Highlights:
- Token price manipulation led to the smart contract attack on Resupply Stablecoin Protocol, which lost $9.5 million.
- The attacker inflated cvcrvUSD’s value and borrowed reUSD using minimal collateral.
- Resupply has paused the affected contract and launched an ongoing investigation.
Resupply, a stablecoin platform, has suffered a $9.5 million breach attributed to a manipulated price feed. The attacker exploited a vulnerability in the platform’s smart contract logic that allowed borrowing against negligible collateral. The protocol’s wstUSR market was the primary victim of the breach.
On June 26, the security platform BlockSec Phalcon reported suspicious activity. Shortly afterward, Resupply confirmed a breach of its CurveLend-style ResupplyPair contract. The hacker targeted cvcrvUSD, a wrapped form of the Curve protocol’s crvUSD token staked in Convex Finance.
Yet another lending protocol exploited via exchange rate manipulation on low-liquidity—even empty—markets!
Specifically, attackers artificially inflated #cvcrvUSD's share price through donations. @ResupplyFi's ResupplyPair contract (https://t.co/yo2N5lScHi, created ~2h ago) uses… https://t.co/MelEYFLr98 pic.twitter.com/2qXC9IiREL
— BlockSec Phalcon (@Phalcon_xyz) June 26, 2025
The exploit began with targeted “donations” to the cvcrvUSD vault, inflating the token’s share price. Resupply Stablecoin Protocol’s smart contract utilized this price in calculating the exchange rate. In addition, the rate was rounded down since the contract employed floor division in its logic.
By exploiting this zero-rate calculation, the attacker was able to borrow almost $10 million in reUSD by depositing only one wei of cvcrvUSD. Furthermore, the distortion in the exchange rate let the protocol release funds without its insolvency protection being triggered.
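The rounding failure described above, as an added illustration in Python rather than code from Resupply or from the original article. It is a simplified integer model: the `1e36` numerator, the 95% LTV cap and all amounts are assumptions or constructed values, and `exchange_rate_checked` is a hypothetical guard that rejects a rate that has floored to zero.

```python
# Simplified integer model of the failure mode; constructed values, not Resupply's code.
WAD = 10**18             # 18-decimal fixed-point unit
RATE_NUMERATOR = 10**36  # assumed: rate = 1e36 // oracle price
LTV_PRECISION = 10**5
MAX_LTV = 95_000         # assumed 95% loan-to-value cap


class Vault:
    """ERC4626-style accounting: share price = total_assets / total_shares."""

    def __init__(self, total_assets: int, total_shares: int):
        self.total_assets = total_assets
        self.total_shares = total_shares

    def donate(self, assets: int) -> None:
        # Assets arrive without shares being minted, so the share price rises.
        self.total_assets += assets

    def share_price(self) -> int:
        return self.total_assets * WAD // self.total_shares


def exchange_rate(price: int) -> int:
    # Floor division: yields 0 as soon as price exceeds RATE_NUMERATOR.
    return RATE_NUMERATOR // price


def exchange_rate_checked(price: int) -> int:
    # Hardened variant: a zero rate would value any debt at zero, so refuse it.
    rate = RATE_NUMERATOR // price
    if rate == 0:
        raise ValueError("exchange rate rounded to zero; oracle price out of range")
    return rate


def is_solvent(borrowed: int, collateral: int, rate: int) -> bool:
    # LTV = debt valued in collateral units / collateral posted.
    ltv = (borrowed * rate // WAD) * LTV_PRECISION // collateral
    return ltv <= MAX_LTV


def demo() -> dict:
    vault = Vault(total_assets=1, total_shares=1)  # near-empty market (constructed)
    borrowed, collateral = 10_000_000 * WAD, 1     # large loan against 1 wei
    before = is_solvent(borrowed, collateral, exchange_rate(vault.share_price()))
    vault.donate(2 * WAD)                          # constructed donation
    rate = exchange_rate(vault.share_price())
    return {"before": before, "rate": rate, "after": is_solvent(borrowed, collateral, rate)}
```

With the unchecked rate, the same loan that fails the solvency check before the donation passes it afterwards because the computed LTV is zero; the checked variant reverts instead.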
How the Exploit Unfolded Step by Step
The hacker first took a flash loan of $4,000 in USDC through Morpho. That loan financed the price manipulation of cvcrvUSD in an ERC4626 wrapper. Security analysts later determined that this wrapper served as a price oracle in the CurveLend contract.
The attacker distorted the vault’s share price using just two crvUSD tokens. Resupply’s contract calculated borrowing capacity from that inflated value. The same faulty logic also let the attacker evade the solvency check. Once the attacker obtained the reUSD, they swapped it on Curve and Uniswap for assets such as WETH and USDC. Blockchain tracking firms established that funds totaling more than $9.5 million were transferred to two wallet addresses. According to PeckShield, the operation was initiated with only 2 ETH on Cow Swap.
Moreover, the funds were later transferred via Tornado Cash to disguise the identity of the attacker. According to security teams, most of the movement occurred within a short time window. After the exploit, Resupply suspended the compromised contract and initiated an internal investigation.
Resupply has experienced an exploit in the wstUSR market. The affected contract has been identified and paused. Only the wstUSR market was impacted and the protocol continues to function as intended. A full post-mortem will be shared as soon as a complete analysis of the…
— Resupply (@ResupplyFi) June 26, 2025
Broader DeFi Exploit Trends Continue in June
The Resupply Stablecoin Protocol’s exploit reflects a wider pattern of price manipulation exploits in low-liquidity DeFi ecosystems. Recently, such tactics have been applied against protocols such as Meta Pool and GMX/MIM Spell. Those incidents also shared faulty oracles and errors in floor-division logic.
This recent exploit comes in the wake of Hacken’s breach on June 21, in which attackers minted 900 million HAI tokens across Ethereum and BSC. Hacken suspended its token bridges to avoid further losses. In addition, the price of HAI fell by 97% immediately after the exploit, wiping out almost all of its market value.
According to security researchers, DeFi projects need to improve their oracle systems and limit reliance on thin markets to determine prices. Resupply has not yet made any announcements about user reimbursement or fund recovery. However, a full post-mortem has been promised once the investigation is complete.