Indexed from: http://www.bee.com/ru/52952.html

Resupply incident review: Hackers at large, users forced to fill holes, security incident turns into racial discrimination scandal | Bee Network

Analysis · updated 8 months ago by Wyatt

Original | Odaily Planet Daily ( @OdailyChina )

Author | Dingdang ( @XiaMiPP )

On June 26, the wstUSR market under the decentralized stablecoin protocol Resupply was reported to have been hacked, and approximately US$9.5 million in assets were transferred.

In the cryptocurrency world, such incidents are not uncommon, and the amount stolen from Resupply is not even remarkable, yet it has caused controversy in the community. In particular, the project team did not try to recover the hacker's funds, hold anyone accountable, report the incident to the police, or offer a bounty; instead, it used community assets to fill the hole. As a result, the community's anger intensified. OneKey founder Yishi, SlowMist founder Yu Xian and other crypto figures spoke out against the project team, and the governance dispute even escalated into accusations of racial discrimination.

Odaily Planet Daily will start from the whole incident, sort out the root causes of the conflict, and clarify the positions of all parties.

1. Attack process: borrowing millions of dollars against 1 wei of collateral

Resupply is a decentralized stablecoin protocol built around crvUSD, and its underlying structure depends heavily on the Curve ecosystem's trading pool structure, interest rate model and asset peg logic. By attracting liquidity through trading pairs such as crvUSD-wstUSR, the project accumulated tens of millions of dollars in locked positions in a short period of time.

From its code, governance logic and treasury access methods, Resupply looks like an independent high-rise, but it is actually deeply rooted in the two major DeFi infrastructures Curve and Convex. It is generally believed that it shares development resources with Convex, and there are even rumors that it was secretly incubated by the core development team.

This relationship became the starting point of controversy after the incident.

On June 26, security company BlockSec first discovered abnormal fund flows in Resupply and initially estimated the loss to be $9.5 million.

The attack path was then dissected: the attacker exploited a structural design error in Resupply's deployment of the wstUSR vault. Specifically, by feeding carefully constructed parameters into the Controller contract, the attacker drove the exchangeRate to zero, so the collateral check failed and all liquidation and risk-control mechanisms were bypassed.

With only 1 wei as collateral, the attacker borrowed a large amount of reUSD, converted the proceeds into ETH and mixed them through Tornado Cash. The assets lost were worth about US$9.5 million. Yu Xian, the founder of SlowMist, described this as an interest rate inflation vulnerability.

Resupply released a post-mortem of the attack on June 28. It stated that the attack on Resupply's crvUSD-wstUSR trading pair caused about $10 million in reUSD bad debt, but that the vulnerability existed only in that specific token pair; other token pairs were not affected and the Resupply market continued to operate as usual. The debt limit of the affected pair has been set to 0 and insurance pool withdrawals have been suspended; a formal governance vote is required to lift the suspension. The problematic code had passed multiple security audits, and independent researchers had been hired to review the code base, but the problem was never reported. The stolen funds are still on-chain, the situation is being monitored, and necessary measures will be taken.

The vulnerability itself is not complicated, but it breaks through the protocol's core security boundary. The real controversy, however, starts with the project's remedial measures.
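To make the failure mode concrete, here is an added toy model (written for this review; it is not Resupply's, Curve's or Convex's code, and the names ShareVault, exchange_rate, is_solvent_guarded, WAD and MAX_LTV, as well as all numbers, are constructed assumptions). It shows how a controller that derives its collateral exchange rate from an ERC-4626-style share price with integer division can see that rate truncate to zero when the vault holds only dust shares, which is the "initial shares not burned" condition Yishi raises later in the article. Once the rate is zero, a solvency check of the form "debt converted at the rate must not exceed collateral times max LTV" passes for any debt against 1 share. The two guards shown are the ones a reviewer would ask for: refuse to price collateral at a zero rate, and seed the vault with virtual (or burned) shares so a small vault cannot push the share price into the range where the rate truncates.

```python
# Added example, not Resupply's code: a toy lending controller whose collateral
# exchange rate is derived from an ERC-4626-style share price with truncating
# integer division, plus the two guards that close the resulting gap.
from dataclasses import dataclass

WAD = 10**18                     # 1e18 fixed-point scale (assumption)
MAX_LTV = 90 * WAD // 100        # 90% maximum loan-to-value (constructed value)


@dataclass
class ShareVault:
    """ERC-4626-style accounting (hypothetical). virtual_shares=0 models a vault
    whose seed shares were never burned; a positive value models 'virtual
    shares', which has the same effect as burning seed shares at deployment."""
    total_assets: int
    total_shares: int
    virtual_shares: int = 0

    def assets_per_share(self) -> int:
        # WAD-scaled share price; // mimics Solidity's truncating division
        return self.total_assets * WAD // (self.total_shares + self.virtual_shares)


def exchange_rate(vault: ShareVault) -> int:
    """Collateral shares per debt unit, WAD-scaled (1 asset == 1 debt unit assumed).
    If the share price exceeds WAD*WAD the division truncates to 0."""
    return WAD * WAD // vault.assets_per_share()


def is_solvent_unguarded(collateral_shares: int, debt: int, rate: int) -> bool:
    # Debt expressed in collateral shares; rate == 0 makes any debt look like 0.
    debt_in_shares = debt * rate // WAD
    return debt_in_shares * WAD <= collateral_shares * MAX_LTV


def is_solvent_guarded(collateral_shares: int, debt: int, rate: int) -> bool:
    # Hardened: a zero rate is a broken price feed, not a solvent borrower.
    if rate == 0:
        raise ValueError("exchange rate truncated to zero; refuse to price collateral")
    debt_in_shares = debt * rate // WAD
    return debt_in_shares * WAD <= collateral_shares * MAX_LTV


def scenario(virtual_shares: int) -> dict:
    """Vault holding 100 tokens against a single dust share (constructed numbers),
    then a borrower posting 1 share and asking for 1,000,000 debt units."""
    vault = ShareVault(total_assets=100 * WAD, total_shares=1,
                       virtual_shares=virtual_shares)
    rate = exchange_rate(vault)
    result = {"rate": rate,
              "unguarded": is_solvent_unguarded(1, 10**6 * WAD, rate)}
    try:
        result["guarded"] = is_solvent_guarded(1, 10**6 * WAD, rate)
    except ValueError as exc:
        result["guarded"] = str(exc)
    return result


if __name__ == "__main__":
    # Dust vault: rate is 0, the unguarded check approves the position.
    print("no virtual shares:  ", scenario(0))
    # Seeded vault: rate stays positive and both checks reject the position.
    print("10**6 virtual shares:", scenario(10**6))
```

The controller-side guard is the cheap fix and catches the symptom regardless of where the share price came from; the vault-side seeding removes the cause by making the share price insensitive to a single dust share. A real deployment needs both, plus a minimum-collateral floor, since the guard alone still lets a rate of 1 wei through.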

2. Remediation by the project party: Governance proposal becomes "cutting leeks"?

On June 29, the official team of the Resupply protocol initiated a remedial measures proposal in the community, declaring that it would quickly restore the protocol's operation through community consensus.

The specific contents of the proposal are as follows:

Phase 1: Take immediate governance action

Insurance Pool (IP) token destruction: At the time of writing the proposal, the total outstanding bad debt is 7,131,168 reUSD after the Resupply Protocol Treasury, Convex Treasury, and C2tP have paid out 2,868,832 reUSD.

The proposal specifically provides that:

6,000,000 reUSD of bad debt will be burned through the insurance pool, accounting for 15.5% of the 38.7 million reUSD in the insurance pool.

The protocol will address the ongoing bad debt to reduce the amount owed by the insurance pool. Overall, this is $4 million less than the amount of bad debt originally owed by the insurance pool.

The remaining bad debt ($1,131,168) will be repaid through a mix of future revenue sources such as, but not limited to, protocol fees and/or a potential RSUP off-market sales program to be determined at a later date by the Finance or Governance Department.

IP Withdrawal Period:

The team is making every effort to shorten the mandatory lock-up period of user funds in the insurance pool. To this end, the voting period for this Resupply update will be shortened to 3 days.

By utilizing a shorter voting window, the DAO can make a quick on-chain decision on the proposal for the benefit of depositors and reach a final resolution within the initial 7-day IP cooldown period.

The DAO may choose to extend the regular voting period to 7 days after the close of this proposal, or explore other options such as different voting times for standard and emergency votes.

Phase 2: Insurance Pool Retention Plan

Overview: The IP Retention Program applies to users who are depositors in the insurance pool at the time of this proposal and who are slashed in Phase 1 above. It is not intended to offset slashing, although it may or may not do so; rather, it is intended to incentivize remaining in the insurance pool after slashing through additional liquid RSUP tokens. Opt-in is the default, but users can opt-out at any time if they decide not to participate.

Opting out will redistribute the additional inflow of RSUP to the remaining shares. This proposal requires the deployment of contracts; rewards will be issued at a later date once the contracts have been reviewed and deployed.

Project Revenue Source: A dedicated RSUP release receiver will be created for the retention program.

If passed, the proposal commits the DAO to distribute a total of 2.5 million to recipients over 52 weeks.

The core of the above proposal can be interpreted as:

6 million reUSD in the insurance pool were burned to hedge against bad debts

The remaining $1.13 million of bad debt will be repaid from future contract revenues

Issue streaming RSUP rewards to users who stay in the insurance pool to stabilize confidence

Suspend withdrawal channels, shorten voting cycles, and speed up governance

The proposal is ostensibly a quick “community collaboration”, but the community generally views it as an “unnegotiated user payment mechanism”.

The insurance pool was originally intended to deal with market fluctuations, not project deployment vulnerabilities, and the proposal did not mention recovering the hacker's funds, accountability, reporting to the police, or a bounty. The project's first reaction was to use community assets to fill the hole rather than to establish responsibility for the vulnerability.

Governance has become a tool for “shifting responsibility”.

3. Community anger: victims or scapegoats?

After the attack, Resupply's Discord group exploded. When some large LPs asked "why the insurance pool should pay for technical errors", they were even kicked out or banned by the administrators.

User dissatisfaction is concentrated in three aspects:

Institutional level: The protocol documentation does not state that the insurance pool needs to cover development errors, but the project party unilaterally changed its use after the fact.

Governance level: Governance proposals were pushed forward in a hurry, and users were not given enough room for participation and discussion.

Emotional level: After the attack, the project team showed neither empathy nor responsibility, but instead focused on controlling risk, public opinion and emotions.

For example, on June 27, OneKey founder Yishi spoke publicly for the first time, demanding that Curve provide a fair solution to every investor and return the user funds lost due to the project party's serious technical errors.

He revealed that he was one of the three largest investors in Resupply and had lost millions of dollars. He believed the attack was caused by a structural error: the initial shares were not burned when the ERC-4626 vault was deployed, so the attacker could mint unlimited shares at almost zero cost and drain the vault.

He also pointed out that the project not only tried to pass the losses on to insurance pool users, but also banned reasonable questioners in the Discord group. He said that Curve, Convex and Yearn had all supported Resupply in technology, governance or resources, and should not lightly disassociate themselves afterwards.

Community member @2233 3D posted a video accusing the Resupply team of various derelictions of duty, chiefly: adopting an appeasement policy after a hack caused by a low-level error in the contract; not pausing, not reporting, and not offering a bounty; kicking and muting people in Discord; and claiming that the losses should be borne by users of an insurance pool that was meant to protect against market volatility.

Yu Xian, the founder of SlowMist, added: "The project owner is the first in history who has not made any statement or expressed his position on the bounty. If I were the attacker, I would also be confused. Why hasn't the project owner expressed his position? Am I a black hat hacker or a white hat hacker?"

The governance dispute even escalated into racial discrimination. On June 28, OneKey founder Yishi posted that he had encountered the overtly racist phrase "chixx choxx" when communicating with project members, which provoked great public anger. The phrase is widely regarded as an insult to the Chinese community. Many people in the industry immediately launched a "Slash" action in support of Yishi, emphasizing that racial discrimination is unforgivable in any context.

Curve founder Michael wants to sue: Not a bystander, but a victim?

Yishi said in a tweet on June 28 that Michael had said he would sue him, accusing him of defaming Curve's reputation; Yishi expressed his dissatisfaction, saying that honest people deserve to be bullied.

Michael's supporter @HaowiWang responded publicly that this is no longer a debate about who is right and who is wrong, but an attack on systemic trust in the Curve brand. He listed Yishi's "five major crimes":

1. Malicious defamation and fabrication of facts: Yishi repeatedly attributed the Resupply incident to Curve in social networks and on Twitter, implying that it had actual control responsibility and misleading the public;

2. Damage to reputation: As a public figure, Yishi directly or indirectly named Curve, causing the project to suffer a crisis of trust in the Chinese community;

3. Organized manipulation of KOCs to spread false information: They can mobilize a large number of KOCs/KOLs in the OneKey ecosystem to guide public opinion and construct a narrative of Curve as an accomplice;

4. The intention of exerting pressure to cover the losses is obvious: through slogans such as "Curve is the biggest beneficiary" and "no response is acquiescence", moral pressure is created in an attempt to make Curve cover the losses;

5. The chain of evidence is complete: tweets, screenshots, group chat records, forwarding network chains, etc., constitute the minimum threshold required for prosecution.

On the 29th, OneKey officially issued a statement clarifying that it has never instigated, organized or manipulated any KOL or user in any form to launch a public opinion attack on Curve or any other project. OneKey will pursue legal responsibility for the malicious accusations and false statements spread by some individuals on social platforms and will not tolerate them. In addition, the founder, Mr. Yishi, participated in the investment entirely in his personal capacity; no official OneKey resources were involved in the project. At the same time, all OneKey products are open source designs, without backdoors, and have been fully audited by professional security teams such as SlowMist.

On the 30th, OneKey founder Yishi posted a screenshot showing he had been blocked by Curve Finance, captioned "Graduated".

Conclusion: After the crisis, what remains is not a protocol, but cracks

The Resupply incident started as a hacker attack and eventually evolved into a comprehensive crisis surrounding governance responsibilities, community communication, racial discrimination and brand ethics.

This is not the first time DeFi has been attacked, nor will it be the last. But it may be the first time that the community has been pushed into the position of loss bearer without a response from the hacker or an apology from the project.

In the DeFi world, the basis of trust is not the white paper or the audit report, but the project party's first response after an incident. Governance proposals may be able to repair the protocol, but they cannot repair a torn community. The protocol is still running, but the trust is gone and will not come back.

This article is sourced from the internet: Resupply incident review: Hackers at large, users forced to fill holes, security incident turns into racial discrimination scandal
