Stablecoin platform Resupply suffered a major exploit worth $9.5 million after an attacker manipulated the price of a key collateral token, security firms reported.
The attack targeted cvcrvUSD, a wrapped version of Curve USD (crvUSD) staked on Convex Finance. By sending donations to the cvcrvUSD vault, the attacker inflated the token’s share price.
This inflated price was then used as collateral to borrow Resupply’s native stablecoin, reUSD, at a highly favorable exchange rate.
The Resupply smart contract involved, ResupplyPair (CurveLend: crvUSD/wstUSR), used the manipulated cvcrvUSD price in its calculations.
Once the attacker borrowed the reUSD, the manipulated exchange rate collapsed, triggering a major devaluation of the protocol’s reserves.
Analysts at Blocksec noted that the attacker primarily drained funds from the wstUSR market by exploiting the flawed price logic in the borrowing function.
The stolen reUSD was then swiftly converted into other crypto assets on external markets.
“As a result, the attacker borrowed massive reUSD with just 1 wei of cvcrvUSD as collateral, bypassing the insolvency check,” Blocksec wrote on X.
Resupply acknowledged the breach in a statement and confirmed that the compromised contract has been paused. The team is investigating the incident and has not yet confirmed any recovery plans.
“A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted,” the team wrote.
On Wednesday, Fuzzland disclosed that a $2 million exploit targeting Bedrock’s UniBTC protocol in September 2024 was carried out by a former employee posing as an MEV developer.
The attacker used social engineering, inserted malware via a trojanized Rust crate, and maintained undetected access to engineering systems for over three weeks.
The breach culminated in the UniBTC protocol being exploited shortly after Fuzzland discussed a security vulnerability.
Notably, in the first three months of 2025, the crypto ecosystem lost a whopping $1,635,933,800 across 39 incidents, according to the blockchain security platform Immunefi.
Most of that was the result of only two hacks of two centralized exchanges. Phemex suffered a $69.1 million loss in January, while Bybit lost $1.46 billion in February.
Subsequently, the total number of losses in the first quarter marks a 4.7x increase compared to Q1 2024. At that time, hackers and fraudsters stole $348,251,217.
Notably, experts assume that the infamous North Korean Lazarus Group is behind the two largest attacks. They stole $1.52 billion, or 94% of total losses.
