Exclusive interview with Resupply victims: Who should be held responsible for the $9.6 million?

Bijie.com reports: A week has passed since the Resupply theft. On June 26, a security vulnerability in the stablecoin "wstUSR market" of the DeFi protocol Resupply was exploited, resulting in a loss of about $9.6 million in crypto assets.

"If you often walk by the river, you will get your shoes wet." DeFi OG player 3D posted rights protection videos on his YouTube channel for three consecutive days. Bijie.com contacted 3D and talked to him, as a witness of the loss, about a series of reviews after the theft.

3D is one of the users who participated in the mining of this protocol earlier. He is both a mining player and a content creator. In this interview, we heard his doubts, his emotions, and some unspoken rules of this industry that people are unwilling to state. He talked about Curve's "default endorsement", the project's passive response to the hackers, and how community members were blacklisted and humiliated when defending their rights.

Compared with the loss of money, what chilled 3D in his story was the shaken confidence in the industry. He admitted that although he did not suffer the most losses, he was the most angry one - not because of money, but because of his identity as a user who was ignored and humiliated. His experience reflects the common dilemma of countless DeFi participants - unclear rights and responsibilities, no way to protect rights, and repeated concessions on the moral bottom line.

The following is the full content of the conversation:

BlockBeats: Please give a brief self-introduction first.

3D: My name on the Internet is 3D. My main job is still mining by myself. I have been in the circle since the ICO round in 2017, but I really started to focus on DeFi and arbitrage since the DeFi Summer wave in 2020. At the same time, I also run a YouTube channel focusing on DeFi arbitrage - 3D Crypto Channel.

BlockBeats: How much funds have been damaged so far? How to estimate or measure the actual scale of losses?

3D: The total scale of funds that can be seen at present is basically the size of the insurance pool - about 38 million US dollars.

BlockBeats: What proportion of Chinese users are there this time?

3D: I am not very clear about this. However, the two people who stood up and spoke the loudest and earliest to defend their rights this time were indeed me and Yishi. We were the first to do so. Chinese users spoke more concentratedly, and of course there were some English users, but the overall volume was much smaller.

During the period after Resupply was stolen,

BlockBeats: What is the current solution?

3D: Simply put, our principal directly lost 15.5%. The community actually hopes that they will take action, after all, the total loss this time is about 10 million US dollars. A developer on their team paid about 1.5 million, and they took about 800,000 from the vault, just to show their appreciation, a total of just over 20%. Their attitude is like saying, "Look, we also lost money, don't pursue it anymore." But the question is why didn't you use this money to communicate with the hacker? For example, "If you return the money, we will give you this part as a white hat reward", wouldn't that make everyone happy? But they didn't do it at all.

BlockBeats: Why did you choose this protocol to mine?

3D: I participated in the Resupply project around the beginning of April. At that time, I was browsing Twitter and saw someone I have been following for a long time posting related content. Later, I saw that Curve also retweeted it, which caught my attention. In hindsight, it is quite strange from the perspective of the project's operating logic. It does not seem to want to make money for itself, but more like helping Curve to "boost" the usage of crvUSD. Because crvUSD itself has no practical use, he forcibly created a use case through the design mechanism, and then used incentives to guide everyone to participate.

From the perspective of us participants, this is like a big brother who wants to pull the platform data and asks his "little brother" to support the scene, and Curve did give him some endorsement, so we didn't think there was any problem at the time. For those of us who do mining or arbitrage, when we encounter a new project, we will first evaluate two key points: the first is the product itself, how does it work? Where does your money come from? The second is the background of the project party, that is, the so-called "on-site" and "off-site" information must be fully investigated. In my judgment at the time, the logic of the Resupply product was relatively simple and intuitive.

BlockBeats: Who do you think should be held responsible after the incident? What key decisions did the Resupply team make after the incident? If compared with mature DeFi protocol platforms, what are the obvious differences in their response processes?

3D: I think the biggest problem they have in post-processing is that they have no sense of crisis response at all. They didn't even do the most basic things at the first time. Everyone can find this online, and Yu Xian has also mentioned it: they neither publicly called out to the hackers, nor issued an announcement to explain the situation, nor did they initiate any legal or accountability mechanisms - they didn't even try to communicate with the hackers, they just let it go. Other projects will at least issue announcements, suspend contracts, contact white hats, and try to recover funds, but they haven't done these basic operations. They just pretended it didn't happen.

We also don't understand why the project party doesn't actively communicate with the community. The entire incident caused a loss of nearly 10 million, and one developer in their own team only paid about 1.5 million, plus about 800,000 from the project treasury, which only covered about 20% of the losses in total.

No matter how you look at it, it's just a symbolic "meaning", a drop in the bucket. Their attitude was basically, "Look, we've already lost money, so stop bothering us." But the problem is that they could have used the money to negotiate with the hacker, saying that as long as you return the money, it will be a white hat reward, and everyone would be happy. But they didn't take that approach at all.

3D's message on the Resupply official forum: It is suggested to try to talk to the hacker with the white hat bonus, but there has been no response.

The first point is that they are extremely passive in recovering the hacker's assets, or even completely inactive. It has been a few days since the incident happened last Thursday, and there is still no substantial progress.

The second point is that their attitude towards the community is extremely arrogant and indifferent. When the incident happened, many of our users went to Discord to ask, but they directly defined it as "the people in the insurance pool will bear the loss", without even basic discussion space. We questioned their approach, saying that the document did not state that users need to bear such losses, but we were ridiculed, attacked, and even directly blocked. They also said, "You earn 17% annualized returns, so you have to bear the corresponding risks." This logic is completely untenable. We just participated in a strategy with an annualized return of 17%, which does not mean that we have to take full responsibility for the theft of the protocol.

The feedback in our group is very consistent. It is not the loss of money that is the most uncomfortable, but the experience of being humiliated and blocked in Discord is more infuriating. There are two core reasons why this incident has caused such a strong reaction: the inaction of the project party and their contempt for users.

If they really can't afford to pay, they can make their attitude clear, for example, take out 3 million first, and let all users share the remaining 7 million in proportion, which is better than now. But their way of dealing with it is to directly "take out" the users of the insurance pool to bear all the responsibility. The purpose of their doing so is also very clear, that is, to keep the protocol running and prevent the project from dying.

The most ironic thing is that looking at the announcement they issued at the time, they hardly mentioned the amount of loss, but only lightly said that they encountered a loophole, suspended one market, and everything else was normal. This way of information disclosure is very irresponsible.

What's more serious is that hackers minted 10 million stablecoins at zero cost through the loophole and sold them on the market, directly breaking the original over-collateralization mechanism, so that there is no longer enough asset support behind the stablecoin. In this case, the project party still did not suspend the agreement and let users withdraw their funds on their own. As a result, those users who ran fast withdrew, and those in the insurance pool were completely locked because of the 7-day delay in withdrawal.

What's even more outrageous is that they have launched a new proposal to suspend withdrawals from the insurance pool and further freeze user assets. As for what they said, "bad debts should be borne by the insurance pool", there is no precedent in the DeFi protocol. They have once again broken the bottom line of the industry, and there is absolutely no governance rationality.

BlockBeats: So has any project used this insurance pool to bear losses before?

3D: There is no insurance pool bearing black accounts. There are only three ways to participate in the Resupply project: staking, revolving loans, and forming LPs.

In fact, from the perspective of user expectations, staking is the most stable group of people in it, but now they have to bear all the risks. The core problem lies in the user's expectations of the insurance pool. We all think that as long as we bear the bad debts caused by market fluctuations.

I made an analogy about the insurance pool at the time. It may not be very accurate, but it is roughly this meaning. It's like you bought a wealth management product on Binance, and then Binance was stolen. It tells you, "Aren't you here to save money? Then everyone will bear the loss together, especially you users who bought wealth management." In the end, the loss is only deducted from the funds of the wealth management users, and others are not affected.

In fact, some exchanges were stolen before, and all users borne the loss in proportion, but this time it was not. They only let financial management users bear all losses. Their logic is: "If you want to get 2% annualized interest, you have to take responsibility for it." Some people even say that "there is no free lunch in the world", which means that if you get 17% annualized income, you deserve to bear the loss of this theft. This statement is too outrageous.

What role did Curve play in this storm?

BlockBeats: You mentioned that you participated in Resupply because you trusted Curve. So what kind of relationship do you think exists between Resupply and Curve? Do you think Curve's "cut-off" attitude after the incident is reasonable?

3D: I think this can be divided into two levels. The first is the superficial logic - this project does serve Curve, and it also endorses Curve. It is also a project in the Curve ecosystem. But on the other hand, normal people with a little judgment will make a reasonable inference: you see that the design of this protocol is basically to provide services to Curve, to put it bluntly, it is a "little brother" role. Otherwise, its existence is almost meaningless.

Its core logic is to use its own mining coins to subsidize Curve's protocol income. You said that this kind of thing that does not seek returns and is purely a blood transfusion, unless it is true love, who would do it? Especially its tokens. At that time, I thought that this project would not last more than a month, because the overall story was not attractive. In the final analysis, it was just to bring some new volume to Curve's stablecoin, and there was no substantial content.

But later you see, the price actually stabilized and remained stable for a long time. I was thinking at the time, who is supporting this? After thinking about it, the most reasonable explanation is that Curve itself is supporting it. Who benefits from it and who has the most motivation to stabilize the situation - this is common sense reasoning. Although there is no solid evidence, as long as you have a normal mind, you can probably think of this.

Before the price trend of Resupply's native token did not go wrong, Curve loudly said that this was a good project. Now that something went wrong, it immediately distanced itself from it, saying "It's just an ecological project, it has nothing to do with me." This attitude is the same as some of the news we usually see: if something goes wrong, it is "done by temporary workers." Now even users like us have been banned. How serious do you think this matter has been?

Without Curve’s endorsement, Resupply would not have been able to raise so much money. The reason we participated was not because of its development team - in fact, the team’s reputation is not good.

If they were just doing a project alone, we would definitely not participate. There are two reasons why we really choose to participate: first, its business model is centered around Curve's stablecoin, which is equivalent to helping Curve grow logically, and this binding relationship makes people feel relatively safe; second, Curve officials also publicly acknowledged the project at the time and even endorsed it.

As for your statement that the project party has a dark history, it does have one, but this time they did not change their vests, but continued to use their original identities to do the project, which is also a kind of "real name" responsibility to some extent.

BlockBeats: Does Curve need to bear joint and several liability for its official publicity and endorsement of Resupply in this incident? How do you view the conflict of interest between the "post-clearance" and "pre-promotion" of the ecological party?

3D: I think Curve's "cutting" behavior after the incident is completely unreasonable. You think that even if I am a small KOL, if I have recommended a mining pool before, even if I have not collected a penny and have no interest relationship, if this mine has problems, I will speak out at the first time to tell the people who follow me what is wrong now, and I will follow up. Curve actively endorsed the project when it was running normally at the beginning, but when the project had problems, it had an attitude of "it has nothing to do with me", said a few words of "regret", and then washed its hands of it. Such behavior is really unacceptable.

How can mining avoid pitfalls?

BlockBeats: What is the biggest difficulty for DeFi users to protect their rights at present?

3D: The core of the problem lies in the unclear rights and responsibilities, coupled with the lack of supervision of the entire industry itself. In this case, it is actually very difficult to protect rights. If it is an American user, the situation may be slightly better.

Because the United States has long-arm jurisdiction, it can pursue cross-border accountability through legal means, and it may even be possible to recover part of the funds and report losses to the government. But for us, there is basically no such channel.

BlockBeats: So what are the current ways for these damaged big users to protect their rights?

3D: No, otherwise who would be willing to be a clown on the Internet? In the final analysis, we have no effective channels for protecting our rights. As long as the project party is determined to be irresponsible, users can only rely on themselves to speak out and organize actions.

For me, although the economic loss of this incident is not large, I reacted particularly strongly because I think it is an insult. If all project parties hold this attitude, then this industry will not be able to continue. To be honest, this is really chilling. Today I was cheated, tomorrow it may be you, as long as you are still in this circle, you will always encounter similar things.

As the old saying goes: "True heroism is to choose to love after seeing the truth." We can only look at this industry in this way. To solve the problem, on the one hand, the project party has a moral bottom line, and on the other hand, the industry also needs basic self-discipline.

BlockBeats: What information will you focus on when the project is just launched or is still in the promotion period?

3D: When the project is just launched or is still in the promotion period, I usually focus on several aspects. The first is the business model. How does this project make money? Where does the profit come from? This is the most basic but also the most critical question.

The second is the on-site information, that is, the operating mechanism of the protocol itself, such as whether the inflow and outflow of funds are smooth, whether there are "stuck points" - for example, whether there is a time lock for the inflow and outflow of funds, or whether a high handling fee is charged, which are directly related to user experience and risk.

The third is off-site information. I want to see if the team has done any projects before, whether it is anonymous, whether it has investment institutions to support it, who is behind it, and whether I can get some background information. In addition, I will take the initiative to chat with the project party on Discord to see their response attitude and whether the team is reliable.

Some people will look at the audit report, but I would like to remind you that many projects that have problems now have actually been audited. The audit can only show whether the project party is willing to spend money to go through the process, and it does not mean that the project is really safe.

BlockBeats: Do you still have confidence in Curve's ecology, insurance mechanism, and stablecoin system?

3D: Curve's current situation is actually quite embarrassing. Its original ecological niche was mainly to solve the problem of Uniswap V2 in the depth of stablecoin transactions. Because V2's constant product market-making mechanism does not perform well between stablecoins, it takes a lot of funds to pull out the depth. At that time, Curve proposed a smoother curve design and focused on stablecoin exchange. It can be said that it relied on this differentiation to gain a foothold in DeFi from the beginning. As an infrastructure product, the logic is very clear. But now with the business pressure from Floyd, I think it is going downhill, but I still have confidence in the stablecoin system.

I have been very anxious recently. Although my personal loss this time is not much, the biggest blow to me is not money, but confidence.
I have been in this industry for a long time. I can’t say how much I love it, but at least I have invested in it for a long time. But now, I have begun to seriously doubt the sustainability of this industry - if all project parties are like this time, then this industry will not be able to continue at all. Yishi has withdrawn all mines, and now only plans to hoard Bitcoin and not touch anything else. You can imagine that our loss of 15.5% this time is equivalent to the annualized income of mining for one year directly returning to zero. What we originally did was a relatively low-risk strategy, not a high-leverage, daily profit-making method. Who can bear to earn 15 points in a year of hard work and now it’s gone in one day?
