$9.5M Exploit Hits Stablecoin Protocol

26.06.2025 09:13

A decentralized stablecoin protocol, Resupply, suffered a significant exploit resulting in a loss of approximately $9.5 million. This incident highlights vulnerabilities within the DeFi ecosystem, impacting prominent players like Convex Finance and Yearn Finance, which are connected to the Resupply protocol. Security firms, including BlockSec Phalcon and CertiK, swiftly identified the attack's method.

The exploit involved a manipulation of the cvcrvUSD token's exchange rate. Targeting a thinly traded market, the attacker inflated the token's price through a series of "donations" to the market. This artificial price surge, confirmed by both BlockSec Phalcon and CertiK, was the cornerstone of the attack. The attacker funded the manipulation with a 4,000 USDC flash loan from Morpho.

Crucially, the attack exploited a flaw in the protocol's exchange rate calculation. The exchange rate was computed from the cvcrvUSD price using floor (integer) division, so once the price had been inflated far enough the resulting rate rounded down to zero. A zero exchange rate makes any borrow appear fully collateralized, which let the attacker borrow nearly $10 million worth of reUSD against negligible collateral, a single wei of cvcrvUSD, bypassing every solvency check. The attacker then converted the reUSD into USDC and wrapped Ether (WETH) via Curve and Uniswap, realizing a profit near $9.5 million.
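The following Python model is an added illustration of the donation-then-floor-division failure mode described above; it is constructed for this page and is not Resupply's Solidity or any analysis firm's code. The vault pricing formula, the inversion used to derive the exchange rate, the precision constants, the LTV limit and every name below are assumptions chosen to make the arithmetic visible. It shows the vulnerable check beside a hardened one that rejects a zero rate and rounds debt against the borrower.

```python
# Constructed model of a floor-division solvency flaw. Not the real contracts:
# formulas, constants and names are assumptions for illustration only.

EXCHANGE_PRECISION = 10**18   # assumed fixed-point scale for prices and rates
LTV_PRECISION = 10**5         # assumed: LTV in 1e5 units (100% == 100_000)
MAX_LTV = 95_000              # assumed 95% maximum loan-to-value


def share_price(total_assets: int, total_shares: int) -> int:
    """Assumed vault pricing: assets per share, scaled by EXCHANGE_PRECISION.
    A direct 'donation' raises total_assets without minting shares, so a
    near-empty vault can be pushed to an arbitrarily high price."""
    return total_assets * EXCHANGE_PRECISION // total_shares


def exchange_rate_floor(collateral_price: int) -> int:
    """Vulnerable form: collateral-per-debt rate obtained by inverting the
    collateral price with integer (floor) division. Once collateral_price
    exceeds EXCHANGE_PRECISION**2 the quotient floors to 0."""
    return EXCHANGE_PRECISION * EXCHANGE_PRECISION // collateral_price


def ltv(borrow_amount: int, collateral_amount: int, rate: int, round_up: bool) -> int:
    """Loan-to-value in LTV_PRECISION units. With rate == 0 the debt measured
    in collateral is 0, so any borrow against any collateral reads as 0% LTV."""
    if collateral_amount == 0:
        return 2**256 - 1  # no collateral at all: maximally insolvent
    num = borrow_amount * rate
    if round_up:
        debt_in_collateral = -(-num // EXCHANGE_PRECISION)  # ceiling division
    else:
        debt_in_collateral = num // EXCHANGE_PRECISION      # floor division
    return debt_in_collateral * LTV_PRECISION // collateral_amount


def is_solvent_vulnerable(borrow_amount: int, collateral_amount: int, collateral_price: int) -> bool:
    """Vulnerable check: trusts whatever rate the floor division produced."""
    rate = exchange_rate_floor(collateral_price)
    return ltv(borrow_amount, collateral_amount, rate, round_up=False) <= MAX_LTV


def is_solvent_hardened(borrow_amount: int, collateral_amount: int, collateral_price: int) -> bool:
    """Hardened check: a zero rate is a failure, not a 0% LTV, and debt is
    rounded against the borrower. On-chain this would be a require()/revert
    rather than a False return."""
    rate = exchange_rate_floor(collateral_price)
    if rate == 0:
        return False
    return ltv(borrow_amount, collateral_amount, rate, round_up=True) <= MAX_LTV


def attack_scenario() -> dict:
    """Constructed numbers: a vault with a single share outstanding is
    'donated' to until its price inverts to a zero exchange rate; the attacker
    then posts 1 wei of collateral and asks for 10M debt tokens."""
    total_shares = 1
    total_assets = 1
    donation = 10**20             # assumed: 100 tokens at 18 decimals
    price = share_price(total_assets + donation, total_shares)
    borrow = 10_000_000 * 10**18  # 10M debt tokens at 18 decimals
    collateral = 1                # a single wei of collateral shares
    return {
        "price": price,
        "rate": exchange_rate_floor(price),
        "vulnerable_passes": is_solvent_vulnerable(borrow, collateral, price),
        "hardened_passes": is_solvent_hardened(borrow, collateral, price),
    }


if __name__ == "__main__":
    for k, v in attack_scenario().items():
        print(f"{k}: {v}")
```

The zero-rate guard is the minimum fix for this specific arithmetic; a production market would also bound how far a collateral price may move between updates, since the donation step is what made the inversion overflow into zero in the first place.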

PeckShield's analysis traced the attacker's initial funding to a Cow Swap interaction involving 2 ETH, which was then passed through Tornado Cash to obscure its origin. After the funds left the mixer, the attacker deposited them into the exploit contract, triggered the vulnerability, and withdrew approximately 1,581 ETH. CertiK's post on X reported that the attacker subsequently moved the stolen funds to two separate addresses, totaling roughly $9.56 million.

Resupply acknowledged the breach via its official X account, temporarily suspending the compromised market while assuring the continued functionality of other protocol operations. Further details regarding the platform's response and plans for remediation are forthcoming.