Curve and OneKey Statement: Unpacking the $9.6 Million Loss in Resupply Protocol
Overview of the $9.6 Million Loss in the Curve Ecosystem's Resupply Protocol
The decentralized finance (DeFi) ecosystem recently faced a major setback when a price manipulation attack on the Resupply protocol within the Curve ecosystem resulted in a $9.6 million loss. This incident has sparked widespread discussions about technical vulnerabilities, governance issues, and the ethical use of insurance pools in DeFi. Below, we explore the technical flaws that enabled the attack, the responses from key stakeholders, and the broader implications for the DeFi space.
Technical Vulnerabilities in the ERC4626 Vault Deployment
The root cause of the attack was a critical vulnerability in the deployment of the ERC4626 vault. Specifically, the failure to burn initial shares during the vault's deployment created a loophole that attackers exploited. This oversight allowed malicious actors to mint unlimited shares at near-zero cost, effectively draining the vault of its assets.
How the Attack Was Executed
The attackers leveraged the flawed share-minting mechanism to manipulate the price and drain the vault. By minting shares at negligible costs, they were able to siphon off funds without triggering immediate alarms. This incident underscores the importance of rigorous testing, comprehensive audits, and proactive monitoring in DeFi protocols to prevent such catastrophic losses.
Accountability and Responsibility: Yishi's Criticism of Resupply and Associated Projects
OneKey founder Yishi, a prominent investor in Resupply, publicly criticized the project team for what he described as technical negligence and a lack of accountability. He argued that the team failed to address critical vulnerabilities and did not take adequate measures to safeguard user funds.
Ethical Concerns Over Insurance Pool Usage
Yishi also raised ethical concerns about the use of the insurance pool to cover the losses. He contended that insurance pools are designed to handle black swan events, not preventable technical errors. Shifting the burden of such errors onto insurance pool depositors, he argued, is both unethical and impractical. This criticism has ignited broader debates about the ethical and practical use of insurance mechanisms in DeFi.
Yishi's Call for Action: Demands for User Fund Recovery
In his public statement, Yishi called on Curve, Convex, and Yearn—projects that supported and benefited from Resupply—to take responsibility for the incident and return user funds. He emphasized the importance of prioritizing asset recovery to ensure affected users are compensated for their losses.
Allegations of Governance Issues
Yishi further accused the Resupply team of banning critics in their Discord community, raising concerns about governance and transparency. These allegations highlight the challenges of maintaining accountability and open communication in decentralized systems.
Curve's Official Response to the Incident
Curve responded to the incident by clarifying that Resupply was not developed by their team. However, they expressed confidence in the creators of Resupply to address the issue and recover the lost assets. Curve also reiterated the role of the insurance pool in mitigating risks and emphasized their commitment to asset recovery wherever possible.
The Role and Purpose of Insurance Pools in DeFi Protocols
Insurance pools are a cornerstone of DeFi ecosystems, designed to provide a safety net for users and mitigate risks. However, the Resupply incident has raised critical questions about their ethical use. Should insurance pools cover losses caused by technical errors, or should they be reserved for unforeseen black swan events? This debate is likely to shape future discussions on risk management in DeFi.
Broader Implications for the DeFi Ecosystem
The Resupply incident serves as a stark reminder of the risks inherent in DeFi protocols. It highlights the urgent need for:
Rigorous Security Measures: Comprehensive audits and proactive monitoring to identify and address vulnerabilities before deployment.
Transparent Governance: Open communication and accountability to build trust and prevent governance-related controversies.
Ethical Risk Management: Clear guidelines on the use of insurance pools to ensure fairness and avoid shifting undue burdens onto users.
Lessons Learned
Technical Audits: Rigorous testing and auditing are essential to prevent vulnerabilities that could lead to financial losses.
Governance Transparency: Transparent and open communication can help build trust and address governance-related concerns.
Ethical Practices: The ethical use of insurance pools must be clearly defined to ensure they serve their intended purpose without exploiting users.
Conclusion
The $9.6 million loss in the Curve ecosystem's Resupply protocol has exposed critical vulnerabilities and governance challenges in DeFi. While the incident underscores the risks of decentralized systems, it also offers valuable lessons for improving security, governance, and risk management. As the DeFi space continues to evolve, stakeholders must work collaboratively to address these issues, prioritize user protection, and build a more secure and trustworthy ecosystem.
© 2025 OKX. This article may be reproduced or distributed in its entirety, or excerpts of 100 words or less of this article may be used, provided such use is non-commercial. Any reproduction or distribution of the entire article must also prominently state: “This article is © 2025 OKX and is used with permission.” Permitted excerpts must cite to the name of the article and include attribution, for example “Article Name, [author name if applicable], © 2025 OKX.” Some content may be generated or assisted by artificial intelligence (AI) tools. No derivative works or other uses of this article are permitted.
Related articles
View more
