Regarding the incident with @ResupplyFi, many people have various associations and emotions. Here are a few points I would like to make, hoping to help clarify some context:
First of all, the @CurveFinance team did not participate in the development of Resupply. This has been publicly clarified by @newmichwill, and no one from Curve is involved in this project. Moreover, Resupply itself is a SubDAO of @yearnfi, which is also stated on their official Twitter. Resupply chose crvUSD as one of its underlying assets, which is a decision made by the protocol and does not imply any substantial connection to Curve.
Nevertheless, this is still a regrettable event. The developer of Resupply, @C2tP, ultimately donated over $1.39 million out of his own pocket to repay bad debts, and this responsible attitude is commendable.
On the other hand, I would also especially like to thank @ohyishi, the boss, and the supervisory role he represents. His observations, criticisms, and concerns regarding Prisma, Resupply, and even Curve on Twitter are very important. In the world of DeFi, without these individuals who continuously raise questions, we would not see the risks and thus would not be able to progress.
Whether positive or negative, these voices make the protocol aware of users' concerns and teach the project team how to express, govern, and respond to the community more clearly. The role represented by Yishi is itself a contribution. This is not just about technical correctness but also about mutual reminders of values.
From DeFi Summer to today, we have witnessed many innovations and experienced numerous setbacks. The birth of Uniswap, Aave, and Curve is the result of a series of experiments that were not afraid of failure. However, in recent years, more and more protocols have chosen to be conservative and avoid innovation, as a new contract could mean hundreds of thousands or even millions of dollars in risk.
This stagnation is, in fact, a greater risk.
We should not only commemorate the past DeFi Summer but also ask: Can we create it again? Can we allow failure, protect innovation, and learn collectively?
Finally, I would like to clarify: I have no affiliation with the Resupply team and have not participated in any of its mining activities. These are merely my observations and thoughts as an observer, DeFi participant, and builder.
Seeing the OneKey boss fighting for his rights against Resupply after losing several million in assets, I can't help but sigh that DeFi is really too fragile. After looking around, it seems that no one has explained clearly how the hacker attacked, so I did some research myself and want to share it with everyone:
The main character of the story is ResupplyPair, where users can borrow by staking assets. The isSolvent modifier in the contract is responsible for checking whether the user is eligible to borrow the requested assets, and the specific code logic is as follows:
You can see the calculation of ltv on line 282. If we can set _exchangeRate to 0, then the check will always pass, right? Continuing to read the code:
You can see that this variable comes from the oracle's getPrices call, and it is in the denominator. In other words, we need to make the price of collateral extremely high.
By reading the oracle's code, we can see that getPrices is just a layer of forwarding, and it actually calls the convertToAssets interface of the staked asset (i.e., the vault). Continuing to read the code:
You can see that this result consists of very complex mathematical operations. Here, the hacker amplified the numerator, further affecting total_assets, completing the attack. By checking the implementation of the _total_assets function, we can find that:
This value is related to the borrowed_token held by the controller contract of this vault, which is crvUSD.
At this point in the analysis, it becomes clear that ResupplyPair was created using an empty vault. The hacker transferred a certain amount of borrowed_token to the controller contract of the vault, ultimately causing _exchangeRate to drop to zero, thereby infinitely amplifying the value of their staked assets and borrowing up to 10 million reUSD at a very low cost.
Attack transaction:
ResupplyPair contract address:
Vault controller contract address:
Vault contract address:
Oracle contract address:
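As an added illustration (not code from the thread or from Resupply's contracts), this Python models the chain walked through above in integer arithmetic: a donation to a near-empty vault inflates the share price, that price sits in the divisor of _exchangeRate and floors it to zero, and the LTV check then passes for any borrow; a hardened variant refuses a zero rate. The scale constants, formulas, sample amounts and the mitigation are assumptions.

```python
# Added illustration, not code from the thread or Resupply's contracts. Models, in
# Solidity-style integer arithmetic, the chain the thread describes: vault share
# price -> oracle price -> _exchangeRate (price as divisor) -> LTV solvency check.
# All scales, formulas and the hardened rule below are assumptions.

EXCHANGE_PRECISION = 10**18  # assumed _exchangeRate scale (1e18 = 1 share per crvUSD)
LTV_PRECISION = 10**5        # assumed LTV scale (1e5 = 100%)
MAX_LTV = 95_000             # assumed 95% maximum LTV

def vault_share_price(total_assets: int, total_supply: int) -> int:
    """convertToAssets(1e18) for an ERC-4626-style vault (assumed formula).
    total_assets counts tokens merely transferred to the vault's controller,
    which is what lets a donation inflate the price of a near-empty vault."""
    if total_supply == 0:
        return 10**18  # empty vault: 1 share == 1 asset
    return 10**18 * total_assets // total_supply

def exchange_rate(price: int) -> int:
    """_exchangeRate as shares of collateral per borrow-token unit (assumed).
    The oracle price is the divisor, so a price above 1e36 floors the rate to 0."""
    return EXCHANGE_PRECISION * 10**18 // price

def is_solvent(borrow: int, collateral: int, rate: int, hardened: bool = False) -> bool:
    """LTV check of the form the thread describes: borrow * rate / collateral.
    hardened=True adds the defensive rule (assumed mitigation) that a zero rate
    means the oracle output is unusable, so the position counts as insolvent."""
    if hardened and rate == 0:
        return False
    if borrow == 0:
        return True
    if collateral == 0:
        return False
    ltv = borrow * rate * LTV_PRECISION // (EXCHANGE_PRECISION * collateral)
    return ltv <= MAX_LTV  # with rate == 0, ltv == 0 and the check always passes

def scenario(total_assets: int, total_supply: int, borrow: int, collateral: int) -> dict:
    """Run one borrow request through both the naive and the hardened check."""
    rate = exchange_rate(vault_share_price(total_assets, total_supply))
    return {"rate": rate,
            "naive_ok": is_solvent(borrow, collateral, rate),
            "hardened_ok": is_solvent(borrow, collateral, rate, hardened=True)}

if __name__ == "__main__":
    E18 = 10**18
    # Constructed values: healthy vault, 500 crvUSD borrowed against 1000 shares.
    print("healthy :", scenario(1050 * E18, 1000 * E18, 500 * E18, 1000 * E18))
    # Constructed values: one share outstanding, 2000 crvUSD donated to the
    # controller, then 10M reUSD requested against that single share.
    print("inflated:", scenario(1 + 2000 * E18, 1, 10_000_000 * E18, 1))
```

The inflated case is the failure mode to monitor for: any pair whose oracle price exceeds the exchange-rate scale yields a rate of zero, which a solvency check must treat as an error rather than as "no debt".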