A week has passed since the Resupply hack on June 26, when the DeFi protocol Resupply's stablecoin "wstUSR market" experienced a security vulnerability, resulting in a loss of approximately $9.6 million in crypto assets. "Walking by the river, how can one not get their shoes wet?" DeFi OG player 3D has released a series of videos on his YouTube channel over three consecutive days to advocate for rights. BlockBeats reached out to 3D to discuss his experiences as a victim of the hack and his reflections on the incident.
3D is one of the early users involved in mining this protocol, identifying himself as both a mining player and a content creator. In this interview, we heard his doubts, emotions, and some unspoken rules in the industry. He talked about Curve's "default endorsement," the project's passive response to hackers, and the process of being blacklisted and humiliated by the community while advocating for rights.
Compared to the financial loss, what saddened 3D the most was the erosion of confidence in the industry. He admitted that although he did not suffer the heaviest losses, he was the angriest— not because of money, but because of being ignored and humiliated as a user. His experience reflects the common plight of countless DeFi participants— unclear responsibilities, no avenues for rights protection, and a repeated retreat of moral bottom lines.
The following is the full content of the conversation:
BlockBeats: Please introduce yourself briefly.
3D: My online name is 3D, and my main work is still mining. I entered the space back in the 2017 ICO wave, but I really started focusing on DeFi and arbitrage from the DeFi Summer in 2020. I also run a YouTube channel focused on DeFi arbitrage— the 3D Crypto Channel.
BlockBeats: How much capital has been affected? How should the actual scale of losses be estimated or measured?
3D: The total scale of visible funds is basically the size of the insurance pool— about $38 million.
BlockBeats: What proportion of Chinese users is involved this time?
3D: I'm not very clear on that. However, the loudest and earliest voices advocating for rights have indeed been from me and Yishi; we were essentially leading the charge. The Chinese users have been more concentrated in their voices, while there are some English users, but overall, their volume is much smaller.
Time After Resupply Hack
BlockBeats: What is the current solution?
3D: Simply put, we directly lost 15.5% of our principal. The community really hopes they will take action, as the total loss this time is about $10 million. One of their developers contributed about $1.5 million, and they took about $800,000 from the treasury, which is just over 20% in total.
Their attitude seems to be saying, "Look, we lost money too, so stop pursuing us." But the question is, why don't you use this money to communicate with the hacker? For example, "If you return the money, we can give you this part as a white hat reward," wouldn't that be a win-win? But they did nothing of the sort.
BlockBeats: Why did you choose to mine this protocol initially?
3D: I got involved with the Resupply project around early April. I saw a long-time follower of mine post related content on Twitter, and then I noticed that Curve's official account also retweeted it, which caught my attention.
In hindsight, the operational logic of the project seemed quite strange; it didn't appear to be aimed at making money for itself but rather seemed to be helping Curve "boost" the usage of crvUSD. Because crvUSD itself has no real use, they created a use case through design mechanisms and incentivized participation.
From our perspective as participants, it felt like an older brother trying to boost platform data by having his "younger brothers" support the scene, and Curve did indeed provide some endorsement, so we didn't see any issues at the time.
For those of us involved in mining or arbitrage, we always evaluate two key points when encountering new projects: First, how does the product itself operate? Where does the money you earn come from? Second, the background of the project team, meaning we need to research both "on-chain" and "off-chain" information. In my judgment at the time, the logic of the Resupply product was relatively simple and straightforward.
BlockBeats: Who do you think should be responsible after the incident? What key decisions did the Resupply team make after the event? How do their response processes compare to mature DeFi protocol platforms?
3D: I think their biggest problem in handling the aftermath is that they completely lacked crisis response awareness. They didn't even do the most basic things at the first moment. This is something anyone can check online; even Yuxian mentioned it: they neither publicly addressed the hacker nor issued an announcement explaining the situation, nor did they initiate any legal or accountability mechanisms— they didn't even attempt to communicate with the hacker, completely neglecting the situation.
Other projects at least issue announcements, pause contracts, contact white hats, and attempt to recover funds; they didn't do any of these basic operations. They acted as if nothing had happened.
We also find it hard to understand why the project team did not actively communicate with the community. The entire incident led to losses close to $10 million, while one of their developers only contributed about $1.5 million, and the project treasury provided about $800,000, covering only about 20% of the losses. This seems merely symbolic, a "gesture."
Their attitude is basically, "Look, we lost money too, so don't bother us anymore." But the problem is they could have taken that money to negotiate with the hacker, clarifying that as long as the money is returned, it could be considered a white hat reward, and everyone would be happy. But they completely failed to take such measures.
3D's comment on the official Resupply forum, suggesting an attempt to negotiate with the hacker using a white hat reward; it has not received a response.
The first point is that they have been extremely passive in pursuing the hacker's assets, even completely inactive. Several days have passed since the incident last Thursday, and there is still no substantial progress.
The second point is their attitude towards the community is extremely arrogant and indifferent. When the incident broke, many of us users immediately went to Discord to inquire, but they directly stated that "the insurance pool users should bear the losses," leaving no room for basic discussion. When we questioned their approach, saying that the documentation did not state that users needed to bear such losses, we were met with ridicule, attacks, and even direct bans.
They also said, "You earned a 17% annual yield, so you must bear the corresponding risks." This logic is fundamentally flawed; we merely participated in a strategy with a 17% annual yield, which does not mean we should be fully responsible for the protocol being hacked.
The feedback in our group was unanimous: it wasn't the financial loss that hurt the most, but the experience of being humiliated and blacklisted in Discord that was more infuriating. The strong reaction to this incident stems from two core reasons: the project's inaction and their contempt for users.
If they truly cannot afford the losses, they could clarify their stance, for example, by initially offering $3 million and letting the remaining $7 million be shared proportionally among all users, which would be better than the current situation. But their handling method was to directly "pull out" the insurance pool users to bear all the responsibility. Their clear intention was to preserve the continued operation of the protocol and prevent the project from dying.
The most ironic part is that in their announcement at the time, they barely mentioned the amount of loss, only vaguely stating that they encountered a vulnerability and paused one market, while everything else continued as usual. This manner of information disclosure is extremely irresponsible.
More seriously, the hacker exploited the vulnerability to mint $10 million in stablecoins at zero cost and sell them on the market, directly breaking the originally over-collateralized mechanism, leaving the stablecoins without sufficient assets to back them. In this situation, the project team still did not pause the protocol, allowing users to withdraw their funds.
The result was that those who acted quickly withdrew, while the insurance pool users were completely locked out due to a 7-day withdrawal delay. Even more absurdly, they initiated a new proposal to suspend withdrawals from the insurance pool, further freezing user assets. As for their claim that "bad debts should be borne by the insurance pool," there is no precedent for this in DeFi protocols. They have once again crossed the industry's bottom line, showing no governance rationality whatsoever.
BlockBeats: Have there been any previous projects where the insurance pool bore the losses?
3D: There has never been a case where the insurance pool bore the bad debts.
There are only three ways to participate in the Resupply project: staking, looping loans, and forming LPs. From the user's expectations, staking is the group seeking stability, yet now they are expected to bear all the risks. The core issue lies in users' expectations of the insurance pool; we all believed we would only bear losses caused by market fluctuations.
I made an analogy about the insurance pool at the time, which might not be very precise, but it conveys the idea: it's like you bought a financial product on Binance, and then Binance got hacked, and they tell you, "Aren't you here to deposit money? Then let's share the losses together, especially you users who bought the financial products." In the end, the losses would only be deducted from the funds of the financial product users, while others would not be affected.
In fact, in some previous exchange hacks, all users shared the losses proportionally, but this time it was different. They only made the financial product users bear all the losses. Their logic is: "If you want to earn a 2% annual interest, you must take responsibility for it." Some even said, "There is no free lunch in the world," implying that if you earned a 17% annual yield, you deserve to bear the losses from this hack, which is an outrageous statement.
What Role Did Curve Play in This Incident?
BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. What do you think is the relationship between Resupply and Curve? Do you think Curve's "cut-off" attitude after the incident is reasonable?
3D: I think this can be viewed from two levels. The first is the surface logic— this project indeed serves Curve and is endorsed by Curve; it is also a project within the Curve ecosystem.
On the other hand, anyone with a bit of judgment would make a reasonable inference: the design of this protocol is basically to provide services for Curve, in other words, it plays the role of a "younger brother." Otherwise, its existence is almost meaningless; its core logic is to use its own mining tokens to subsidize Curve's protocol revenue.
You might say that such selfless, purely blood-transfusing actions, unless out of true love, who would do it? Especially considering its token, I thought at the time that this project wouldn't last a month because the overall story was not attractive; it was essentially just to bring some new volume to Curve's stablecoin, with no substantial content.
But then you see, the price actually stabilized and remained stable for a long time. I was thinking, who is propping this up? After much thought, the most reasonable explanation is that Curve itself is supporting it. Who benefits from this, and who has the most motivation to stabilize the situation— this is common sense reasoning. Although there is no solid evidence, anyone with a normal mind could probably think of this.
Price trend of Resupply's native token
Before the incident, Curve publicly stated that this was a good project, but now that something has happened, they immediately distanced themselves, saying, "It's just an ecological project, unrelated to me." This attitude is just like what we see in some news: once something goes wrong, it's "the temp worker's fault." Now even we users have been banned; you can see how serious this situation has become.
Without Curve's endorsement, Resupply would not have been able to raise so much money. The reason we participated was not because of its development team— in fact, this team's reputation is not good. If they were just doing a project on their own, we definitely wouldn't have participated.
The real reasons that led us to choose to participate are twofold: first, its business model revolves around Curve's stablecoin, which logically means helping Curve grow. This binding relationship feels relatively safe; second, Curve's official acknowledgment of this project at the time, even taking actions to endorse it.
As for the project's dark history, it is indeed there, but this time they did not change their name; instead, they continued to operate under their original identity, which in a way can be seen as a form of "real-name" accountability.
BlockBeats: Should Curve's official promotion and endorsement of Resupply bear joint responsibility in this incident? How do you view the conflict of interest between the ecological party's "post-incident distancing" and "pre-incident promotion"?
3D: I think Curve's "cut-off" behavior after the incident is completely unreasonable. You see, even if I am just a small KOL, if I have ever recommended a mining pool, even if I haven't received a penny and have no vested interest, if that mining pool encounters problems, I would immediately speak up to inform my followers about the issues and follow up.
Curve was actively endorsing the project when it was running normally, but when problems arose, they took an attitude of "it's none of my business," saying a few words of "regret," and then completely distanced themselves. Such behavior is really hard to accept.
How to Avoid Pitfalls in Mining?
BlockBeats: What is the biggest difficulty for DeFi users in protecting their rights currently?
3D: The core issue lies in unclear rights and responsibilities, coupled with the lack of regulation in the entire industry. In this situation, protecting rights is actually very difficult.
If it were American users, the situation might be slightly better. Because the U.S. has long-arm jurisdiction, they can pursue accountability across borders through legal means, and it might even be possible to recover some funds and report losses to the government. But for us, there are basically no such channels.
BlockBeats: What rights protection methods do these affected large holders currently have?
3D: None, otherwise who would want to be a clown on the internet?
Ultimately, we have no effective channels for rights protection. As long as the project team is determined not to take responsibility, users can only rely on themselves to speak out and organize actions. For me, although the economic loss this time is not large, my reaction is particularly strong because I feel it is an insult. If all project teams hold this attitude, then this industry cannot continue to operate.
To be honest, this is really disheartening. Today it's me being scammed, tomorrow it could be you. As long as you are still in this circle, you will always encounter similar situations. As the old saying goes: "True heroism is choosing to love after seeing the truth." We can only view this industry in this way. Solving the problem requires, on one hand, that project teams have some moral bottom line, and on the other hand, that the industry has basic self-discipline.
BlockBeats: When a project is just launched or still in the promotional phase, what information do you focus on verifying?
3D: When a project is just launched or still in the promotional phase, I usually focus on several aspects.
First is the business model. How does this project make money? Where does the profit come from? This is the most basic but also the most critical question.
Second is the on-chain information, which refers to the operational mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth, and whether there are any "bottlenecks"— for example, are there time locks on fund entry and exit, or are there high fees? These directly relate to user experience and risk.
Third is the off-chain information. I want to see if this team has done projects before, whether they are anonymous, whether there are supporting investment institutions, who is behind it, and whether I can find out some background information.
In addition, I will also actively chat in the project's Discord to see their response attitude and whether the team is reliable. Some people will look at audit reports, but I want to remind you: many projects that have encountered problems have also undergone audits. An audit can at most indicate whether the project team is willing to spend money to go through the process; it does not represent that the project is truly safe.
BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanisms, and stablecoin systems?
3D: Curve's current situation is actually quite awkward. Its initial ecological position was mainly to solve the problem of liquidity depth in stablecoin trading on Uniswap V2. Because V2's constant product market-making mechanism performs poorly between stablecoins, a lot of capital is needed to create depth. Curve proposed a smoother curve design at that time, focusing on stablecoin exchanges. You could say it initially established itself in DeFi through this differentiation, and as an infrastructure product, the logic is very clear. But now, with the business pressure from Floyd, I feel it is on a downward slope, although I still have confidence in the stablecoin system.
I have actually been particularly anxious lately. Although my personal loss this time is not large, the biggest blow to me is not the money, but the confidence. I have been in this industry for a long time; I can't say I love it, but at least I have been invested for a long time. But now, I am starting to seriously doubt the sustainability of this industry— if all project teams behave like this, then this industry cannot continue.
Yishi has withdrawn all his mining, and now he only plans to hoard Bitcoin, not touching anything else. You see, our 15.5% loss this time is equivalent to a year's worth of mining annual yield going to zero. We were originally pursuing a relatively low-risk strategy, not some high-leverage, daily profit-making scheme. After a year of hard work earning 15 points, now it's all gone in a day; who can bear that?