Interview with a Resupply Victim: Who Should Be Held Responsible for This $9.6 Million?


2025/07/02 04:40

It has been a week since the Resupply hack. On June 26, the DeFi protocol Resupply's stablecoin "wstUSR Market" experienced a security vulnerability, resulting in a loss of approximately $9.6 million in crypto assets. As the saying goes, "If you walk by the river long enough, you will get your shoes wet." DeFi OG player 3D released a series of videos on his YouTube channel for three consecutive days seeking justice. BlockBeats reached out to 3D to discuss his firsthand experience as a victim of the hack and the subsequent events that unfolded.


3D was one of the early users to participate in the protocol's mining. He is both a miner and a content creator. During the interview, we heard his doubts, emotions, and some unspoken rules in the industry. He mentioned Curve's "implicit endorsement," the project team's passive response to the hacker, and the community's experience of being ostracized and humiliated during the justice-seeking process.


Compared to the monetary loss, what shook 3D the most, as he described, was the erosion of confidence in the industry. He admitted that while he did not suffer the heaviest financial loss, he was the angriest—not because of the money but because of the neglect and humiliation of users' identities. His experience mirrors the common plight of countless DeFi participants—unclear responsibilities, lack of avenues for justice, and a continuous erosion of ethical standards.


Below is the full conversation:


BlockBeats: Please introduce yourself briefly, 3D.


3D: My online name is 3D, and my main job is still mining. I entered the crypto space in 2017, but I truly began focusing on DeFi and arbitrage during the DeFi Summer of 2020. I also run a YouTube channel focused on DeFi arbitrage—3D Crypto Channel.


BlockBeats: How much in funds is estimated to have been lost so far? How is the actual scale of the loss calculated or measured?


3D: The total visible fund size currently is basically the size of the insurance pool—approximately $38 million.




BlockBeats: What proportion of the Chinese user base do you think was affected this time?


3D: I'm not very clear about this. However, the ones who spoke out the most and the earliest for rights protection this time were indeed Yishi and me. We were the ones leading the charge. The Chinese users were more vocal; there were some English users as well, but the overall volume was relatively much smaller.




The Time Period After Resupply Was Hacked


BlockBeats: What is the current solution?


3D: Simply put, we directly lost 15.5% of our principal. The community actually hoped they would take action, after all, the total loss this time was about ten million U.S. dollars. One of their team's developers lost about 1.5 million, and they took out about 800,000 from the treasury, implying that in total it was just a little over 20%.


Their attitude was like saying, "Look, we lost money too, so don't pursue it any further." But the question is, why didn't you use this money to communicate with the hacker? For example, "Return the money, and we will use this portion as a white hat reward for you," wouldn't that be a win-win situation? But they didn't do any of that.


BlockBeats: Why did you choose this protocol for mining in the first place?


3D: I joined the Resupply project around early April. At that time, while scrolling through Twitter, I saw a post from someone I have long been following, and later saw that even the Curve official account retweeted it, which caught my attention.


In hindsight, looking at the operational logic of the project, it seemed quite strange. It didn't seem like it was aiming to make money itself, but more like helping Curve to "boost" the usage of crvUSD. Because crvUSD itself doesn't have much practical use, it used a mechanism to forcibly create a use case, and then incentivized everyone to participate.




From our perspective as participants, this whole thing seemed like a big brother trying to artificially boost the platform's data, asking its "little brother" to make an appearance, and indeed Curve gave a certain endorsement, so at that time, we didn't see any issues.


For people like us who mine or arbitrage, when encountering a new project, we always evaluate two key points first: first is the product itself, how does it actually work? Where does the money you earn come from? The second is the background of the project team, known as "on-chain" and "off-chain" information, and thorough research is required for both. In my judgment at that time, the logic of the Resupply product was relatively simple and straightforward.


BlockBeats: Who do you think should be responsible after the incident? What key decisions did the Resupply team make after the incident? Compared to mature DeFi protocol platforms, what are the significant gaps in their response process?


3D: I think their biggest problem in post-incident handling was that they completely lacked crisis response awareness. They didn't even do the most basic things at the very beginning. This is something everyone can find online, and even C0ban pointed out: they neither publicly called out the hacker, nor issued a statement explaining the situation, nor initiated any legal action or accountability mechanisms. There wasn't even an attempt to communicate with the hacker; it was a complete laissez-faire approach.


Other projects at least would issue a statement, pause the contract, contact white hats, attempt to recover funds; these basic operations were not done. They acted as if nothing happened.


We also don't understand why the project team didn't actively communicate with the community. The entire event led to a loss of nearly ten million, with their own team having only contributed around 1.5 million, plus the project treasury offering about 800k, covering only about 20% of the losses. However you look at it, this was merely a symbolic "gesture," a drop in the bucket.


Their attitude was basically, "Look, we lost money too, don't bother us anymore." But the problem is that they could have taken that money and negotiated with the hacker, clearly stating that if they returned the funds, it would be considered a white hat reward, a win-win situation. Yet they completely failed to take such measures.


In the first place, their passivity in recovering the hacker's assets was extreme, to the point of complete inaction. From last Thursday's incident to now, several days have passed, and there has been no substantive progress.


The second point is their extremely arrogant and indifferent attitude towards the community. As soon as the incident occurred, many of us users went to Discord to inquire, but they directly stated that "the insurance pool people will bear the losses," not even providing a basic discussion space. When we questioned their actions, saying that the documentation did not mention that users needed to bear such losses, we were instead mocked, attacked, and even directly banned.


They also said, "You earned a 17% annualized return, so you have to bear the corresponding risk." This logic simply doesn't hold up; we only participated in a 17% annualized strategy, which doesn't mean that we should bear full responsibility for the protocol being hacked.


The feedback from our group is very consistent. It's not the financial loss that is most upsetting, but rather the experience of being humiliated and ostracized in Discord that is more enraging. The core reasons behind the strong reaction to this event are twofold: the inaction of the project team and their disdain for users.


If indeed they cannot afford to compensate fully, they could have clearly stated their position, such as initially providing 3 million, with the remaining 7 million to be shared proportionally among all users, which would have been a better approach than what they are doing now. However, their handling of the situation is to directly shift all the responsibility onto the users of the insurance pool. Their purpose in doing so is clear: they want to maintain the protocol's operation and prevent the project from failing.


What's most ironic is that if you look at their announcement at the time, they hardly mentioned the amount of the loss, only vaguely stating that they encountered a vulnerability, paused one market, and everything else was business as usual. This type of information disclosure is highly irresponsible.


Even more serious is that the hacker exploited the vulnerability to mint 10 million stablecoins at zero cost and dumped them on the market, directly breaking the originally overcollateralized mechanism, rendering the stablecoin no longer adequately backed by assets. In this scenario, the project team still did not pause the protocol, instead allowing users to withdraw their funds at their own discretion.


The result was that those who acted quickly were able to withdraw, while those in the insurance pool were completely locked in because withdrawals have a 7-day delay. To make matters worse, they initiated a new proposal to halt withdrawals from the insurance pool, further freezing user assets. As for their statement that "bad debts should be borne by the insurance pool," there is simply no precedent for this in a DeFi protocol. Once again, they have crossed the industry's bottom line, showing a complete lack of governance rationality.


BlockBeats: So, have there been any projects in the past that used this insurance pool to cover losses?


3D: There has been absolutely no instance of the insurance pool covering bad debts.


Participation in this Resupply project only had three gameplay options: staking, flash loans, and LP formation. In reality, from the users' perspective, those participating in staking are the most risk-averse group in it, yet they are now required to bear all the risk. The core issue lies in users' expectations of the insurance pool. We all believed that it should only bear bad debts caused by market fluctuations.


Regarding the matter of the insurance pool, I made an analogy at the time, which may not be entirely precise, but it was along these lines. It's like if you bought a wealth management product on Binance, and then Binance got hacked. It tells you, "Weren't you here to deposit money? Well, let's all bear the loss together, especially you users who bought the wealth management product." In the end, the losses are only deducted from the funds of the wealth management users, and others are not affected.


In the past, some exchanges were hacked, and the loss was shared proportionally among all users. However, this time was different. They only made yield farmers bear the entire loss. Their logic was: "If you want to reap the benefits of a 2% annual percentage yield, you must take responsibility for it." Some even said, "There's no such thing as a free lunch," implying that if you took a 17% annual percentage yield, you deserve to bear the loss from this hack, which is a ridiculous statement.


What Role Did Curve Play in This Incident?


BlockBeats: You mentioned that you participated in Resupply because of trust in Curve. What do you think is the relationship between Resupply and Curve? Do you think Curve's "cut ties" attitude after the incident is reasonable?


3D: I think this can be viewed from two perspectives. First is the surface logic – this project indeed served Curve, also gaining Curve's endorsement, being a part of the Curve ecosystem.


But on the other hand, anyone with a bit of critical thinking would make a reasonable conjecture: when you look at the protocol's design, it's essentially to serve Curve, in essence, playing the role of a "sidekick." Otherwise, its existence is almost meaningless; its core logic is to subsidize Curve's protocol revenue with its native token.


Doing something altruistic without seeking returns, purely giving blood – unless it's for true love, who would do that? Especially for its token, at that time, I thought this project wouldn't last a month because the overall story wasn't compelling; ultimately, it was just to bring some volume to Curve's stablecoin, with no substantial content.


But later, you see the price actually stabilized and remained stable for a long time. I was thinking, who is supporting this price floor? After much contemplation, the most reasonable explanation is that Curve itself is supporting it. Who benefits from this, who has the most incentive to maintain stability – this is common-sense reasoning; although there is no concrete evidence, as long as your brain is functioning normally, you can probably figure this out.



Resupply native token price trend


Before the incident, Curve was outspoken, saying this was a good project. Now that the incident happened, they immediately distanced themselves, saying, "It's just an ecosystem project, nothing to do with me." This attitude is just like some news we usually see: once something happens, it's blamed on "temporary workers." Now even we users have been banned; you can imagine how serious this matter has become.


If it weren't for Curve's endorsement, Resupply wouldn't have been able to raise so much money in the first place. Our decision to participate was not because of its development team — in fact, this team doesn't have a good reputation. If it were just them working on a project alone, we definitely wouldn't have participated.


What truly led us to participate were two reasons: first, its business model revolves around Curve's stablecoin, which logically means helping Curve grow, creating a sense of relative safety due to this intertwined relationship; and second, Curve's official endorsement of the project at that time, even taking actions to support it.


Regarding your mention of the project team's checkered past, it is indeed true. However, this time they didn't adopt a new identity but continued the project with their original persona, which to some extent can be seen as a form of "real-name" accountability.


BlockBeats: Should Curve bear joint responsibility for Resupply's official promotion and endorsement in this incident? How do you view the conflict of interest between the ecosystem's "post-event distancing" and "pre-event promotion"?


3D: I believe Curve's post-incident "disassociation" behavior is completely unreasonable. Even if I were just a small KOL, if I had previously recommended a mining pool and that pool encountered issues, even if I didn't benefit financially or have any vested interest, I would speak up immediately to inform my followers about the current problems and follow up on the situation.


When the project was running smoothly, Curve actively endorsed it; however, when issues arose, they took on a "not my problem" attitude, expressed a few words of "regret," and then distanced themselves completely. Such behavior is truly difficult to accept.


How to Avoid Pitfalls in Mining?


BlockBeats: What is the biggest challenge for DeFi users seeking recourse?


3D: The core issue lies in the lack of clear rights and responsibilities, compounded by the industry's overall lack of regulation. In this situation, seeking recourse is actually very challenging.


If the user is from the United States, the situation might be slightly better. This is because the U.S. has extraterritorial jurisdiction, allowing for cross-border legal action to hold parties accountable and potentially recover some funds, in addition to being able to report losses to the government. However, for us, there are hardly any such channels available.


BlockBeats: So, what are the current avenues for these affected whales to seek recourse?


3D: No way, who would want to be a clown on the internet?


In the end, we simply don't have any effective channels for protecting our rights. As long as the project team is determined to be irresponsible, users can only rely on voicing their own opinions and organizing actions. This event, for me, although the financial loss was not significant, triggered a strong reaction because I felt it was a form of insult. If all project teams hold this kind of attitude, then this industry simply cannot continue to operate.


To be honest, it's really quite disheartening. Today it may be me who's been scammed, but tomorrow it could be you; as long as you're in this circle, you will always encounter similar situations. As the saying goes, "True heroism is remarkably sober, very undramatic. It is not the urge to surpass all others at whatever cost, but the urge to serve others at whatever cost." This is how we can only view this industry. To solve the problem, on the one hand, it requires the project teams to have a bit of moral bottom line, and on the other hand, the industry also needs some basic self-discipline.


BlockBeats: When a project has just launched or is still in its early phase, what key information do you focus on checking?


3D: When a project has just launched or is still in its early phase, I usually focus on several key aspects.


First is the business model. What exactly is the revenue model of this project? Where does the profit come from? This is the most fundamental but also the most crucial question.


Second is on-chain information, which is the operational mechanism of the protocol itself, such as whether the flow of funds is smooth, whether there are any "sticking points" — for example, whether there are time locks on incoming and outgoing funds or whether high fees are charged. All of these directly affect user experience and risk.


Third is off-chain information. I want to see if the team has done any previous projects, whether they are anonymous, if there is any investment institution support, who is behind it, and whether I can find out some background information.


In addition to this, I will also actively engage with the project team on Discord to see their response attitude and whether the team is reliable. Some people may look at audit reports, but I want to remind you that many projects that have encountered issues have actually undergone audits. At most, an audit can only indicate whether the project team is willing to spend money to go through the process and cannot represent the true security of the project.


BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanisms, and stablecoin system?


3D: Curve's current situation is actually quite awkward. Its original niche was mainly to address Uniswap V2's issues with stablecoin trading depth. Because V2's constant product market-making mechanism did not perform well between stablecoins, a lot of funds needed to be stacked to provide liquidity. Curve then proposed a smoother curve design, focusing on stablecoin exchanges. It can be said that it initially stood firm in DeFi by relying on this differentiation, and as a basic infrastructure product, the logic was very clear. But now with Floyd's business pressures, I think it's on a downward trend, though I still have confidence in the stablecoin system.


I've actually been feeling quite anxious recently. Although my personal loss this time wasn't significant, the biggest impact on me was not financial, but rather psychological. I've been in this industry for a while now, not to say that I'm extremely passionate about it, but at least I've been deeply involved. However, now I'm seriously doubting the sustainability of this industry—if all project teams are like this one, then this industry simply can't go on.


Yishi pulled out all the mines, and now plans to just hodl Bitcoin, not touching anything else. Think about it, our 15.5% loss this time is equivalent to wiping out the annualized return from a year of mining. We were originally following a relatively low-risk strategy, not engaging in any high-leverage, get-rich-quick schemes. To earn 15 basis points through hard work in a year, only to lose it all in a day now, who can bear that?


Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
