The Resupply protocol suffered 10M reUSD in bad debt when it was hacked earlier this week. The attack and technical details are out of scope for this document but can be found here.
Stolen funds remain on-chain. The situation is being monitored and necessary steps are being taken.
This document outlines a proposed set of governance actions aimed at eliminating protocol bad debt and providing retention incentives for affected users.
The team aims for a quick resolution on this matter, so please direct any feedback and conversation to this forum post.
Recovery Phase 1: Immediate Governance Actions
Insurance Pool (IP) Token Burn
At the time of writing, the total outstanding bad debt amount is 7,131,168 reUSD, after 2,868,832 reUSD was already paid by the Resupply Treasury, Convex Treasury, and C2tP.
This proposal specifies:
6,000,000 reUSD of bad debt to be burned via the insurance pool, or approximately 15.5% of the 38.7M reUSD currently in the insurance pool.
The protocol will carry ongoing bad debt to reduce the amount owed by the insurance pool. In total, this is 4M reUSD less than the original bad debt amount owed by the insurance pool.
The remainder of bad debt (1,131,168 reUSD) will be paid off over time by the DAO through a mix of future revenue sources such as, but not limited to, protocol fees and/or a potential RSUP OTC sales program, to be decided on at a later date by treasury or governance.
IP Withdrawal Period
Every effort is being made to shorten the period by which user funds are in mandatory lock-up in the Insurance Pool. To do this, Resupply’s voter will be updated to reduce the voting period on this proposal to 3 days.
By utilizing a shorter voting window, the DAO can enact a swift on-chain decision in regard to this proposal with the aim of doing good by depositors and reaching a final resolution within the original 7-day IP cooldown period.
The DAO may choose to extend the regular voting period back to 7 days following the conclusion of this post or explore other options such as different vote lengths for standard and emergency votes.
Recovery Phase 2: Insurance Pool Retention Program
Overview
The IP Retention Program is available for users who were depositors in the Insurance Pool at the time of the execution of this proposal and were slashed during Phase 1 above. It is not intended to offset the slashing, though it may or may not do so; it is instead intended to provide incentive to stay in the insurance pool post-slashing via additional streamed RSUP tokens. Opting in is the default option, but users can withdraw at any time if they decide not to participate.
Opting out will distribute that share of additional streamed RSUPs to those that remain.
The program requires contract development and will be enacted at a later date, once contracts are reviewed and deployed.
Source of Program Revenue
A dedicated RSUP emissions receiver will be created for the Retention Program.
If passed, this proposal commits the DAO to allocating a total of 2.5M RSUP to the receiver over the course of 52 weeks. A vast majority of this will come from treasury’s RSUP allocation.
Tentative Emissions, next 12 months
Note: Treasury “before” amount includes 541,851 accumulated/unclaimed treasury RSUP. 25% of borrow emissions going to Retention Program, remainder from treasury.
Target | Before | After
Borrow | 2,875,000 | 2,156,250
Treasury | 2,641,851 | 860,601
Conclusion
Insurance pool to be slashed by six million reUSD, and DAO to cover remainder of bad debt.
The slashing proposal will be enacted within three days after the governance vote is posted.
A retention program to be enacted in the future for slashed insurance pool participants.
I believe that everyone has been suffering since the incident. I respect the team and C2 for their just compensation and thank you from the bottom of my heart. I also think that the exploitation of the vulnerability in this incident has undoubtedly caused bad debts, and the insurance pool should definitely bear this bad debt. I am also sad and sorry for the offensive remarks on some social platforms that have hurt your team. But I hope you don’t care too much about these negative things. After all, these platforms are just a place for people to entertain and consume emotions. Let’s discuss this matter peacefully and rationally in this forum.
According to previous hacking cases and theft cases of other projects, it is worth referring to the amount of bad debts borne by the victim users (insurance pool) of about 5%-10%. In other words, I hope the team can consider reducing the amount of bad debts borne by the insurance pool to about 2 million or 3 million?
At the beginning, I learned about the resupply project from a channel called “Leviathan News” on YouTube. After watching the relevant videos, I thought you were all geniuses, so I participated in it. Although I have experienced this disaster, I still have to admit that resupply is really an excellent DeFi application, and I will continue to use it. Therefore, I hope that the resupply team will consider my proposal, which may bring more high-quality and confident users to resupply. Thank you again for all your efforts, sincerely
Regarding the Resupply Recovery Plan
After reviewing the current recovery plan, I propose an alternative approach for the community’s consideration to explore additional options before tapping into the insurance pool.
The current plan involves burning 6,000,000 reUSD from the insurance pool to cover the bad debt from the hack, representing 15.5% of the total 38.7M reUSD in the pool. While this is a viable solution, I believe we could try a less costly option first.
Alternative Proposal
Offer a white hat bounty of 2,868,832 reUSD to the hacker in exchange for returning the stolen funds.
Communicate on-chain (e.g., via a public message to the hacker’s known address) within a 72-hour initial timeframe, with flexibility to extend if negotiations show promise.
Rationale
Successful Precedents in DeFi:
In 2023, Euler Finance recovered all $200 million in stolen funds through negotiations.
dForce had nearly all of their $25 million returned by a hacker in 2020.
Allbridge recovered approximately 80% of their stolen funds via a similar bounty approach.
Low Risk: The 2,868,832 reUSD has already been raised, so this attempt incurs no additional cost. If unsuccessful, these funds can be redirected to the insurance pool or other recovery efforts.
Protecting Insurance Pool Users: A successful bounty would avoid the 15.5% loss to insurance pool contributors and reduce the DAO’s future debt burden.
Addressing Concerns: While offering a bounty may seem controversial, it’s a pragmatic approach that prioritizes community recovery, as proven by other DeFi projects.
Setting a Positive Precedent: This demonstrates the team’s commitment to exploring all solutions, reinforcing trust in the project.
Conclusion
While the team’s desire for a swift resolution is understandable, we should exhaust all options before using the insurance pool. A 72-hour bounty attempt, inspired by successful DeFi recoveries, is a low-risk, high-reward strategy. If it fails, we can seamlessly transition to the current plan, ensuring no loss of raised fun