Resupply confirmed the exploit, paused the impacted wstUSR market, and said the stolen funds were laundered through Tornado Cash and split across multiple wallets.
A hacker drained $9.6 million from Resupply, a decentralized stablecoin protocol linked to major DeFi players Convex Finance and Yearn Finance. They did it by manipulating token prices to exploit a critical vulnerability in the platform’s exchange rate calculations.
The attacker artificially inflated the price of the cvcrvUSD, or Curve Vault for CurveUSD, token through targeted “donations” into an extremely thin market. Then they leveraged this manipulated price to borrow nearly $10 million worth of reUSD tokens against just one wei of collateral, according to blockchain security firm Phalcon.
The exploit is the latest in a string of major crypto security breaches that have cost the industry over $2.1 billion this year, pointing to persistent vulnerabilities in decentralized finance protocols despite growing security awareness.
“The attacker manipulated token prices, triggering a bug (zero exchange rate) in Resupply’s smart contract, letting them borrow a ton of money for almost nothing,” Hakan Unal, senior security operations lead at Cyvers, told Decrypt.
This zero exchange rate allowed the attacker to completely bypass solvency checks and borrow massive amounts with negligible collateral.
After securing the loans, they quickly swapped the tokens through Curve and Uniswap for USDC and wrapped Ethereum, generating their $9.5 million profit.
“Users should avoid reUSD vaults and withdraw funds if possible,” Unal advised.
Additional analysis from PeckShield revealed the attack’s entry point: a transaction on Cow Swap involving 2 ETH, which was then funneled through anonymous coin mixer Tornado Cash for anonymity.
Cow Swap is a decentralized exchange that enables users to trade crypto without front-running protection. The attacker ultimately extracted approximately 1,581 ETH from the protocol.
“Resupply has experienced an exploit in the wstUSR market,” the platform confirmed the breach through its official X account. “The affected contract has been identified and paused. Only the wstUSR market was impacted and the protocol continues to function as intended.”
The platform announced it had paused the affected market while maintaining normal operations elsewhere, promising “a full post-mortem will be shared as soon as a complete analysis of the situation has been conducted.”
CertiK reported the exploiter moved approximately $5.56 million to one address and $4 million to another, consolidating the stolen funds across two wallets containing 2.2K ETH and 1.6K ETH respectively.
The Resupply exploit continues a troubling pattern of major crypto breaches this year.
Just over a week earlier, Iranian crypto exchange Nobitex suffered a $49 million breach attributed to the pro-Israel hacker group “Gonjeshke Darande.”
The group used provocatively named wallet addresses and effectively burned the stolen funds to make a political statement rather than profit from the theft.
