
DeFi Protocol Resupply Hacked for $9.6M Due to Vulnerability, Users Asked to "Pay for the Loss"?

2025-06-30 16:32
Yishi rips into Resupply: this is not a black swan event, it is a man-made disaster, a severe oversight at the development level.
Original Article Title: "Resupply Loses $9.6 Million Due to Vulnerability, Leaves Users Holding the Bag?"
Original Source: 1912212.eth, Foresight News


In recent years, the rapid development of the DeFi space has attracted numerous investors and developers. However, its high-risk, high-return nature has also led to recurring problems, above all the repeated theft of funds through hacker attacks, which have troubled many on-chain yield farmers and arbitrageurs. On June 27, the DeFi protocol Resupply suffered a major security vulnerability that resulted in the theft of $9.6 million, an event that became widely known in the community because of a rights-defense campaign launched by OneKey founder Yishi Wang.


Yishi, as one of Resupply's key investors, publicly criticized the project team's mistakes and called on relevant parties to take responsibility. His actions sparked widespread discussions within the community, even leading to a heated confrontation with Curve founder Michael Egorov.


Contract Vulnerability Leads to User Funds Being Drained


Resupply, an emerging DeFi protocol, aimed to attract users and investors through innovative liquidity management and yield strategies. DeFi protocols typically utilize smart contracts for the automated management of liquidity pools, allowing users to deposit crypto assets to earn yields. However, the complexity of such protocols and code vulnerabilities often make them targets for hacker attacks. Since its launch, Resupply, with its high yield promises and collaborations with well-known DeFi projects like Curve, Convex, and Yearn, quickly attracted a significant amount of funds and attention, managing assets worth hundreds of millions of dollars before the theft incident.


Yishi Wang, the founder of the crypto wallet company OneKey, is one of the top three investors in Resupply. According to his public statement on X, he personally invested millions of dollars in Resupply, and this attack event not only caused significant financial losses but also brought immense psychological pressure.


According to Yishi's analysis, the root cause of the event was that the Resupply team failed to burn the initial shares when deploying a new vault, which triggered the "inflationary minting bug" of the ERC-4626 standard in the protocol's vault contract. This bug allowed attackers to mint an unlimited amount of tokens at zero cost, thus draining the assets in the liquidity pool.
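To make the "initial shares not burned" failure concrete, the following added example (not Resupply's code; the vault model and all numbers are constructed) simulates ERC-4626-style share accounting and runs the pre-deployment check a vault operator would want: after a tiny first deposit and a direct token transfer that skews the exchange rate, does a normal deposit still receive shares it can redeem? The unseeded vault returns zero shares; the vault whose initial shares were burned at deployment keeps the depositor's loss below 0.1%.

```python
# Added illustration, not Resupply's code: ERC-4626-style share accounting
# with and without initial shares burned at deployment. Numbers are constructed.

class Vault:
    """Minimal ERC-4626-style vault: shares = assets * totalShares / totalAssets."""

    def __init__(self, burned_initial_shares: int = 0):
        # Burning initial shares at deployment seeds totalShares/totalAssets with a
        # balance nobody can redeem, so the exchange rate cannot be skewed cheaply.
        self.total_assets = burned_initial_shares
        self.total_shares = burned_initial_shares

    def convert_to_shares(self, assets: int) -> int:
        if self.total_shares == 0:            # empty vault: 1 asset = 1 share
            return assets
        return assets * self.total_shares // self.total_assets   # rounds down

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def receive_direct_transfer(self, assets: int) -> None:
        # Tokens sent straight to the vault raise totalAssets without minting shares.
        self.total_assets += assets

    def redeemable(self, shares: int) -> int:
        return shares * self.total_assets // self.total_shares


def deposit_after_rate_skew(burned_initial_shares: int, skew: int, deposit: int):
    """Deployment sanity check: after a 1-wei deposit and a direct transfer of
    `skew` assets, does a normal `deposit` still get shares worth redeeming?
    Returns (shares minted, assets those shares currently redeem for)."""
    v = Vault(burned_initial_shares)
    v.deposit(1)
    v.receive_direct_transfer(skew)
    shares = v.deposit(deposit)
    return shares, v.redeemable(shares)


if __name__ == "__main__":
    WEI = 10**18
    # Unseeded vault: the 0.5-token deposit rounds down to 0 shares.
    print(deposit_after_rate_skew(0, WEI, WEI // 2))
    # 1000 shares burned at deployment: 500 shares, redeemable for ~0.4997 tokens.
    print(deposit_after_rate_skew(1000, WEI, WEI // 2))
```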


Yishi commented, "This is not a black swan event; it is a man-made disaster, a severe negligence at the development level." He pointed out that this vulnerability was not exploited by external hackers using complex technical means but was a low-level mistake in the team's basic code deployment. Such errors are particularly fatal in the DeFi space because the immutability of smart contracts means that once a vulnerability is exploited, the losses are almost irrecoverable.


Silence, Muting, and Attempting to Shift Losses onto Investors


Blockchain hacking incidents are constantly unfolding; in the past few years several public blockchains, DeFi projects, and exchanges have lived through heart-stopping moments of being hacked. Usually the official team issues a timely statement and immediately reaches out to the hacker; the Resupply team's handling, however, is bewildering. Not only did they stay silent toward the hacker, they also had "not yet conducted technical tracing/bounty related work."



Yishi revealed that the team did not immediately launch an investigation or report to the authorities but instead tried to shift the losses onto investors through an insurance pool, while simultaneously muting dissenters in the official Discord server. As a major investor, Yishi, after raising legitimate concerns, was unexpectedly muted by the team, an action that left him feeling "shocked and angry."


The latest proposal indicates that the project will absorb the bad debt through the insurance pool


Facing Resupply team's inaction and suppression of dissent, Yishi chose to publicly fight for his rights on Platform X. He published a lengthy article, revealing in detail the causes and consequences of the event, and directly criticized the Resupply team for their misconduct. He emphasized that the design of the insurance pool was meant to deal with unforeseen black swan events, not to cover up the development team's basic mistakes. He questioned: "If user losses from development mistakes can be passed on, then this is essentially robbing the poor to help the rich with fake insurance."


Yishi's advocacy not only targeted the Resupply team but also extended to well-known DeFi protocols collaborating with the project, such as Curve, Convex, and Yearn. He pointed out that these projects, by providing liquidity support and endorsement for Resupply, gained exposure and returns, so they should not remain indifferent after the event. In particular, Curve's stablecoin crvUSD played a significant role in Resupply's liquidity pool. Yishi called on the developers and treasuries of these projects to jointly assume compensation responsibility to offset investors' losses.


According to public information, the average annual theft from related protocol projects in recent years amounts to $10 million, which has aroused community suspicion of insider theft.


· In 2021, Yearn Finance was hacked for approximately $11 million due to a smart contract business logic vulnerability, where the attacker exploited the protocol's insufficiently protected liquidity, carried out a flash loan attack, and manipulated the fund pool for arbitrage.


· March 2023: Yearn Finance lost approximately $1.4 million due to the Euler Finance exploit. Yearn Finance had a fund relationship with Euler Finance, resulting in an indirect loss, with Yearn Finance's own contract having no vulnerabilities.


· April 13, 2023: Yearn Finance lost approximately $11.6 million due to an early iearn yUSDT contract misconfiguration, where the contract erroneously pointed to the wrong asset pool (USDC instead of USDT). The attacker exploited this misconfiguration by minting a large amount of yUSDT and then cashing out.


· March 28, 2024: Prisma Finance lost around $10 million due to permission management and business logic vulnerabilities in its contract. The attacker deployed a malicious contract and stole funds through multiple transactions, involving issues with function permissions and contract call flaws.


· June 26, 2025: Convex Finance (Resupply sub-DAO) lost approximately $10 million due to a business logic vulnerability in the Resupply sub-DAO contract. The attacker exploited the contract flaw to illegitimately transfer funds, potentially related to insufficient contract permissions or fund transfer verifications.


In addition, Yishi criticized the communication attitude of the Resupply team. He stated that the team not only lacked transparency but also ridiculed and banned investors who raised objections, which he viewed as a serious betrayal of community trust. He urged Resupply to devise a fair solution to return losses incurred due to technical mistakes to users.


Soon after, Yishi was targeted by anonymous individuals with private-message attacks using racist mock-Chinese slurs such as "ching chong," which sparked widespread discontent in the Chinese-speaking community.


Escalation of Conflict: Confrontation with Curve Founder


Yishi's public advocacy quickly led to a direct conflict with Curve founder Michael Egorov. Prior to this, Curve Finance's official statement on this security incident was, "Although Resupply was not developed by Curve developers, the Resupply creators are highly capable and experienced. We believe they will do their utmost to resolve this issue."


However, the event did not end there.


According to Yishi, Michael privately threatened to sue him, claiming that his statements "defamed Curve's reputation." This news sparked intense debate on X, with many arguing that, as Resupply's partner, Curve should bear some responsibility for Resupply's actions rather than resorting to legal threats to suppress criticism.


Yishi responded on X, saying, "Michael mentioned suing me for defaming Curve's reputation. What kind of behavior is this? Honest people deserve to be bullied, right?" He stated that despite respecting Michael's efforts to mediate the situation, he will not give up on accountability.


As the situation escalated, some users began associating Yishi's personal rights-protection actions with the OneKey brand, even accusing OneKey of "orchestrating a public opinion attack" against Resupply. In response, OneKey issued a stern statement on X on June 29, clarifying that the company has never been involved in or controlled any public opinion attacks, and that Yishi's rights-protection actions are part of his personal investment activities and unrelated to OneKey's business.


Summary


The Resupply incident is not only a microcosm of Yishi's personal rights protection but also reflects the many issues the DeFi industry has exposed in its rapid development. Firstly, the security of smart contracts remains a core challenge for DeFi projects. Although Resupply's vulnerability may seem trivial, similar events are not uncommon in the DeFi space. As of 2024, global cryptocurrency losses due to hacking and fraud have exceeded $2.2 billion, underscoring the urgent need to enhance industry security standards.


Secondly, the way the Resupply team handled the situation exposed the shortcomings of DeFi projects in crisis management. Behaviors such as lack of transparency, suppression of dissent, and shifting blame not only damage investor trust but may also have a devastating impact on the project's long-term development. Yishi's rights protection action reminds the community that investors have the right to demand that projects take responsibility for technical errors instead of passing the losses on to users.


The incident also sparked a discussion on partner responsibility in the DeFi ecosystem. Projects like Curve and Convex were embroiled in controversy due to their collaboration with Resupply, highlighting that the interconnectedness of DeFi projects is both an advantage and a risk multiplier. In the future, clarifying the allocation of responsibilities in ecosystem cooperation will be a critical issue that the DeFi industry needs to address.

