Hacker Drains $9.6 Million From Resupply Via Exchange Rate Bug

Generated by AI Agent Coin World
Thursday, Jun 26, 2025 11:10 am ET

A hacker successfully drained nearly $9.6 million from Resupply, a decentralized stablecoin protocol, by exploiting a vulnerability in its exchange rate system tied to the cvcrvUSD token. The attacker manipulated token prices in Resupply's low-liquidity market, triggering a zero exchange rate bug that allowed them to borrow millions with just one wei of collateral. This exploit highlights the persistent vulnerabilities in decentralized finance protocols despite growing security awareness.

The attacker artificially inflated the price of the cvcrvUSD token through targeted "donations" into an extremely thin market. By leveraging this manipulated price, they were able to borrow nearly $10 million worth of reUSD tokens against minimal collateral. The resulting zero exchange rate allowed the attacker to bypass solvency checks and borrow massive amounts with negligible collateral. After securing the loans, they quickly swapped the tokens through Curve and Uniswap for USDC and wrapped Ethereum, generating their $9.5 million profit.
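The following is an added example, not Resupply's contract code: a simplified Python model of how an integer-math exchange rate can truncate to zero and make a solvency check pass for any loan size, next to a hardened check that rejects it. The inverse-price formula, the `10**36` scale, the 95% loan-to-value limit and all function names are assumptions made for illustration.

```python
# Simplified model of an integer-math lending solvency check.
# Assumed formulas and constants for illustration; not Resupply's code.
# All amounts are fixed-point integers, as they would be on-chain.

PRECISION = 10**18       # 1.0 in 18-decimal fixed point
RATE_SCALE = 10**36      # assumed numerator of the inverse-price exchange rate
MAX_LTV = 95 * 10**16    # assumed maximum loan-to-value of 95%


class ZeroExchangeRate(Exception):
    """Raised by the hardened check when the rate truncates to zero."""


def exchange_rate(oracle_price: int) -> int:
    # Integer division truncates: any price above RATE_SCALE yields 0.
    return RATE_SCALE // oracle_price


def is_solvent_naive(borrow: int, collateral: int, oracle_price: int) -> bool:
    # With rate == 0 the borrow is valued at zero, so LTV is 0 for any loan.
    rate = exchange_rate(oracle_price)
    borrow_in_collateral = borrow * rate // PRECISION
    ltv = borrow_in_collateral * PRECISION // collateral
    return ltv <= MAX_LTV


def ceil_div(a: int, b: int) -> int:
    # Round up so truncation never favours the borrower.
    return -(-a // b)


def is_solvent_hardened(borrow: int, collateral: int, oracle_price: int) -> bool:
    if oracle_price <= 0 or collateral <= 0:
        raise ValueError("price and collateral must be positive")
    rate = exchange_rate(oracle_price)
    if rate == 0:
        # A zero rate means the price left the range the math can represent.
        raise ZeroExchangeRate(f"price {oracle_price} truncates rate to 0")
    borrow_in_collateral = ceil_div(borrow * rate, PRECISION)
    ltv = ceil_div(borrow_in_collateral * PRECISION, collateral)
    return ltv <= MAX_LTV


# Constructed sample values (not taken from the incident's transactions).
NORMAL_PRICE = 10**18            # collateral priced 1:1 with the debt token
INFLATED_PRICE = 2 * 10**36      # price pushed above RATE_SCALE
HUGE_BORROW = 10_000_000 * 10**18
```

In this model the naive check accepts `HUGE_BORROW` against one wei of collateral at `INFLATED_PRICE`, while the hardened check refuses to evaluate solvency at all once the rate is zero.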

Resupply confirmed the exploit and paused the impacted wstUSR market. The platform stated that only the wstUSR market was affected and that the protocol continues to function as intended. They also mentioned that the stolen funds were laundered through Tornado Cash and split across multiple wallets. The platform promised a full post-mortem analysis once a complete investigation is conducted.

Additional analysis from PeckShield revealed the attack's entry point: a transaction on Cow Swap involving 2 ETH, which was then funneled through the coin mixer Tornado Cash for anonymity. The attacker ultimately extracted approximately 1,581 ETH from the protocol. CertiK reported that the exploiter moved approximately $5.56 million to one address and $4 million to another, consolidating the stolen funds across two wallets containing 2.2K ETH and 1.6K ETH respectively.

This exploit is part of a troubling pattern of major crypto breaches this year. Just over a week earlier, a crypto exchange suffered a significant breach attributed to a hacker group. The group used provocatively named wallet addresses and effectively burned the stolen funds to make a political statement rather than profit from the theft. This incident underscores the need for enhanced security measures in the decentralized finance ecosystem to prevent such exploits in the future.
