It has been a week since the Resupply hack. On June 26, a security vulnerability in the DeFi protocol Resupply's stablecoin "wstUSR Market" led to a loss of approximately $9.6 million in crypto assets. As the saying goes, "If you walk by the river long enough, you will eventually get your shoes wet." DeFi OG player 3D has posted videos on his YouTube channel for three consecutive days seeking justice. BlockBeats contacted 3D to discuss his firsthand experience as a victim of the hack and the events that followed.
3D was one of the early users to participate in this protocol's mining activities. He is both a miner and a content creator. During the interview, we heard his doubts, emotions, and some unspoken rules of the industry. He mentioned Curve's "default endorsement," the project team's passive response to the hacker, and the community's experience of being ostracized and humiliated during the pursuit of justice.
Beyond the monetary loss, what truly disheartened 3D, as he shared, was his shaken confidence in the industry. He admitted that while he was not the heaviest loser financially, he was the angriest, not because of the money but because users were disregarded and humiliated. His experience reflects the common plight of countless DeFi participants: unclear responsibilities, no avenues for justice, and a continuous erosion of ethical boundaries.
Below is the full transcript of the conversation:
BlockBeats: Please introduce yourself briefly, 3D.
3D: My online alias is 3D, and my main activity is mining. I entered the scene during the 2017 ICO boom, but I truly focused on DeFi and arbitrage starting with the DeFi Summer in 2020. I also run a YouTube channel dedicated to DeFi arbitrage—3D Crypto Channel.
BlockBeats: How much in funds is estimated to have been lost? How would you gauge the actual scale of the loss?
3D: The total visible fund size we can currently see is essentially the size of the insurance pool—approximately $38 million.
BlockBeats: What percentage of the affected users are Chinese speakers?
3D: I'm not very clear about this. However, in terms of speaking out and advocating for our rights, Yishi and I were the ones with the loudest voices and the earliest to speak up. We were essentially at the forefront. The Chinese user community was more concentrated in expressing their opinions, although there were also some English users, but overall, the volume of their voices was relatively much smaller.
BlockBeats: What is the current solution?
3D: Simply put, we directly lost 15.5% of our principal. The community actually hoped that they would take action because this time the total loss was approximately ten million U.S. dollars. One of their developers contributed about 1.5 million, and they took out about 800,000 from the treasury. To clarify, this was just over 20% of the total loss.
Their attitude was like saying, "Look, we also lost money, so don't pursue this any further." But the question is, why didn't they take this money to communicate with the hacker? For example, "Return the money, and we will use this part as a white hat reward for you." Wouldn't that be a win-win situation? But they didn't do that at all.
BlockBeats: Why did you choose to mine with this protocol in the first place?
3D: I got involved with the Resupply project around early April. At that time, I was scrolling through Twitter and saw a post from someone I have been following for a long time. Later on, I also saw Curve's official account retweeting it, which caught my attention.
In hindsight, looking at the project's operational logic, it was quite peculiar. It didn't seem like they were in it to make money for themselves but rather to help boost the usage of crvUSD for Curve. Because crvUSD itself doesn't have much practical use, they designed a mechanism to forcefully create a use case and then incentivize everyone to participate.
From the participants' perspective, it was like a big brother trying to manipulate the platform's data and getting their "underling" to keep up appearances, and Curve indeed gave them a certain endorsement. So, at that time, we didn't see any issues with it.
For people like us who are into mining or arbitrage, when encountering a new project, we usually first assess two key points: first, the product itself, how does it work? Where does the money you earn come from? Second, the background of the project team, the so-called "on-chain" and "off-chain" information all need to be thoroughly researched. In my assessment at the time, the logic of Resupply's product was relatively straightforward and intuitive.
BlockBeats: Who do you think should take responsibility after the incident? What key decisions did the Resupply team make after the incident? Compared to mature DeFi protocol platforms, what are the significant gaps in their response process?
3D: I think their biggest problem in post-incident handling was a complete lack of crisis response awareness. They didn't even do the most basic things at the first moment. Everyone can find this online, as even CZ mentioned: they neither publicly called out the hacker, nor issued a statement explaining the situation, nor initiated any legal or accountability mechanisms—there was not even an attempt to communicate with the hacker, it was total negligence.
Other projects would at least issue a statement, pause the contract, contact white hats, attempt to recover funds; these basic operations were not done. They acted as if nothing had happened.
We also don't understand why the project team did not actively communicate with the community. The entire incident led to a loss of nearly ten million, while their own team only contributed around 1.5 million, plus the project treasury provided about 800,000, covering only about 20% of the losses. However you look at it, this was merely symbolic, a drop in the bucket.
Their attitude was basically, "Look, we lost money too, don't bother us anymore." But the problem is they could have taken this money and negotiated with the hacker, explaining that as long as the funds were returned, it would be considered a white hat reward, a win-win situation. Yet they did not take any such measures.
(Image: 3D's message on the official Resupply forum, suggesting an attempt to negotiate with the hacker through a white hat reward; it never received a response.)
The first point is that they have been extremely passive, even completely inactive, in reclaiming the hacker's assets. From the incident last Thursday until now, several days have passed, and there has been no substantial progress.
The second point is their extremely arrogant and indifferent attitude towards the community. As soon as the incident occurred, many of us users went to Discord to inquire, but they directly asserted that "people in the insurance pool will bear the losses," not even providing a basic discussion space. When we questioned their approach, stating that the documentation did not mention that users needed to bear such losses, we were met with sarcasm, attacks, and even direct bans.
They also said, "You earned a 17% annualized return, so you have to bear the corresponding risk." This logic simply doesn't hold up; we only participated in a 17% APY strategy, which does not mean we should bear full responsibility for the protocol being hacked.
The feedback from our group is unanimous. It's not just about losing money; what's most distressing is the experience of being shamed and blacklisted on Discord. The reason this event triggered such a strong reaction lies in two core factors: the inaction of the project team and their disdain for the users.
If indeed they cannot afford to compensate fully, they could have been transparent about it. For example, they could have taken out 3 million first, leaving the remaining 7 million to be proportionally shared by all users. This would have been a better approach than what they did. However, their course of action was to directly single out the users from the insurance pool to bear the entire responsibility. Their objective in doing so was clear: they wanted to salvage the continued operation of the protocol and prevent the project from dying.
Most ironic was how, in their announcement at the time, they hardly mentioned the amount lost, merely mentioning in passing that there was a vulnerability found, one market was paused, while the rest continued as usual. This manner of information disclosure was highly irresponsible.
Even more serious was that the hacker exploited the vulnerability to mint 10 million stablecoins at zero cost and dumped them on the market. This directly broke the mechanism of over-collateralization, rendering the stablecoin without sufficient asset backing. In this scenario, the project team still chose not to halt the protocol, leaving users to withdraw their funds at their own discretion.
The outcome was that the swift users exited, while those in the insurance pool were left completely locked in due to a 7-day withdrawal delay. To make matters worse, they initiated a new proposal to pause withdrawals from the insurance pool, further freezing user assets. As for their statement that "the bad debts should be borne by the insurance pool," there is simply no precedent for this in a DeFi protocol. Once again, they crossed the industry's bottom line, displaying a total lack of governance reasonability.
BlockBeats: Did any project in the past use this insurance pool to cover losses?
3D: The insurance pool has never covered bad debts at all.
Participation in this Resupply project had only three gameplay options: staking, flash loans, and providing LP. In practice, judging from user expectations, the stakers were the most risk-averse group inside, yet now they have to bear all the risk. The core issue lies in users' expectations of the insurance pool. We all believed it should only cover bad debts caused by market fluctuations.
Regarding the insurance pool, at the time, I made an analogy that might not be entirely accurate but roughly conveys the idea. It's like if you bought a wealth management product on Binance, and then Binance got hacked. Instead of compensating you, it tells you, "Weren't you here to deposit money? Well, let's all bear the loss together, especially you wealth management users." In the end, the losses are deducted only from the wealth management users' funds, with no impact on others.
In the past, some exchanges were actually hacked, and all users shared the losses proportionally. However, this time is different. They only made yield farmers bear all the losses. Their logic was: "If you want to reap a 2% annualized interest, you have to take responsibility for it." Some even said "There's no such thing as a free lunch," meaning if you took a 17% annualized return, you deserve to bear the loss from this hack, which is totally unreasonable.
BlockBeats: You mentioned that you participated in the Resupply due to trust in Curve, so what do you think is the relationship between Resupply and Curve? Do you think Curve's "cutting ties" attitude after the event is reasonable?
3D: I think this can be viewed from two perspectives. First is the surface logic—the project indeed served Curve, also endorsed Curve, and was itself a project within the Curve ecosystem.
But on the other hand, a person with some normal judgment would make a reasonable inference: you look at the design of this protocol, it's basically meant to serve Curve, in plain words, it plays a "sidekick" role. Otherwise, its existence is almost meaningless because its core logic is to use its own token to subsidize Curve's protocol revenue.
You would ask, who would do such a selfless, purely altruistic act without seeking a return? Unless it's true love, why would anyone do it? Especially its token, at that time I felt this project couldn't last a month because the overall story had no appeal, in the end, it was just to bring some new volume to Curve's stablecoin, lacking substantial content.
But then, you see, its price surprisingly held steady for a long time. I was thinking, who was providing the bottom support? After much thought, the most reasonable explanation is that Curve itself was supporting it. Who benefits from this, who has the most motivation to stabilize the situation—this is common-sense reasoning, although there's no solid proof, but as long as your brain is functioning normally, you can probably think of this.
(Chart: Resupply native token price trend)
Before the incident, Curve was boasting about how this was a good project, and now that something has happened, they immediately disassociate themselves, saying, "It's just an ecosystem project, nothing to do with me." This attitude is just like some of the news we usually see: as soon as something goes wrong, it was "done by a temporary worker." Now even we, the users, have been banned, how serious has this matter become?
If it weren't for Curve's endorsement, Resupply wouldn't have been able to raise so much money in the first place. The reason we participated was not because of its development team—actually, this team doesn't have a good reputation at all. If it were just them doing a project on their own, we definitely wouldn't have participated.
What truly led us to choose to participate were two reasons: one, its business model revolves around Curve's stablecoin, which logically equates to aiding Curve's growth. This binding relationship made us feel relatively secure. Two, Curve's official team also openly acknowledged this project at the time, even going as far as endorsing it.
As for your mention of the project team having a shady past, that is indeed true. However, this time they didn't change their identities but continued the project under their original names, which can be seen as a kind of "real-name" accountability to some extent.
BlockBeats: Should Curve bear joint responsibility for Resupply's official promotion and endorsement in this incident? How do you view the conflict of interest between the ecosystem's "post-event disassociation" and "pre-event promotion"?
3D: I believe Curve’s post-incident behavior of distancing themselves is entirely unreasonable. Even if I were just a small KOL, if I had previously recommended a mining pool, even if I didn't receive any payment, didn't have any financial interest, and that pool ran into trouble, I would still speak up immediately and inform my followers about the current issues and that I will follow up.
When the Resupply project was running smoothly, Curve actively endorsed it, but when the project encountered problems, they took a "not my problem" attitude, expressed a few words of "regret," and then distanced themselves completely. Such behavior is really hard to accept.
BlockBeats: What is the biggest hurdle for DeFi users in safeguarding their rights?
3D: The core issue lies in unclear rights and responsibilities, coupled with the overall lack of regulation in the industry. In such a scenario, safeguarding rights is indeed very challenging.
If it were U.S. users, the situation might be slightly better. This is because the U.S. has extraterritorial jurisdiction, which allows them to pursue legal action across borders, potentially recovering some funds, declaring losses to the government. But for us, there are essentially no such channels.
BlockBeats: So what are the options for these large holders who have suffered losses to safeguard their rights currently?
3D: No, otherwise who would want to be a clown on the Internet?
In the end, we simply don't have any effective channels for safeguarding our rights. As long as the project team is determined to be irresponsible, users can only rely on themselves to speak out and organize actions. This event, to me, while the economic loss is not significant, triggered a particularly strong reaction because I felt it was an insult. If all project teams adopt this attitude, then this industry simply cannot continue to operate.
To be honest, this is really quite disheartening. Today it's me who was scammed, tomorrow it could be you. As long as you're in this circle, you will always encounter similar situations. As the saying goes: "True heroism is remarkably sober, very undramatic. It is not the urge to surpass all at whatever cost, but the urge to serve others at whatever cost." We can only view this industry this way. To solve the problem, on the one hand, we need project teams to have a bit of moral bottom line, and on the other hand, the industry also needs basic self-regulation.
BlockBeats: When a project has just launched or is still in the promotion phase, what information do you focus on verifying?
3D: When a project has just launched or is still in the promotion phase, I usually focus on several aspects.
First is the business model. How does this project make money? Where does the profit come from? This is the most basic yet crucial question.
Second is on-chain information, which is the operation mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth, whether there are any "bottlenecks" — for example, whether there are time locks on incoming and outgoing funds, or whether high fees are charged. These directly affect user experience and risk.
Third is off-chain information. I want to see if the team has done any previous projects, whether they are anonymous, if there is any investment institution support, who is behind them, and whether it's possible to find out some background information.
In addition, I will also proactively chat with the project team on Discord to see their response attitude and whether the team is reliable. Some people may look at audit reports, but I want to remind everyone of one thing: many projects that have had issues actually underwent audits. At most, an audit can only show whether the project team is willing to spend money to go through the process, but it does not represent the project is truly secure.
BlockBeats: Do you still have confidence in the Curve ecosystem, insurance mechanism, and stablecoin system?
3D: Curve's current situation is actually quite awkward. Its original ecosystem positioning was mainly to address Uniswap V2's issue with stablecoin trading depth. Because V2's constant product market-making mechanism did not perform well between stablecoins, a lot of funds were required to provide depth. Curve then proposed a smoother curve design, focusing on stablecoin exchange. One could say that it initially stood firm in DeFi based on this differentiation, serving as an infrastructure product with clear logic. However, under the business pressure from Fluid, I feel it is on a downward trajectory. Nevertheless, I still have confidence in the stablecoin system.
I've actually been feeling quite anxious recently. Although my personal loss this time isn't significant, the biggest blow to me from this incident is not the money, but rather my confidence. I've been in this industry for a while, not to say that I'm extremely passionate about it, but at least I've been deeply involved for a long time. However, now I'm seriously doubting the sustainability of this industry—if all project teams are like this one this time, then this industry simply can't continue.
Yishi pulled out all of the mining rigs, and now only plans to hold Bitcoin, not touching anything else. Think about it, our 15.5% loss this time is equivalent to wiping out the annualized mining rewards for a year. Our original strategy was relatively low-risk, not some high-leverage, earn-multiples-daily type of play. Earn 15 basis points in a year through hard work, and now it's all gone in a day. Who can handle that?