Interview with Resupply victims, who is responsible for the $9.6 million?


A week has passed since Resupply was hacked. On June 26, a security breach hit the "wstUSR Market" of the stablecoin DeFi protocol Resupply, resulting in the loss of roughly $9.6 million in crypto assets. "If you walk along the river often enough, your shoes will get wet": DeFi OG 3D posted rights-protection videos on his YouTube channel for three days in a row, and BlockBeats sat down with 3D, a first-hand witness of the loss, to review the series of events that followed the theft.


3D is one of the earliest users to mine on this protocol; he is both a mining player and a content creator. In this interview we heard his doubts, his emotions, and some of the industry's unspoken rules that are rarely discussed openly. He talked about Curve's "tacit endorsement", the project team's passive response to the hacker, and how community members were banned and humiliated while trying to defend their rights.


Compared with the money lost, what chilled 3D, by his own account, was the shaking of his confidence in the industry. He admits that although he did not lose the most, he is the angriest, not because of the money but because users were disregarded and humiliated. His experience reflects a dilemma shared by countless DeFi participants: unclear rights and responsibilities, no channel for redress, and a moral bottom line that keeps being pushed lower.


Here's the full conversation:


BlockBeats: Please give a brief introduction of yourself.


3D: The name I use online is 3D. My main job at the moment is mining for myself. I have been in the space since the 2017 ICO round, but I really started to focus on DeFi and arbitrage from DeFi Summer in 2020. I also run a YouTube channel focused on DeFi arbitrage, 3D Crypto Channel.


BlockBeats: How much money has been lost so far? How should the scale of the actual loss be estimated or measured?


3D: The total amount visible at the moment is basically the size of the insurance pool, about $38 million.



BlockBeats: What percentage of the affected users are Chinese this time?


3D: I don't know exactly. But this time the loudest and the first to speak out for rights protection were indeed me and Yishi; we were essentially taking the lead. Chinese users are more concentrated in voicing this. Of course there are some English-speaking users too, but their overall volume is relatively small.



What happened after Resupply was hacked


BlockBeats: What's the current solution?


3D: To put it simply, we lost 15.5% of our principal. The community would have liked them to take action, as the total loss was about $10 million. One developer on their team contributed about 1.5 million, and they took about 800,000 from the treasury, which is just over 20% in total.


Their attitude is like, "You see, we've lost money too, so stop pursuing it." But the question is, why don't they use that money to negotiate with the hacker? For example, "Return the funds and we'll reward you with this portion as a white hat"; wouldn't everyone be happy? But they didn't do that at all.


BlockBeats: Why did you choose this protocol for mining in the first place?


3D: I got involved in the Resupply project around the beginning of April. At the time, while scrolling through Twitter, I saw someone I have followed for a long time post about it, and later saw that Curve's official account retweeted it, which caught my attention.


In hindsight, the project's logic looks odd: it doesn't seem to want to make money on its own, but rather to help Curve "boost" the usage of crvUSD. Since crvUSD itself has no practical use, they designed a mechanism to force a use case, then used incentives to guide people to participate.



From our perspective as participants, it is like a big brother who wants to pump platform data asking his "little brother" to support the show, and Curve did give it some endorsement, so we didn't think anything was wrong with it at the time.


For those of us doing mining or arbitrage, when we encounter a new project we first evaluate two key points. The first is the product itself: how does it work, and where does the money you earn come from? The second is the background of the project team, that is, the so-called "on-site" and "off-site" information. In my judgment at the time, Resupply's logic was relatively simple and intuitive.


BlockBeats: Who do you think is responsible after the incident? What key decisions did the Resupply team make after it happened? Compared with mature DeFi protocols, what are the obvious gaps in their response process?


3D: I think the biggest problem with how they handled the aftermath is that they have no sense of crisis response at all. They didn't even do the most basic things at the outset. Everyone can find this online, and Boss Cosine also mentioned it: they neither publicly called out the hacker, nor issued an announcement explaining the situation, let alone activated any legal or accountability mechanism. They didn't even try to communicate with the hacker; it was completely laissez-faire.


At the very least, other projects make announcements, pause contracts, contact white hats, and try to recover funds. None of this was done. It's as if it never happened.


We also don't understand why the project team doesn't actively communicate with the community. The whole incident led to a loss of nearly 10 million, and their own team contributed only about 1.5 million from one developer, plus about 800,000 from the project treasury, covering about 20% of the loss. No matter how you look at it, this is just a symbolic gesture, a drop in the bucket.


Their attitude is basically "You see, we're losing money too, so stop bothering us." But the problem is that they could obviously use that money to negotiate with the hacker and make it clear that as long as the funds are returned, the money will be treated as a white-hat reward, and everyone would be happy. But they didn't take that step at all.


3D's post on the official Resupply forum suggested negotiating with the hacker in the form of a white-hat bounty, but it has received no reply


First, they were extremely passive, even completely inactive, in recovering the hacked assets. It has been several days since the incident last Thursday, and there is still no substantive progress.


Second, they are extremely arrogant and indifferent toward the community. As soon as the incident came out, many of our users went to Discord right away to ask, but they flatly declared that "the people in the insurance pool bear the losses", with no room for basic discussion. We questioned this approach, pointing out that the documentation never stated that users should bear such losses, only to be ridiculed, attacked, and even banned.


They also said, "You're making 17% annualized returns, so you're taking the risk." This logic simply doesn't hold: just because we're participating in a 17% annualized strategy doesn't mean we're fully liable for the protocol being hacked.


The feedback in our group was unanimous: losing money was not the most uncomfortable part; the experience of being humiliated and banned in Discord was more infuriating. There are two core reasons this incident triggered such a strong reaction: the project team's inaction and their contempt for users.


If they really can't afford to cover the loss, they could at least make their attitude clear, for example by putting up 3 million first and leaving the remaining 7 million to be shared proportionally by all users, which would still be better than now. But their way of dealing with it is to single out the insurance pool users and make them bear full responsibility. Their purpose in doing this is clear: keep the protocol running and don't let the project die.


The most ironic thing is that the announcement they issued at the time barely mentioned the amount of the loss. It only said lightly that they had encountered a vulnerability, paused one market, and that everything else continued as usual. That is very irresponsible.


More seriously, the hacker used the vulnerability to mint 10 million stablecoins at zero cost and dumped them on the market, directly breaking the original overcollateralization mechanism, so that there was no longer enough asset backing behind the stablecoin. Even so, the project team still did not pause the protocol and left users to handle withdrawals on their own.


As a result, users who acted fast got out, while the vault pool was completely locked because of the 7-day withdrawal delay. Even more outrageous, they then launched a new proposal to suspend insurance pool withdrawals and freeze user assets further. As for their claim that "bad debt should be borne by the insurance pool", there is no precedent for this at all among DeFi protocols. They have once again broken through the industry's bottom line, and there is no rationality in their governance at all.


BlockBeats: Has any project ever used an insurance pool like this to cover losses before?


3D: There is no precedent at all for an insurance pool bearing hacker bad debt.


There are only three ways to participate in Resupply: staking, looping loans, and providing LP. In fact, from the perspective of user expectations, stakers are the most conservative group in it, yet now they have to bear all the risk. The core issue lies in users' expectations of the insurance pool: what we all understood was that it bears only bad debt caused by market fluctuations.


I made an analogy about the insurance pool at the time, which may not be very precise, but roughly: it's as if you bought a wealth management product on Binance, Binance got hacked, and it told you, "Aren't you here to deposit money? Then everyone bears the loss, especially those of you who bought wealth management products." In the end the lost money is deducted only from those users' funds, and everyone else is unaffected.


In fact, some exchanges have been hacked in the past and all users bore the losses proportionally, but this time that's not what happened. They make only the wealth-management users bear the entire loss. Their logic is, "If you want to earn 2% per annum, you have to be liable for it." Some people even say "there's no such thing as a free lunch", meaning that if you take 17% annualized yield you deserve to bear the loss from this hack, which is outrageous.


What role did Curve play in this turmoil?


BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. So what do you think the relationship between Resupply and Curve is? Do you think Curve's attitude of "cutting ties" after the incident is reasonable?


3D: I think it can be seen on two levels. The first is the surface logic: this project does serve and support Curve, and it is a project in the Curve ecosystem.


But on the other hand, anyone with normal judgment will reason it out: you can see that the design of this protocol is basically to provide services to Curve; to put it bluntly, it plays the role of "little brother". Otherwise its existence is almost meaningless, since its core logic is to subsidize Curve's protocol revenue with its own mining token.


Who would do something like this, asking nothing in return and purely giving a blood transfusion, unless it's true love? Especially its token: at the time I thought the project wouldn't last a month, because the overall story wasn't attractive. In the final analysis it was just bringing some new inflow to Curve's stablecoin, with no substance.


But then you see the price stabilized, and stayed stable for a long time. I kept thinking, who is behind this? Come to think of it, the most plausible explanation is that Curve is doing it itself. Whoever benefits is the one most motivated to stabilize the situation. This is common-sense reasoning; there is no hard evidence, but anyone with a clear head can probably figure this out.


Resupply native token price action


Before the incident, Curve was shouting that this was a good project, but now that something has happened it immediately distances itself, saying "It's just an ecosystem project, it has nothing to do with me". This attitude is the same as some of the news we usually see: once something happens, it was "a temporary worker". Now even we, the users, have been banned; how far do you think this has gone?


Without Curve's endorsement, Resupply would not have been able to raise that much money. We weren't involved because of its development team, which actually didn't have a good reputation. If it were just them doing a project alone, we definitely wouldn't have participated.


There are two reasons we really chose to participate: first, its business model revolves around Curve's stablecoin, which is logically equivalent to helping Curve grow, and this binding relationship made people feel relatively safe; second, Curve officially recognized the project at the time, and even endorsed it.


As for you saying the project team has a black history, that's true, but this time they didn't switch identities; they continued to do the project under their original identities, which can be regarded, to some extent, as taking responsibility "under their real name".


BlockBeats: Does Curve's official promotion and endorsement of Resupply make it jointly liable in this case? How do you view the conflict of interest between the ecosystem side's "ex-ante promotion" and "post-facto disavowal"?


3D: I don't think Curve's "cutting ties" after the incident is entirely reasonable. If I had once recommended a certain mining pool, even without a penny of interest in it, and something happened to that pool, I would be the first to speak out and tell the people who follow me what went wrong, and I would follow up.


Curve actively endorsed the project when it was running normally at the start, but when the project went wrong it adopted a "nothing to do with me" attitude, said a few words of "regret", and then brushed it off. That is really unacceptable.


How to avoid pitfalls in mining?


BlockBeats: What is the biggest difficulty in defending the rights of DeFi users today?


3D: The heart of the problem is the lack of clarity and the lack of regulation in the industry itself. In a case like this, it is actually very difficult to defend your rights.


If you're a U.S. user, the situation might be slightly better. Because the United States has long-arm jurisdiction, it can pursue liability across borders through legal means, and it may even be possible to recover some funds and report losses to the government. But for us, there is basically no such channel.


BlockBeats: So what channels do these badly damaged large holders currently have to defend their rights?


3D: None. Otherwise who would want to play the clown on the Internet?


At the end of the day, we simply don't have any effective channels to defend our rights. As long as the project team is determined to be irresponsible, users can only rely on their own voices and organize themselves. For me, although the financial damage was not great, I reacted particularly strongly because I felt it was an insult. If every project team has this attitude, then there's no way to keep playing in this industry.


To be honest, it's really chilling. Today it was me who got burned; tomorrow it may be you. As long as you're still in this circle, you will keep running into similar things. As the old saying goes, "There is only one kind of heroism: to see life as it is and still love it." That's the only way we can look at the industry. To solve the problem, on one hand it depends on project teams having a moral bottom line, and on the other hand the industry needs basic self-discipline.


BlockBeats: What information do you focus on when a project is new or still in its promotion period?


3D: When a project has just launched or is in the promotion phase, I usually focus on a few things.


First, the business model. What exactly does this project make money from? Where is the source of profit? This is the most basic but also the most critical question.


Second, on-site information, that is, the operating mechanism of the protocol itself: whether funds flow in and out smoothly, whether there are "sticking points" such as a time lock on deposits or withdrawals, or high fees. These relate directly to user experience and risk.


Third, off-site information. I want to see whether this team has done projects before, whether it is anonymous, whether it has backing from investment institutions, who is behind it, and whether I can get some background information.


In addition, I will proactively chat in the project team's Discord to see whether their responsiveness and the team are reliable. Some people look at audit reports, but I would remind you that many of the projects that have blown up had actually been audited. At most, an audit shows whether the project team was willing to spend money to go through the process; it does not mean the project is really safe.


BlockBeats: Do you still have confidence in the Curve ecosystem, the insurance mechanism, and the stablecoin system?


3D: Curve is in an awkward position. Its original niche was primarily to solve Uniswap V2's problem with stablecoin trading depth. Because V2's constant-product market-making mechanism does not perform well between stablecoins, it takes a lot of capital to build depth. At the time, Curve proposed a smoother curve design focused on stablecoin swaps. It can be said that it relied on this differentiation to gain a foothold in DeFi from the start, and as an infrastructure product its logic is clear. But now its business is under pressure and I think it's going downhill. I still have confidence in the stablecoin system, though.


I've actually been very anxious lately. Although I didn't lose much personally this time, the biggest blow to me was not money but confidence. I've always been in this industry; I can't say how much I love it, but at least I've been committed to it for a long time. But now I'm starting to have serious doubts about the sustainability of the industry. If all project teams were like this, the industry could not continue.


Yishi has withdrawn from all the mines and now plans only to stock up on bitcoin and touch nothing else. Think about it: our 15.5% loss this time is equivalent to a full year's annualized mining return going straight to zero. What we were doing was a relatively low-risk strategy, not high-leverage, ten-fold-a-day gains. We earned 15 points in a year and it's gone in a day; who can stand that?
