic of the Resupply product was relatively simple and intuitive.

BlockBeats: Then who do you think should be responsible after the incident? What key decisions did the Resupply team make after the event? If compared to mature Decentralized Finance protocol platforms, what are the obvious gaps in their response processes?

3D: I think their biggest problem in post-handling is that they have no awareness of crisis management at all. They didn't even do the most basic things at the earliest time. This is something everyone can check online, and the OG has mentioned it: they neither publicly addressed the hackers nor issued an announcement to explain the situation, let alone initiate any legal or accountability mechanisms—there wasn't even an attempt to communicate with the hackers; it was completely laissez-faire.

Other projects at least issue announcements, suspend contracts, contact white hats, and attempt to recover funds, but none of these basic operations were done. They act as if nothing has happened.

We also find it hard to understand why the project team is not actively communicating with the community. The whole incident has led to losses of nearly ten million, while their own team only contributed about 1.5 million, plus the project treasury provided around 800,000, which covers only about 20% of the losses. It all seems merely symbolic, a drop in the bucket.

Their attitude is basically, "Look, we lost money too, so stop bothering us." But the problem is that they could clearly take this money to negotiate with the hackers, stating that as long as they return the money, it will be treated as a white hat reward, and everyone would be happy. However, they did not take this measure at all.

3D's message on the Resupply official forum suggested trying to negotiate with hackers using a white hat bounty approach, but has not received a response.

The first point is that they have been extremely passive in pursuing the hacker's assets, even completely inactive. It has been several days since the incident occurred last Thursday, and there is still no substantial progress.

The second point is their extremely arrogant and indifferent attitude towards the community. As soon as the issue arose, many of our users went to Discord to inquire, but they simply characterized it as "the insurance pool people should bear the losses," leaving no space for basic discussion. We questioned their approach, stating that the documentation did not indicate that users needed to bear such losses, and as a result, we were ridiculed, attacked, and even directly banned.

They also said, "If you earn an annual return of 17%, you have to bear the corresponding risks." This logic is fundamentally flawed; we are merely participating in a strategy with an annual return of 17%, which does not mean we are fully responsible for the protocol being hacked.

The feedback from our group is very consistent; it's not the loss of money that hurts the most, but the experience of being insulted and blocked on Discord that is even more infuriating. The reason this incident has triggered such a strong reaction is due to two core factors: the inaction of the project team and their contempt for users.

If they really can't afford the loss, they could make it clear, for example, by first putting out 3 million, and letting all users share the remaining 7 million proportionally, which is still better than the current situation. But their approach is to directly "pull out" the users of the insurance pool to bear all the responsibility. Their purpose in doing so is also very clear, which is to want to preserve the continued operation of the protocol and not let the project die.

The most ironic thing is that, looking at the announcement they made at the time, it hardly mentioned the amount of losses, only casually stating that they encountered a vulnerability and suspended one market, while everything else continued as usual. This way of disclosing information is very irresponsible.

More seriously, hackers minted ten million stablecoins at zero cost through a vulnerability and sold them on the market, directly breaking the original over-collateralization mechanism, leaving the stablecoins with no sufficient assets to back them. In this situation, the project team still did not pause the protocol, allowing users to withdraw their investments on their own.

The result is that those fast-running users withdrew, while the people in the insurance pool were completely locked out due to a 7-day withdrawal delay. Even more ridiculous is that they initiated a new proposal to suspend withdrawals from the insurance pool, further freezing users' assets. As for their claim that "bad debts should be borne by the insurance pool," there is simply no precedent for this in DeFi protocols. They have once again crossed the industry bottom line, with no governance rationality whatsoever.

BlockBeats: Have there been any projects in the past that used this insurance pool to cover losses?

3D: The insurance pool has no black accounts at all.

There are only three ways to participate in the Resupply project: staking, circular lending, and forming LP. From the users' perspective, staking is for those seeking stability, yet they now have to bear all the risks. The core issue lies in users' expectations of the insurance pool; we all believe that we only need to bear the bad debts caused by market fluctuations.

I once made an analogy about the insurance pool, which might not be very precise, but it conveys the general idea. It's like when you buy a financial product on Binance, and then Binance gets hacked. It tells you, "Aren't you here to deposit money? Then we all bear the loss together, especially you users who bought the financial products." In the end, the losses are only deducted from the funds of the financial product users, while others are unaffected.

In fact, some exchanges were hacked in the past, and all users shared the losses proportionally, but this time it's different. They only let the wealth management users bear all the losses. Their logic is: "If you want to earn a 2% annual interest, you have to take responsibility for it." Some even say things like "there's no such thing as a free lunch," meaning if you took a 17% annual return, you deserve to bear the losses from this hack. This kind of statement is absurd.

What role did Curve play in this turmoil?

BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. What kind of relationship do you think exists between Resupply and Curve? Do you think Curve's "cutting" attitude after the event is reasonable?

3D: I think this can be viewed from two levels. The first is the surface logic - this project indeed serves Curve and backs it up; it is also a project within the Curve ecosystem.

But on the other hand, a person with normal judgment would make a reasonable inference: if you look at the design of this protocol, it is basically to provide services for Curve, in other words, it plays the role of a "little brother". Otherwise, its existence is almost meaningless; its core logic is to use its own coin to subsidize the income of Curve's protocol.

You said that this kind of selfless and purely philanthropic act, unless it is true love, who would do it? Especially its token, at that time I thought this project wouldn't last a month, because the overall story was not very appealing; ultimately, it was just to bring some new volume to Curve's stablecoin, with no substantial content.

But later you see, the price actually stabilized and stayed stable for a long time. I was thinking at the time, who is propping it up? After thinking about it, the most reasonable explanation is that Curve is propping it up itself. Who benefits from it and who has the most motivation to stabilize the situation - this is a common sense reasoning. Although there is no solid evidence, as long as one has a normal brain, they can probably think of this point.

Resupply native token price trend

Before the incident, Curve loudly proclaimed that this was a good project, but now that something has happened, they immediately distanced themselves, saying "it's just an ecosystem project, has nothing to do with me." This attitude is just like some news we often see: once something goes wrong, it's always "the temp workers' fault." Now even we users have been banned; how serious has this situation become?

Without the endorsement of Curve, Resupply would not be able to raise so much money at all. The reason we are participating is not because of its development team—in fact, this team's reputation is not good. If they were to do a project on their own, we definitely would not participate.

There are two reasons that truly made us choose to participate: first, its business model revolves around Curve's stablecoin, which logically equates to helping Curve grow; this binding relationship feels relatively safe; second, Curve's official team publicly acknowledged this project at that time, and even took actions to endorse it.

As for what you said about the project team having a dark history, it is indeed true, but this time they did not change their identity; instead, they continued to use their original identity to carry out the project, which in a way can be considered a form of "real-name" responsibility.

BlockBeats: Should Curve's official promotion and endorsement of Resupply bear joint responsibility in this event? What do you think about the conflict of interest between the ecological party's "post-event disavowal" and "pre-event promotion"?

3D: I think Curve's "cutting" behavior after the incident is completely unreasonable. Even if I'm just a small KOL, if I had previously recommended a certain mining pool, even if I didn't receive a single penny and have no vested interest, if something goes wrong with that mine, I would be the first to speak up and inform my followers about the current issue. I would follow up on it.

When Curve was initially running smoothly, they actively endorsed the project, but when issues arose, they adopted a "not my problem" attitude, saying a few words of "regret" and then distancing themselves completely. Such behavior is really hard to accept.

How to Avoid Pitfalls in Mining?

BlockBeats: What is the biggest difficulty for DeFi users in protecting their rights currently?

3D: The core issue lies in unclear responsibilities and rights, compounded by the lack of regulation in the entire industry. In this situation, protecting one's rights is actually very difficult.

If you are a user in the United States, the situation may be somewhat better. This is because the U.S. has long-arm jurisdiction, allowing for legal action to hold parties accountable across borders, and it may even be possible to recover some funds and report losses to the government. However, for us, there are basically no such channels.

BlockBeats: So what are the ways for these affected large holders to protect their rights currently?

3D: No, otherwise who would want to be a clown on the internet?

Ultimately, we really have no effective channels for protecting our rights. As long as the project party is determined to be irresponsible, users can only rely on themselves to voice their concerns and organize actions. This incident has had a particularly strong impact on me, even though the financial loss isn't significant, because I feel it is an insult. If all project parties maintain this attitude, then this industry simply cannot continue.

To be honest, this is really disheartening. Today it’s me getting scammed, tomorrow it might be you. As long as you are still in this circle, you will always encounter similar situations. As the old saying goes: "True heroism is choosing to love after seeing the truth." We can only view this industry in that light. Solving the problem relies on the project parties having some moral baseline, and on the other hand, the industry also needs basic self-discipline.

BlockBeats: What information do you focus on verifying when a project is newly launched or still in its promotional phase?

3D: When a project has just launched or is still in the promotional phase, I usually focus on several key aspects.

The first is the business model. How does this project make money? Where does the profit come from? This is the most basic but also the most critical question.

Second, there is the information within the exchange, which is the operating mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth, and whether there are any "bottlenecks"—for example, whether there are time locks on entering and exiting funds, or whether high transaction fees are charged. These directly relate to user experience and risk.

Third is the off-site information. I want to see if this team has done projects before, whether they are anonymous, whether there are investment institutions supporting them, who is behind it, and if I can find out some background information.

In addition, I will also actively chat on the project's Discord to see their response attitude and whether the team is reliable. Some people look at the audit report, but I want to remind you of one thing: many projects that have encountered problems have actually gone through audits. An audit can at most indicate whether the project party is willing to spend money to go through the process, but it does not represent that the project is really safe.

BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanisms, and stablecoin system?

3D: Curve's current situation is actually quite awkward. Its original ecological niche was mainly to solve the problem of trading depth for stablecoins in Uniswap V2. Because V2's constant product market-making mechanism performs poorly between stablecoins, a lot of capital needs to be piled up to create depth. Curve proposed a smoother curve design at that time, focusing on stablecoin exchanges. It can be said that it initially stood firm in DeFi through this differentiation, with a clear logic as an infrastructure product. But now, with the business pressure from Floyd, I feel it is on a downhill path, although I still have confidence in the stablecoin system.

I have actually been particularly anxious lately. Although my personal losses this time are not substantial, the biggest blow to me is not the money, but the confidence. I have been in this industry for a long time; I can't say that I love it, but at least I have been invested for a long time. But now, I am starting to seriously doubt the sustainability of this industry—if all project teams are like this time, then this industry simply cannot continue.

Yishi has withdrawn all the miners and now only plans to hoard Bitcoin, not touching anything else. You think our 15.5% loss this time is equivalent to the annualized return of a year of mining being wiped out. What we were doing was a relatively low-risk strategy, not some high-leverage, daily profit of dozens of times type of play. After working hard for a year to earn 15 points, now it's all gone in a day, who can stand it?
