Recently, security incidents in the DeFi space have been frequent. Following a project on the Sui chain being hacked for 200 million USD, the Curve ecosystem's Resupply project suffered a loss of 9.5 million USD due to vulnerabilities. Compared to 200 million USD, 9.5 million USD seems 'smaller', but when it falls on specific individuals, it is a disaster. As one of the three major investors in Resupply, victim representative Yi Shi voiced anger and a set of demands that expose deep-rooted problems: the vulnerabilities in DeFi itself and the project's mishandled response.
Event Background and Investor Position
Resupply attracted investors, including Yi Shi, to invest millions of dollars due to its backing from well-known teams like Curve, Convex, and Yearn. However, the project was exploited by hackers due to the ERC4626 inflation vulnerability, leading to serious losses. Even more disappointing is that the team did not respond actively but shifted the losses onto depositors in the insurance pool and suppressed dissent on Discord. Yi Shi summarized the following core demands:
Trust Endorsement: Investors invested large amounts due to the credibility of teams like Curve. Without these endorsements, few would participate. The team's actions to distance themselves from investors are infuriating.
Technical Error: The loss stemmed from the team's failure to destroy initial shares when deploying a new vault, allowing attackers to mint infinite shares at near-zero cost, depleting assets. This is a protocol-level oversight, not market volatility.
Inappropriate Response: The team did not prioritize investigating the vulnerability or protecting user funds, but instead suppressed dissent, mocked victims, and showed a lack of accountability.
Misuse of Insurance Pool: The insurance pool should cover black swan events or market risks, not development errors. Using user funds as a backup for mistakes is unacceptable.
Lack of Transparency: There is no precedent in DeFi indicating that the insurance pool should bear losses due to protocol errors. The Resupply documentation did not clearly state this, yet the team distorted the facts.
Responsibility Attribution: Curve and crvUSD benefited from Resupply, the vulnerability is a design flaw, and responsibility lies with the team.
Individual Responsibility: c2 personally contributed 1.5 million USD to show character, but the burden should not fall on one person; Convex or Yearn should contribute.
Mediation Acknowledgment: Respect for Michael's mediation efforts for Curve, but do not support covering up issues.
Fair Demand: The team should return losses caused by errors and take appropriate action.
Curve's Response
Curve expressed concern over the incident, emphasizing that multiple independent ecosystem projects have enhanced its decentralization and resilience. Resupply has facilitated the adoption of the crvUSD stablecoin and the LlamaLend lending protocol. During the incident, the Curve pool and lending market performed normally, and crvUSD did not deviate from its peg. Curve plans to optimize the process for integrating safety code written by integrators and believes that the Resupply team will do their best to resolve the issue, prioritizing the recovery of insurance pool funds to minimize impact.
Attack Technical Analysis
ResupplyPair lets users stake collateral to take out loans. The isSolvent modifier (line 282) checks borrowing eligibility and relies on _exchangeRate to compute the loan-to-value ratio (LTV); if _exchangeRate is 0, the check always passes. The attacker manipulated the oracle's getPrices function to inflate the price of the staked asset, and because the exchange rate moves inversely with that price, a sufficiently inflated price rounds _exchangeRate down to zero in integer arithmetic. getPrices calls the vault's convertToAssets, whose result is determined by total_assets, which in turn tracks the borrowed_token (crvUSD) held in the controller contract. Using an empty vault, the attacker transferred borrowed_token into the controller, inflating total_assets, and was then able to borrow 10 million reUSD at near-zero cost, resulting in a loss of 9.5 million USD.
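To make the solvency path above concrete, the following Python model (written for this article, not Resupply's or Curve's code) mirrors the integer arithmetic with Solidity-style floor division and places the degenerate check beside two defender-side fixes: refusing a zero exchange rate, and seeding the vault with burned initial shares, which is the omission the investor demands point to. It assumes the oracle quotes price = convertToAssets(1e18), that the pair derives the exchange rate as 1e36 // price, and a Fraxlend-style LTV formula; none of these come from the page, and all amounts are constructed.

```python
# Added example, not Resupply's or Curve's code: a Python model of the solvency
# path described above, using Solidity-style uint256 floor division. Assumed,
# not from the page: price = convertToAssets(1e18), exchange_rate = 1e36 // price,
# and a Fraxlend-style LTV formula. All amounts are constructed.
EXCHANGE_PRECISION = 10**18
LTV_PRECISION = 10**5
MAX_LTV = 75_000  # 75 %, constructed

def convert_to_assets(shares: int, total_assets: int, total_supply: int) -> int:
    """Naive ERC4626 conversion: with almost no shares outstanding, a donation
    to total_assets swings the quote by orders of magnitude."""
    if total_supply == 0:
        return shares
    return shares * total_assets // total_supply

def exchange_rate_from_vault(total_assets: int, total_supply: int) -> int:
    price = convert_to_assets(10**18, total_assets, total_supply)
    return 10**36 // price  # floors to 0 as soon as price exceeds 1e36

def is_solvent_naive(borrow: int, collateral: int, exchange_rate: int) -> bool:
    """Approves any borrow size once exchange_rate is 0: LTV computes as 0."""
    if borrow == 0:
        return True
    if collateral == 0:
        return False
    ltv = (borrow * exchange_rate // EXCHANGE_PRECISION) * LTV_PRECISION // collateral
    return ltv <= MAX_LTV

def is_solvent_hardened(borrow: int, collateral: int, exchange_rate: int) -> bool:
    """Same check, but a zero rate means 'price unavailable': refuse the borrow."""
    if exchange_rate == 0:
        return False
    return is_solvent_naive(borrow, collateral, exchange_rate)

def zero_rate_scenario():
    # Constructed: a vault with 1 wei of shares outstanding receives a 1e20 wei
    # donation of borrowed_token; 10M reUSD is then requested against 1 wei.
    rate = exchange_rate_from_vault(total_assets=10**20, total_supply=1)
    borrow, collateral = 10_000_000 * 10**18, 1
    naive = is_solvent_naive(borrow, collateral, rate)
    hardened = is_solvent_hardened(borrow, collateral, rate)
    return rate, naive, hardened

def seeded_scenario():
    # Constructed: the same donation against a vault seeded with 1e18 burned
    # initial shares backed by 1e18 assets: the quote moves, but the rate stays
    # non-zero and the oversized borrow is rejected.
    rate = exchange_rate_from_vault(10**18 + 10**20, 10**18)
    return rate, is_solvent_naive(10_000_000 * 10**18, 1, rate)
```

The seeded vault still lets a donation move the quote, so the zero-rate guard belongs in the lender regardless of how the vault is initialised.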
Conclusion
The Resupply incident exposed the vulnerabilities in DeFi contract design and initialization. The team's mistakes and inappropriate responses exacerbated investor losses. Although Curve expressed support, responsibility allocation and fund recovery still need clarification. DeFi must strengthen contract auditing and transparency, and investors should be more cautious in assessing risks. The Resupply team should quickly fix the vulnerabilities, return user funds, and rebuild trust.
Nangong's Comments: The on-chain gold rush yields substantial returns, but it remains fraught with dangers. The fully on-chain world we hoped for may not arrive so quickly. Currently, on-chain, fragile brands, fragile code, and fragile teams cannot support such a large market value or asset management scale.