It has been a week since Resupply was hacked. On June 26th, the stablecoin 'wstUSR market' of the DeFi protocol Resupply was hit by a security vulnerability, resulting in a loss of approximately 9.6 million dollars' worth of crypto assets. As the saying goes, 'Those who often walk by the river will inevitably get their shoes wet.' DeFi OG player 3D released a series of rights protection videos on his YouTube channel for three consecutive days. BlockBeats contacted 3D to discuss his experience as a victim of the losses and his reflections after this hacking incident.

3D is one of the early users who participated in mining this protocol. He is both a mining player and a content creator. In this interview, we heard his doubts, his emotions, and some of the unspoken rules of this industry. He talked about Curve's 'default endorsement', the project party's passive response to the hacker, and how community members were blacklisted and humiliated while fighting for their rights.

Compared to monetary loss, what makes 3D feel disheartened is the shaking of confidence in the industry. He admits that although he didn’t suffer the biggest loss, he is the angriest one — not because of the money, but because of being ignored and humiliated as a user. His experience reflects the common dilemma of countless DeFi participants — unclear rights and responsibilities, lack of channels for rights protection, and repeated erosion of moral bottom lines.

The following is the full content of the conversation:

BlockBeats: Please introduce yourself briefly, 3D.

3D: The name I use online is 3D, and my main work is still mining myself. I entered the circle back in 2017 during the ICO wave, but I really started focusing on DeFi and arbitrage from the DeFi Summer in 2020, and I also operate a YouTube channel focused on DeFi arbitrage — the 3D Crypto Channel.

BlockBeats: Currently, how much capital has been affected? How should the actual scale of losses be estimated or measured?

3D: The total amount of capital that can be seen so far is basically the size of the insurance pool - about 38 million dollars.

BlockBeats: So what proportion of Chinese users is there this time?

3D: I'm not very sure about this. However, the ones who stood up the most during this rights protection and spoke out the earliest were indeed me and Yishi. We essentially took the lead. Chinese users have been more concentrated in voicing their concerns. Of course, there are some English users as well, but the overall volume is significantly smaller.

The period after the theft of Resupply

BlockBeats: What is the current solution?

3D: Simply put, our principal directly lost 15.5%. The community actually hopes they take action, as the total loss this time is estimated to be around ten million dollars. One of their developers contributed about 1.5 million, and they took about 800,000 from the treasury, totaling just over 20%.

Their attitude is as if they are saying, 'Look, we lost money too, so stop pursuing us.' But the problem is, why don't you take this money to negotiate with the hacker? For example, 'If you return the money, we will consider this part as a white hat reward,' wouldn't that be a win-win situation? But they did nothing at all.

BlockBeats: Why did you choose to mine with this protocol back then?

3D: I joined the Resupply project around early April. At that time, I saw a long-time follower of mine posting related content on Twitter. Later, I saw that Curve's official account also retweeted it, which caught my attention.

In hindsight, from the project's operational logic, it is quite strange. It seems that it does not want to make money for itself, but rather to help Curve 'increase' the usage of crvUSD. Because crvUSD itself has no practical use, it forcibly created a use case through design mechanisms and then incentivized everyone to participate.

From our perspective as participants, this situation feels like an older brother trying to boost platform data by sending his 'little brother' to hold up the scene, and indeed Curve gave it some endorsement, so we didn't feel there was a problem at that time.

For people like us who engage in mining or arbitrage, when encountering new projects, we will first assess two key points: the first is the product itself, how does it actually operate? Where does the money you earn come from? The second is the background of the project party, meaning both 'on-chain' and 'off-chain' information need to be thoroughly researched. At that time, in my judgment, the logic of the Resupply product was relatively simple and straightforward.

BlockBeats: Who do you think should be responsible after the incident? What key decisions did the Resupply team make after the incident? How do their response processes compare to mature DeFi protocol platforms?

3D: I think their biggest problem in handling the aftermath is that they completely lack crisis awareness. They didn't even do the most basic things at the first moment. This is something everyone can check online, and Cosine has also mentioned: they neither publicly called out the hacker, nor issued announcements explaining the situation, nor initiated any legal or accountability mechanisms — not even an attempt to communicate with the hacker; it was completely laissez-faire.

Other projects at least issue announcements, pause contracts, contact white hats, and attempt to recover funds; none of these basic operations have been done. They acted as if nothing happened.

We also don't understand why the project party does not actively communicate with the community. The whole incident caused losses of nearly ten million, while their own team had a developer who only contributed about 1.5 million; plus the project treasury contributed about 800,000, which together only covers about 20% of the losses. No matter how you look at it, this is just a symbolic gesture, a drop in the bucket.

Their attitude is basically 'Look, we lost money too, so don’t bother us anymore.' But the problem is they clearly could have taken this money to negotiate with the hacker, clarifying that as long as you return the money, this amount would count as a white hat reward, and everyone would be happy. But they took no such measures.

3D's message on the Resupply official forum suggested trying to negotiate with the hacker using a white hat bounty, but he has yet to receive a response.

The first point is that they have been extremely passive, even completely inactive, in pursuing the hacker's assets. Several days have passed since the incident last Thursday, and there has still been no substantial progress.

The second point is their extremely arrogant and indifferent attitude towards the community. Once the incident happened, many of our users immediately went to Discord to inquire, but they directly defined it as 'the people in the insurance pool should bear the losses', leaving no room for basic discussion. We questioned their actions, stating that the documentation did not mention that users had to bear such losses, and as a result, we were mocked, attacked, and even directly banned.

They also said, 'You earned an annual return of 17%, so you have to bear the corresponding risk.' This logic simply doesn't hold; we only participated in a strategy with a 17% annual return, which does not mean we have to bear all the responsibility for the protocol being hacked.

The feedback in our group is very consistent: it's not the loss of money that hurts the most; the experience of being humiliated and blacklisted in Discord is even more infuriating. The strong reaction to this incident is fundamentally due to two core reasons: the project party's inaction and their contempt for users.

If they really can't afford to pay, they could make a clear statement, like taking out 3 million first, and then letting all users share the remaining 7 million proportionally; that would be better than the current situation. But their handling method is to directly 'pull out' the users in the insurance pool to bear all the responsibility. Their purpose in doing so is also very clear: to preserve the continued operation of the protocol and not let the project die.

The most ironic thing is that looking at the announcement they issued at that time, they hardly mentioned the amount of loss, only vaguely saying that they encountered vulnerabilities and suspended a market, while everything else continued as usual. This way of disclosing information is very irresponsible.

Even more seriously, the hacker minted ten million stablecoins at zero cost through a vulnerability and sold them on the market, directly breaking the originally over-collateralized mechanism, resulting in the stablecoins no longer having enough assets to support them. In this situation, the project party still did not pause the protocol, allowing users to withdraw their investments on their own.

The result is that those users who ran quickly withdrew, and those in the insurance pool were completely locked out due to a 7-day withdrawal delay. Even more absurdly, they initiated a new proposal to suspend withdrawals from the insurance pool, further freezing user assets. As for their claim that 'bad debts should be borne by the insurance pool', this has no precedent in DeFi protocols. They have once again crossed the industry's bottom line, showing no governance rationality at all.

BlockBeats: Have there been any projects in the past that used this insurance pool to bear losses?

3D: The insurance pool does not bear the bad debts at all.

There are only three ways to participate in the Resupply project: staking, cycle lending, and forming LPs. From a user expectation perspective, staking is where the most risk-averse people are, yet now they have to bear all the risks. The core issue lies in users' expectations of the insurance pool; we all believe we should only bear the bad debts caused by market fluctuations.

I likened the insurance pool to something that might not be very accurate, but it's roughly this meaning: it's like you bought a financial product on Binance, and then Binance was hacked, and it tells you, 'Didn't you come to deposit money? Then we all bear the loss together, especially you financial users.' In the end, the losses were solely deducted from the funds of financial users, with no impact on others.

In fact, there have been cases where some exchanges were hacked, and all users shared the losses proportionally, but this time it was not the case. They only allowed financial users to bear all the losses. Their logic is: 'If you want to earn a 2% annual interest, you must bear the responsibility for it.' Some even say 'there's no free lunch in the world,' meaning if you earned a 17% annual return, you deserve to bear the losses from this theft; such reasoning is absurd.

What role did Curve play in this storm?

BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. What kind of relationship do you think exists between Resupply and Curve? Do you think Curve's attitude of 'cutting ties' after the event is reasonable?

3D: I think this can be viewed on two levels. The first is the surface logic — this project is indeed serving Curve and is endorsed by Curve; it is also a project within the Curve ecosystem.

On the other hand, anyone with normal judgment would make a reasonable inference: looking at the design of this protocol, it is basically meant to provide services for Curve; in plain terms, it is a 'little brother' role. Otherwise, its existence is almost meaningless; its core logic is to use its own mining tokens to subsidize the protocol income of Curve.

You mention doing something selfless and purely supporting without expecting anything in return; unless it's true love, who would do that? Especially with its token, at that time I thought this project wouldn't last a month, because the overall story has no appeal. Ultimately, it was just to bring some new volume to Curve's stablecoin, without any substantial content.

But later, as you can see, the price actually stabilized and remained stable for a long time. I was wondering, who is propping this up? After thinking it over, the most reasonable explanation is that Curve itself is propping it up. Who benefits from it and who has the most motivation to stabilize the situation — this is common sense reasoning; although there is no solid evidence, anyone with a normal brain can probably think of this.

The price trend of Resupply's native token

Before the incident, Curve boldly claimed that this was a good project. Now that something has happened, they immediately distanced themselves, saying 'it's just an ecological project, has nothing to do with me.' This attitude is just like some news we often see: once something goes wrong, it's 'the temp workers' fault.' Now even we users have been banned; how serious has this situation become?

Without Curve's endorsement, Resupply could not have raised so much money. The reason we participated was not because of its development team — in fact, this team's reputation is not good. If they were just doing a project on their own, we definitely wouldn't have participated.

There are two real reasons that made us choose to participate: first, its business model revolves around Curve's stablecoin, which logically is helping Curve grow, making this binding relationship feel relatively safe; second, Curve's official acknowledgment of this project at that time, even endorsing it.

As for what you said about the project party having a bad history, it is indeed the case, but this time they did not change their name; instead, they continued to operate the project under their original identity, which to some extent can be considered a form of 'real-name' responsibility.

BlockBeats: Should Curve's official promotion and endorsement of Resupply bear joint responsibility in this incident? How do you view the conflict of interest between the ecological party's 'cutting ties' after the event and 'promoting beforehand'?

3D: I think Curve's 'cutting ties' behavior after the incident is completely unreasonable. Even if I am just a small KOL, if I have ever recommended a certain mining pool, even if I have not received a penny and have no interest relationship, if that mining pool has an issue, I would immediately speak out to tell those who follow me what the problem is and I would follow up.

When the Curve project was running normally at first, it actively endorsed it, but when the project had problems, it took on an attitude of 'it has nothing to do with me', just saying a few words of 'regret' and then completely distancing itself. This behavior is really hard to accept.

How to avoid pitfalls in mining?

BlockBeats: What is the biggest difficulty for current DeFi users in protecting their rights?

3D: The core of the problem lies in the unclear rights and responsibilities, coupled with the overall lack of regulation in the industry. In this case, protecting rights is actually very difficult.

If it's a US user, the situation might be slightly better. Because the US has extraterritorial jurisdiction, it can pursue accountability across borders through legal means, and it is even possible to recover some funds, and report losses to the government. But for us, there are basically no such channels.

BlockBeats: So what rights protection methods do these affected large holders currently have?

3D: No, otherwise who would want to be a clown on the internet?

After all, we really have no effective channels for rights protection. As long as the project party is determined to be irresponsible, users can only rely on themselves to voice their concerns and organize actions. For me, although the economic loss is not large, I reacted particularly strongly because I feel it is an insult. If all project parties adopt this attitude, then this industry simply cannot continue.

To be honest, this is really chilling. Today it's me who got scammed; tomorrow it might be you. As long as you're still in this circle, you will always encounter similar things. As the old saying goes: 'True heroism is choosing to love after seeing the truth.' We can only view this industry like this. Solving the problem relies on the project party having some moral bottom line, and it also requires the industry to have basic self-discipline.

BlockBeats: When the project just launched or is still in the promotional phase, what information do you prioritize checking?

3D: When a project just launches or is still in the promotional phase, I usually focus on several aspects.

The first is the business model. How does this project make money? Where does the profit come from? This is the most basic yet crucial question.

The second is on-chain information, which refers to the operation mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth, whether there are any 'bottlenecks' — for example, are there time locks for entering or exiting funds, or are high fees charged? These all directly relate to user experience and risk.

The third is off-chain information. I want to see if this team has done projects before, whether they are anonymous, whether they have institutional support, who is behind them, and whether I can find out some background information.

In addition, I would also actively go to the project party's Discord to chat, to see their response attitude and whether the team is reliable. Some people look at the audit reports, but I want to remind you: many of the projects that have gone wrong actually had audits done. An audit can at most show whether the project party is willing to spend money to go through the process; it does not mean the project is really safe.

BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanism, and stablecoin system?

3D: Curve's current situation is actually quite awkward. Its initial ecological position was mainly to solve the problem of liquidity depth in stablecoin trading on Uniswap V2. Because V2's constant product market-making mechanism performed poorly between stablecoins, it required a lot of funds to create depth. Curve proposed a smoother curve design at that time, focusing on stablecoin exchanges. You could say it established itself in DeFi based on this differentiation, as a basic infrastructure product, with a clear logic. But now, facing business pressure from Floyd, I feel it is on a downward slope, yet I still have confidence in the stablecoin system.

Recently, I have been particularly anxious. Although my personal losses this time are not substantial, the biggest blow to me is not the money, but the loss of confidence. I have been in this industry; I can't say I love it, but at least I have been invested for a long time. But now, I am starting to seriously doubt the sustainability of this industry — if all project parties act like this time, then the industry simply cannot continue.

Yishi withdrew all his mining assets; now he only plans to hold Bitcoin and won't touch anything else. You can imagine that our 15.5% loss is equivalent to wiping out a year's worth of annual mining returns. We were originally engaged in relatively low-risk strategies, not high-leverage schemes that earn dozens of times daily. Earning 15 points over a year, now it's gone in a day; who can bear that?