Written by: 1912212.eth, Foresight News
In recent years the rapid growth of DeFi has drawn countless investors and developers, but its high-risk, high-return character has also produced recurring problems, above all hacks that drain funds and have burned many on-chain yield and arbitrage traders. On June 27, the DeFi protocol Resupply suffered a serious security breach in which about $9.6 million was stolen. The incident became widely known in the community because of the public accountability campaign launched by OneKey founder Yishi Wang.
As one of the main investors in Resupply, Yishi publicly criticized the project team's mistakes and demanded that the responsible parties be held accountable. His actions sparked widespread discussion in the community and even led to a sharp confrontation with Curve founder Michael Egorov.
A contract vulnerability led to users' funds being completely drained.
Resupply is a relatively new DeFi protocol that sought to attract users and investors with novel liquidity management and yield strategies. DeFi protocols typically automate pool management through smart contracts, letting users deposit crypto assets to earn yield; the complexity of these protocols, and the bugs that come with it, make them frequent targets for attackers. Thanks to its high-yield promises and its ties to well-known projects such as Curve, Convex, and Yearn, Resupply quickly drew significant capital and attention after launch and was managing hundreds of millions of dollars in assets before the theft.
Yishi Wang, founder of the crypto wallet company OneKey, is one of the three largest investors in Resupply. According to his public statement on X, he personally put millions of dollars into the protocol. The attack not only caused him significant financial losses but also put him under immense psychological pressure.
According to Yishi's analysis, the root cause was that the Resupply team failed to burn the initial shares when deploying the new vault, leaving the smart contract exposed to the well-known ERC-4626 share-price inflation vulnerability (also called the "first depositor" or "donation" attack). In this pattern an attacker makes a tiny first deposit into an empty vault and then transfers assets directly to it, so that the price of a single share becomes enormous and any contract that reads that price is working with a manipulated exchange rate. The result, per Yishi, was that the attacker could mint unlimited tokens at zero cost, and the pool's assets were drained completely.
Yishi commented: "This is not a black swan event; it is human error, a serious negligence at the development level." He argued that the exploit did not depend on sophisticated techniques on the attacker's side; it was made possible by a basic error in the team's deployment. Such mistakes are especially fatal in DeFi: because deployed smart contracts are immutable, once a vulnerability is exploited the losses are almost impossible to reverse.
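The share-price inflation pattern described above, simulated in Python as an added example. This is constructed here; it is not Resupply's code, nor a reconstruction of the attacker's transactions, and the vault model, the burn address placeholder, and all amounts are assumptions. The model mints shares on deposit with floor division, lets anyone raise the vault's asset balance by a plain token transfer ("donation"), and compares three configurations: naive ERC-4626 math, burning "dead shares" on the first deposit (the step the article says was skipped), and OpenZeppelin-style virtual shares/assets. In the naive vault a 1-wei first deposit plus a 10,000-unit donation captures a later 10,000-unit deposit entirely; with either mitigation the attacker loses money. How the inflated exchange rate was actually abused against Resupply's own contracts is not detailed on this page.

```python
"""ERC-4626 share-price inflation ("first depositor" / donation) attack,
simulated with integer arithmetic. Constructed example, not Resupply's code."""

DEAD = "0x...dead"  # placeholder for the burn address (assumption)


class Vault:
    def __init__(self, dead_shares=0, virtual_offset=None):
        self.dead_shares = dead_shares        # shares locked at DEAD on first deposit
        self.virtual_offset = virtual_offset  # None = no virtual shares/assets
        self.total_assets = 0                 # underlying balance, donations included
        self.total_supply = 0                 # shares outstanding, DEAD's included
        self.shares = {}

    def convert_to_shares(self, assets):
        if self.virtual_offset is not None:
            # OpenZeppelin ERC4626 formula: 10**offset virtual shares, 1 virtual asset
            return assets * (self.total_supply + 10 ** self.virtual_offset) // (self.total_assets + 1)
        if self.total_supply == 0:
            return assets                     # first depositor sets the price 1:1
        return assets * self.total_supply // self.total_assets  # rounds down

    def convert_to_assets(self, shares):
        if self.virtual_offset is not None:
            return shares * (self.total_assets + 1) // (self.total_supply + 10 ** self.virtual_offset)
        if self.total_supply == 0:
            return shares
        return shares * self.total_assets // self.total_supply

    def deposit(self, who, assets):
        minted = self.convert_to_shares(assets)
        if self.total_supply == 0 and self.dead_shares:
            # Uniswap-v2-style mitigation: permanently lock the first shares so a
            # 1-wei deposit cannot own essentially the whole supply.
            if minted <= self.dead_shares:
                raise ValueError("first deposit too small")
            self.shares[DEAD] = self.dead_shares
            self.total_supply += self.dead_shares
            minted -= self.dead_shares
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        # Direct token transfer to the vault: raises totalAssets, mints nothing.
        self.total_assets += assets

    def redeem(self, who, shares):
        if shares > self.shares.get(who, 0):
            raise ValueError("insufficient shares")
        assets = self.convert_to_assets(shares)
        self.shares[who] -= shares
        self.total_supply -= shares
        self.total_assets -= assets
        return assets


def run_attack(vault, attacker_seed=1, donation=10_000, victim_deposit=10_000):
    """Attacker makes the first (tiny) deposit, donates to inflate the share
    price, a victim deposits, then both redeem. Returns what each got back."""
    vault.deposit("attacker", attacker_seed)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    victim_out = vault.redeem("victim", victim_shares)
    attacker_out = vault.redeem("attacker", vault.shares["attacker"])
    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_out": attacker_out,
        "attacker_profit": attacker_out - attacker_seed - donation,
    }


if __name__ == "__main__":
    # naive: victim gets 0 shares and loses the full 10,000; attacker nets +10,000
    print("naive      ", run_attack(Vault()))
    # dead shares: attacker must seed > 1000, ends up with one near-worthless share
    print("dead shares", run_attack(Vault(dead_shares=1000), attacker_seed=1001))
    # virtual offset 3: victim loses 2 wei to rounding, attacker loses ~5,000
    print("virtual    ", run_attack(Vault(virtual_offset=3)))
```

The attack is only profitable when the attacker's share of the supply after the first deposit is overwhelming, which is exactly what dead shares or a virtual offset deny them; in the dead-shares vault a 1-wei seed is rejected outright, and in the virtual-offset vault the victim's rounding loss shrinks to a few wei while the donation is mostly forfeited to the vault.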
Silence, censorship, and attempts to make investors bear losses.
Hacks are a constant in the blockchain world. Over the past few years many public chains, DeFi projects, and exchanges have lived through the frightening moment of being exploited, and their teams usually respond quickly and open a channel to the attacker. The Resupply team's handling of this incident, by contrast, was baffling: not only did it stay silent after the attack, it also "have yet to conduct technical tracing / white-hat bounty work until now."
Yishi revealed that the team neither investigated promptly nor reported the incident, but instead tried to push the losses onto investors through the insurance pool while muting those who asked questions on the official Discord server. As a major investor, Yishi said he was "shocked and angry" to find himself silenced after raising reasonable questions.
The latest proposal indicates that the project team will use the insurance pool to cover the bad debt.
Faced with the team's inaction and its suppression of dissent, Yishi chose to make his case publicly on X. He published a long post laying out the full course of events and criticizing the Resupply team's negligence in particular. He stressed that the insurance pool exists to absorb unpredictable black-swan events, not to cover the development team's basic mistakes, and asked: "If development errors can be borne by users, then this is essentially a false insurance that robs the rich to give to the poor."
Yishi's campaign targeted not only the Resupply team but also the well-known DeFi protocols that partnered with it: Curve, Convex, and Yearn. These projects, he argued, gained exposure and profit by providing liquidity and endorsement to Resupply, so they should not stand aside after the incident. Curve's stablecoin crvUSD in particular played an important role in Resupply's pools. Yishi called on the developers and treasuries of these projects to share responsibility for compensating investors' losses.
Public records show that protocols in this circle have lost on the order of $10 million a year to exploits in recent years, which has also led some in the community to suspect insider involvement.
In 2021, Yearn Finance lost approximately $11 million to a logic flaw in a vault contract: an attacker used flash loans to manipulate the pool's inadequately protected liquidity and extract the difference.
In March 2023, Yearn Finance lost approximately $1.4 million indirectly when Euler Finance was hacked; Yearn had funds exposed to Euler, while its own contracts had no vulnerability.
On April 13, 2023, Yearn Finance lost approximately $11.6 million through a configuration error in the early iearn yUSDT contract, which pointed at the wrong underlying pool (USDC instead of USDT). The attacker used this misconfiguration to mint a massive amount of yUSDT and cash it out.
On March 28, 2024, Prisma Finance lost approximately $10 million to permission-management and business-logic flaws in its contracts. The attacker deployed a malicious contract and drained funds over several transactions, exploiting a missing function-level permission check together with a defect in how the contracts were invoked.
On June 26, 2025, Resupply, a Convex Finance sub-DAO, lost approximately $9.6 million to the vault flaw described above: a business-logic defect in the newly deployed Resupply contract let the attacker move funds out that proper permission and fund-flow checks should have blocked.
Yishi also criticized the Resupply team's communication. The team, he said, not only lacked transparency but mocked and banned investors who objected, a serious betrayal of community trust. He called on Resupply to devise a fair plan to compensate users for the losses caused by its technical errors.
Soon afterwards, anonymous accounts began harassing Yishi via private messages with racist taunts such as "ching chong", which drew widespread anger in the Chinese-speaking community.
Escalating conflict: Confrontation with the founder of Curve.
Yishi's public campaign soon led to a direct confrontation with Curve founder Michael Egorov. Curve Finance's earlier official statement on the incident had said: "Although Resupply was not developed by Curve developers, the creators of Resupply are capable and experienced, and we believe they will do their utmost to resolve this issue."
However, the incident did not end there.
According to Yishi, Michael told him privately that he would sue, claiming that Yishi's remarks "smeared Curve's reputation." The news set off fierce debate on X, with many arguing that Curve, as a Resupply partner, should bear part of the responsibility rather than suppress criticism with legal threats.
Yishi responded on X: "Michael said he would sue me for defaming Curve's reputation. What kind of behavior is this? Honest people are meant to be bullied, right?" He stated that although he respects Michael's efforts to mediate the incident, he would not give up on seeking accountability.
As the incident developed, some users began to associate Yishi's personal advocacy with the OneKey brand, even accusing OneKey of "organizing a public opinion attack" on Resupply. In response to these accusations, OneKey released a stern statement on June 29 on the X platform, clarifying that the company has never participated in or manipulated any public opinion attack, and that Yishi's advocacy actions are his personal investment actions unrelated to OneKey's business.
Summary
The Resupply incident is not only the story of one investor's fight for accountability but also a microcosm of the problems exposed in a fast-growing DeFi industry. First, smart contract security remains the core challenge for DeFi projects. Resupply's vulnerability looks elementary, yet similar incidents are far from rare: in 2024, global losses to crypto hacks and fraud exceeded $2.2 billion, underscoring the urgent need to raise the industry's security standards.
Second, the Resupply team's response exposed how poorly prepared DeFi projects can be for crisis management. A lack of transparency, suppression of dissent, and shirking of responsibility not only damage investors' trust but can deal a devastating blow to a project's long-term prospects. Yishi's campaign is a reminder that investors are entitled to demand that project teams take responsibility for their technical errors rather than pass the losses on to users.
The incident also sparked debate about the responsibilities of partners within the DeFi ecosystem. Curve and Convex were pulled into the controversy because of their collaboration with Resupply, showing that the interconnectedness of DeFi projects is both a strength and a potential amplifier of risk. How responsibility should be apportioned across ecosystem partnerships will be an important question for the DeFi industry to address.