Resupply lost 9.6 million dollars due to a vulnerability, and yet users have to foot the bill?

Yishi on Resupply: "This is not a Black Swan Event, it is a man-made disaster, a serious negligence at the development level."

Written by: 1912212.eth, Foresight News

In recent years, the rapid development of the DeFi sector has attracted countless investors and developers, but its high-risk, high-return character has also produced recurring problems, above all hacker attacks that drain funds and have hurt many on-chain yield and arbitrage participants. On June 27, the DeFi protocol Resupply suffered a major security vulnerability that led to the theft of 9.6 million dollars, and the incident became widely known in the community because of the advocacy campaign launched by OneKey founder Yishi Wang.

Yishi, as one of the main investors of Resupply, publicly criticized the project's mistakes and called for relevant parties to take responsibility. His actions sparked widespread discussion within the community and even led to a heated confrontation with Curve founder Michael Egorov.

Contract vulnerability leads to users' funds being completely drained

Resupply is an emerging DeFi protocol aimed at attracting users and investors through innovative liquidity management and yield strategies. DeFi protocols typically implement automated management of liquidity pools via smart contracts, allowing users to deposit crypto assets to earn yields. However, the complexity of such protocols and code vulnerabilities often become targets for hacker attacks. Since its launch, Resupply has quickly attracted significant funds and attention with its high yield promises and collaborations with well-known DeFi projects such as Curve, Convex, and Yearn, managing hundreds of millions of dollars in assets before the theft incident occurred.

Wang Yishi, the founder of the cryptocurrency wallet company OneKey, is one of the top three investors in Resupply. According to his public statement on X, he personally invested several million dollars into Resupply. This attack not only caused significant financial losses but also brought enormous psychological pressure.

According to Yishi's analysis, the root cause of the event was the Resupply team's failure to burn the initial shares when deploying the new funding pool (vault), which left the ERC-4626 vault contract exposed to an "inflationary minting vulnerability" (the well-known first-depositor share-price inflation issue). This vulnerability allowed attackers to mint unlimited tokens at zero cost, thereby emptying the assets in the funding pool.

Yishi commented: "This is not a Black Swan Event, it is a man-made disaster, a serious negligence at the development level." He pointed out that this vulnerability was not exploited by external hackers using complex technical means, but rather a basic error in the team's code deployment. Such mistakes are particularly deadly in the DeFi space, as the immutability of smart contracts means that once a vulnerability is exploited, the losses are nearly irreparable.
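To make the deployment mistake described above concrete, here is an added, self-contained Python model of ERC-4626-style share accounting; it is illustrative code written for this article, not Resupply's contract or any real vault implementation. It models the two states the text contrasts: a vault launched without burned initial shares, and one where a deployment step seeds the vault and parks those shares at a conventional dead address (the `DEAD_ADDRESS` constant, `seed_vault` and `deployment_check` helpers are assumptions of this example). It then measures what a second depositor loses when the share price has been pushed up by a direct transfer of underlying before their deposit, which is how the rounding in `convertToShares` turns an empty vault into a loss for later users.

```python
from dataclasses import dataclass, field

# Conventional burn address used to park the initial shares (constructed example).
DEAD_ADDRESS = "0x000000000000000000000000000000000000dEaD"

WAD = 10**18  # one unit of an 18-decimal token


@dataclass
class Vault:
    """Minimal ERC-4626-style share accounting (illustrative model, not a real contract)."""
    total_assets: int = 0
    total_supply: int = 0
    balances: dict = field(default_factory=dict)

    def convert_to_shares(self, assets: int) -> int:
        # ERC-4626 rounds shares down; an empty vault mints 1:1.
        if self.total_supply == 0:
            return assets
        return assets * self.total_supply // self.total_assets

    def convert_to_assets(self, shares: int) -> int:
        if self.total_supply == 0:
            return shares
        return shares * self.total_assets // self.total_supply

    def deposit(self, who: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        # Underlying sent straight to the vault: raises totalAssets without minting shares.
        self.total_assets += assets


def seed_vault(vault: Vault, assets: int) -> int:
    """Deployment step the article says was skipped: mint initial shares and burn them."""
    return vault.deposit(DEAD_ADDRESS, assets)


def deployment_check(vault: Vault, min_dead_shares: int) -> bool:
    """Pre-launch check: the vault must already hold a floor of unrecoverable shares."""
    return vault.balances.get(DEAD_ADDRESS, 0) >= min_dead_shares


def run_scenario(seeded: bool, donation: int = 10_000 * WAD,
                 victim_deposit: int = 10_000 * WAD) -> dict:
    """Measure what a second depositor loses when the share price is inflated first."""
    vault = Vault()
    if seeded:
        seed_vault(vault, WAD)
    check_passed = deployment_check(vault, WAD)

    # First depositor holds a minimal position, then the share price is pushed up
    # by a direct transfer of underlying into the vault.
    vault.deposit("first", 1)
    vault.donate(donation)

    # Second depositor: convert_to_shares rounds down against the inflated price.
    shares = vault.deposit("second", victim_deposit)
    redeemable = vault.convert_to_assets(shares)
    return {
        "check_passed": check_passed,
        "victim_shares": shares,
        "victim_loss": victim_deposit - redeemable,
    }


if __name__ == "__main__":
    for seeded in (False, True):
        print("seeded" if seeded else "unseeded", run_scenario(seeded))
```

In the unseeded run the second depositor receives zero shares and their entire deposit becomes claimable by the holder of the single existing share; in the seeded run the burned shares absorb almost all of the donation, the second depositor's loss is a few wei of rounding, and `deployment_check` passes. The same floor on share supply is what OpenZeppelin's ERC-4626 virtual-share offset provides in code rather than as a manual deployment step, and depositors can add a minimum-shares-out check on their side as a second line of defence.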

Silence, gagging, and trying to make investors bear the losses

Blockchain hacking incidents happen constantly. Over the past few years, many public chains, DeFi projects, and exchanges have lived through the terrifying moments of a hacker attack, and their official teams usually respond promptly and reach out to the attacker at once. The Resupply team's handling, by contrast, is baffling: not only have they stayed silent towards the hackers, they have also "not yet conducted any technical tracing / white hat bounty-related work up to now."

Yishi revealed that the team did not immediately launch an investigation or report to the police, but instead tried to make investors bear the losses through the insurance pool, while also blocking the voices of skeptics in the official Discord server. As a major investor, Yishi felt "shocked and angry" after raising reasonable doubts, as the team unexpectedly muted him.

The latest proposal indicates that the project party will bear bad debts through an insurance pool

Faced with the inaction of the Resupply team and their attitude of suppressing dissent, Yishi chose to publicly defend his rights on platform X. He published a lengthy article detailing the background and consequences of the incident, specifically criticizing the negligence of the Resupply team. He emphasized that the design of the insurance pool is intended to address unpredictable Black Swan Events, rather than to compensate for the basic mistakes of the development team. He questioned, "If users have to bear the costs of development errors, then this is essentially a false insurance that robs the rich to give to the poor."

Yishi's rights protection actions are not only targeted at the Resupply team but also extend to the well-known DeFi protocols that collaborated with the project, such as Curve, Convex, and Yearn. He pointed out that these projects gained exposure and profits by providing liquidity support and endorsement for Resupply, and therefore should not stand idly by after the incident. In particular, Curve's stablecoin crvUSD played an important role in Resupply's liquidity pool. Yishi called on the developers and treasuries of these projects to jointly bear compensation responsibility and make up for investors' losses.

According to publicly available information, protocols related to this ecosystem have lost an average of 10 million dollars per year to theft in recent years, which has also raised community suspicions of self-theft.

  • In 2021, Yearn Finance lost approximately $11 million to a vulnerability in the contract's business logic. Attackers used a flash loan against liquidity that the protocol did not sufficiently protect, manipulating the fund pool to extract arbitrage profit.
  • In March 2023, Yearn Finance was hit for approximately $1.4 million by the hack of Euler Finance: Yearn had a financial exposure to Euler and suffered indirect losses, while its own contracts had no vulnerability.
  • On April 13, 2023, Yearn Finance lost approximately $11.6 million through a configuration error in the early iearn yUSDT contract, which pointed to the wrong asset pool (USDC instead of USDT). Attackers exploited this misconfiguration to mint a large amount of yUSDT and then cash out.
  • On March 28, 2024, Prisma Finance lost approximately 10 million USD through permission management and business logic vulnerabilities in a contract. Attackers deployed malicious contracts and drained funds through a sequence of operations that abused function permission issues and contract call defects.
  • On June 26, 2025, the Resupply Sub-DAO contract of Convex Finance was hit by a business logic vulnerability: attackers exploited the contract flaw to transfer funds out illegitimately, specifically because the contract did not sufficiently verify permissions or fund flows.

In addition, Yishi criticized the communication attitude of the Resupply team. He stated that the team not only lacked transparency but also mocked and banned investors who raised objections, which is a serious betrayal of community trust. He called on Resupply to develop a fair solution to refund users for losses caused by technical errors.

Soon, Yishi was attacked by anonymous individuals with private messages, posting discriminatory and mocking terms like ching chong, which sparked widespread discontent in the Chinese-speaking community.

Escalating Conflict: Confrontation with the Founder of Curve

Yishi's public rights protection quickly led to a direct conflict with Curve founder Michael Egorov. Prior to this, Curve Finance's official statement regarding this security incident stated, "Although Resupply was not developed by Curve developers, the creators of Resupply are highly capable and experienced, and we believe they will do their utmost to resolve this issue."

However, the event did not end there.

According to Yishi, Michael privately stated that he wanted to sue him, claiming that his comments "smeared Curve's reputation." This news sparked intense debate within the community on the X platform, with many believing that Curve, as a partner of Resupply, should bear some responsibility rather than suppress criticism through legal threats.

Yishi responded on X: "Michael said he would sue me for defaming Curve's reputation. What kind of behavior is this? Honest people deserve to be bullied, right?" He stated that while he respects Michael's efforts to mediate the situation, he will not give up on holding the responsible parties accountable.

As the incident escalated, some users began to link Yishi's personal rights protection actions with the OneKey brand, even accusing OneKey of "organizing public opinion attacks" against Resupply. In response to these accusations, OneKey issued a stern statement on June 29 on the X platform, clarifying that the company has never participated in or manipulated any public opinion attacks, and that Yishi's rights protection actions are part of his personal investment behavior and are unrelated to OneKey's business.

Summary

The Resupply event is not only a microcosm of Yishi's personal rights protection, but also reflects many problems exposed by the rapid development of the DeFi industry. Firstly, the security of smart contracts remains a core challenge for DeFi projects. Although the Resupply vulnerability seems trivial, similar incidents are not uncommon in the DeFi space. In 2024, global cryptocurrency losses due to hacking and fraud exceeded $2.2 billion, highlighting the urgent need to improve industry security standards.

Secondly, the handling of the Resupply team has exposed the shortcomings of DeFi projects in crisis management. The lack of transparency, suppression of dissent, and shirking of responsibility not only undermine investor trust but may also deal a devastating blow to the long-term development of the project. Yishi's actions to protect rights remind the community that investors have the right to hold the project accountable for technical failures, rather than passing the losses onto users.

The event also sparked discussions about partner responsibilities within the DeFi ecosystem. Projects such as Curve and Convex were embroiled in controversy due to their collaboration with Resupply, indicating that the interconnectedness of DeFi projects is both an advantage and a potential amplifier of risks. In the future, clarifying the allocation of responsibilities in ecological cooperation will be an important issue that the DeFi industry needs to address.
