26.06.2025 10:41

A decentralized stablecoin protocol, Resupply.Fi, suffered a significant exploit resulting in approximately $9.6 million in losses. The attack, initially reported by Cyvers Alerts on X, involved the manipulation of the wstUSR market within the Resupply platform. Critically, the attacker's initial funds originated from the cryptocurrency mixer, Tornado Cash, highlighting the ongoing challenges posed by such services in tracking illicit activity.

Exploiting a vulnerability in Resupply's code, the attacker manipulated the crvUSD price, artificially driving the exchange rate with the reUSD pair to zero. This manipulation allowed for virtually cost-free borrowing, enabling the attacker to drain significant funds from the system. Following the exploit, the stolen funds were converted into Ethereum and subsequently transferred to two currently untraceable wallets.

Resupply.Fi swiftly responded to the incident, announcing on X that they had identified and paused the affected contract within the wstUSR market. The protocol emphasized that this exploit was isolated to the wstUSR market and that other aspects of the platform continue to operate normally. A comprehensive post-mortem analysis is currently underway and is expected to be released soon, aiming to shed further light on the nature of the vulnerability and the subsequent mitigation strategies.

While the platform assures users of its overall functionality outside of the paused wstUSR market, the incident underscores the persistent risks inherent in decentralized finance (DeFi). The use of Tornado Cash, known for its privacy-enhancing features, further emphasizes the need for enhanced security protocols and more effective methods of tracing illicit cryptocurrency transactions from internet sources. The $9.6 million loss serves as a stark reminder of the evolving challenges faced within the DeFi ecosystem.