
Resupply hacked for $9.6M due to vulnerability—now asking users to foot the bill?
Yishi attacks Resupply: This is not a black swan event, it's a man-made disaster, severe negligence at the development level.
By: 1912212.eth, Foresight News
In recent years, the rapid development of the DeFi sector has attracted countless investors and developers. However, its high-risk, high-reward nature frequently leads to serious issues—such as recurring hacking incidents that have plagued many on-chain investors and arbitrageurs. On June 27, the DeFi protocol Resupply suffered a critical security vulnerability that led to the theft of $9.6 million. This incident gained widespread attention in the community largely due to a public accountability campaign initiated by Wang Yishi (Yishi Wang), founder of OneKey.
As one of Resupply's major investors, Yishi publicly criticized the project team’s negligence and called for stakeholders to take responsibility. His actions sparked broad discussion within the community, even escalating into a heated confrontation with Michael Egorov, founder of Curve.
Contract Vulnerability Leaves User Funds Completely Drained
Resupply is an emerging DeFi protocol aiming to attract users and investors through innovative liquidity management and yield strategies. DeFi protocols typically use smart contracts to automate fund pool operations, allowing users to deposit crypto assets and earn returns. However, the complexity of these systems and potential code flaws often make them prime targets for hackers. Since launch, Resupply rapidly amassed significant capital and attention thanks to its high-yield promises and integrations with prominent DeFi projects like Curve, Convex, and Yearn. Prior to the hack, it managed hundreds of millions of dollars in assets.
Wang Yishi, founder of cryptocurrency wallet company OneKey, was among Resupply’s top three investors. According to his public statements on X, he personally invested millions of dollars into Resupply. The attack caused not only substantial financial loss but also severe psychological stress.
According to Yishi’s analysis, the root cause lies in Resupply’s failure to burn initial shares when deploying a new vault, resulting in an “inflationary minting vulnerability” in the contract’s use of the ERC-4626 standard. This flaw allowed attackers to mint unlimited tokens at zero cost, enabling them to drain all assets from the vault.
Yishi commented: "This isn’t a black swan event—it’s a man-made disaster, a grave oversight at the development level." He emphasized that this wasn't a sophisticated external exploit, but rather a basic coding error during deployment. Such mistakes are particularly fatal in DeFi because the immutability of smart contracts means losses are nearly irreversible once exploited.
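To show why burning initial shares at deployment matters, here is a simplified Python model of ERC-4626 share accounting. It is an added example, not Resupply's contract code, and the class, function names and amounts are all constructed for illustration. It runs the same sequence against an unseeded vault and against one whose deployer burned initial shares, and compares how integer rounding treats a later depositor.

```python
# Simplified model of ERC-4626 share math: integer division rounds down, as in Solidity.
# Amounts and account names are constructed for illustration only.
DEAD = "0xdead"  # burn address whose shares can never be redeemed

class Vault:
    def __init__(self, seed_assets=0):
        self.total_assets = 0
        self.total_supply = 0
        self.shares = {}
        if seed_assets:
            # Deployment-time mitigation: deposit, then lock the minted shares forever.
            self.deposit(DEAD, seed_assets)

    def convert_to_shares(self, assets):
        if self.total_supply == 0:
            return assets  # empty vault: 1 share per asset unit
        return assets * self.total_supply // self.total_assets

    def convert_to_assets(self, shares):
        if self.total_supply == 0:
            return 0
        return shares * self.total_assets // self.total_supply

    def deposit(self, owner, assets):
        minted = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += minted
        self.shares[owner] = self.shares.get(owner, 0) + minted
        return minted

    def donate(self, assets):
        # A direct token transfer raises assets without minting any shares.
        self.total_assets += assets

def scenario(seed_assets):
    v = Vault(seed_assets)
    v.deposit("first", 1)             # smallest possible first deposit
    v.donate(10_000)                  # share price inflated by direct transfer
    minted = v.deposit("later", 9_999)
    return {
        "later_shares": minted,
        "later_value": v.convert_to_assets(v.shares["later"]),
        "first_value": v.convert_to_assets(v.shares["first"]),
    }

def ready_for_deposits(vault, min_dead_shares=1_000):
    # Deployment check: refuse to open a vault that has no burned initial shares.
    return vault.shares.get(DEAD, 0) >= min_dead_shares
```

In the unseeded run the later depositor's shares round down to zero and the single existing share claims the whole pool; with 1,000 burned shares the same deposit keeps nearly all of its value and the inflating transfer is mostly absorbed by the locked shares.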
Silence, Censorship, and Attempts to Shift Losses Onto Investors
Hacking incidents occur constantly across blockchains, DeFi protocols, and exchanges. In most cases, official teams promptly respond and immediately communicate with attackers. However, Resupply’s handling of the situation has been baffling—remaining silent toward the hacker and failing to conduct technical forensics or white-hat bounty efforts to this day.

Yishi revealed that instead of launching an investigation or reporting the crime, the team attempted to shift the losses onto investors via an insurance pool, while simultaneously silencing critics in the official Discord server. When Yishi raised reasonable questions as a major investor, he was unexpectedly banned—an act he described as “shocking and infuriating.”

The latest proposal shows the project intends to cover bad debt using the insurance pool
In response to Resupply’s inaction and suppression of dissent, Yishi chose to speak out publicly on X. He published a detailed post outlining the incident and directly criticizing the team’s negligence. He stressed that insurance pools are designed to handle unpredictable black swan events—not to cover up fundamental development errors. He questioned: "If developer mistakes can always be paid for by users, then this so-called insurance is nothing more than robbing the rich to pay the poor."
Yishi’s advocacy extended beyond Resupply to include well-known DeFi partners such as Curve, Convex, and Yearn. He argued that these projects benefited from increased exposure and revenue by providing liquidity support and endorsements to Resupply, and thus should not remain indifferent after the incident. This applied particularly to Curve, whose stablecoin crvUSD played a key role in Resupply’s vaults. Yishi urged these projects’ developers and treasuries to jointly bear compensation responsibilities to reimburse investors.
Public data indicates that related protocols have lost around $10 million annually in recent years, fueling community suspicions of insider misconduct.
- 2021 – Yearn Finance: ~$11 million lost due to a logic flaw in the contract; attacker used flash loans to manipulate unprotected liquidity and profit from the pool.
- March 2023 – Yearn Finance: ~$1.4 million lost indirectly due to Euler Finance hack; no vulnerability in Yearn’s own contracts.
- April 13, 2023 – Yearn Finance: ~$11.6 million lost due to misconfiguration in early iearn yUSDT contract, which pointed to USDC instead of USDT. Attacker minted large amounts of yUSDT and cashed out.
- March 28, 2024 – Prisma Finance: ~$10 million stolen due to permission and logic flaws; attacker deployed malicious contracts and exploited function access and call defects.
- June 26, 2025 – Convex Finance (Resupply sub-DAO): ~$10 million stolen due to business logic flaws in the Resupply sub-DAO contract; attacker exploited insufficient permission checks and fund transfer validation.
Additionally, Yishi criticized the Resupply team’s communication attitude, stating they lacked transparency and even mocked and banned dissenting investors—a serious betrayal of community trust. He called on Resupply to create a fair resolution plan and return losses caused by technical errors back to users.
Shortly afterward, Yishi received private messages containing racially offensive mimicry such as "ching chong," sparking widespread outrage in the Chinese-speaking community.

Conflict Escalates: Clash with Curve’s Founder
Yishi’s public campaign quickly escalated into a direct conflict with Curve founder Michael Egorov. Prior to this, Curve Finance had issued an official statement regarding the security incident: "Although Resupply was not developed by Curve’s team, we believe the creators of Resupply are capable and experienced, and trust they will do their utmost to resolve the issue."
However, the matter did not end there.
Yishi revealed that Michael privately threatened to sue him, claiming his statements had "damaged Curve’s reputation." This news triggered intense debate on X, with many arguing that as a partner of Resupply, Curve should share some responsibility rather than resorting to legal threats to silence criticism.
Yishi responded on X: "Michael says he’ll sue me for defaming Curve’s reputation. What kind of behavior is that? Are honest people just supposed to accept being bullied?" He added that while he respects Michael’s attempts to mediate, he won’t back down from demanding accountability.
As the situation intensified, some users began associating Yishi’s personal campaign with the OneKey brand, accusing OneKey of "orchestrating public opinion attacks" against Resupply. In response, OneKey issued a formal statement on June 29 on X, clarifying that the company had neither participated in nor influenced any such campaigns. It emphasized that Yishi’s actions were strictly personal investment-related and unrelated to OneKey’s business operations.
Summary
The Resupply incident reflects not only Yishi’s individual fight for justice but also highlights broader challenges facing the DeFi industry amid rapid growth. First, smart contract security remains a core challenge. While Resupply’s vulnerability may seem basic, similar incidents are common in DeFi. In 2024 alone, global crypto losses from hacks and scams exceeded $2.2 billion, underscoring the urgent need for improved industry-wide security standards.
Second, Resupply’s crisis response exposed shortcomings in DeFi project governance. A lack of transparency, suppression of dissent, and attempts to shift blame not only erode investor trust but could also inflict long-term, irreparable damage on the project. Yishi’s campaign reminds the community that investors have the right to demand accountability for technical failures—and that losses should not simply be passed on to users.
Finally, the incident has sparked debate over shared responsibility among DeFi ecosystem partners. Projects like Curve and Convex were drawn into controversy due to their associations with Resupply, revealing how interconnectedness—while a strength of DeFi—can also amplify risks. Moving forward, defining clear accountability frameworks within ecosystem collaborations will be a critical challenge for the DeFi industry.














