Resupply DeFi Protocol Loses $9.6 Million in Price Manipulation Attack

Decentralized finance (DeFi) protocol Resupply confirmed a security breach in its wstUSR market, resulting in approximately $9.6 million in crypto losses. The exploit was triggered by a price manipulation attack involving the protocol’s integration with a synthetic stablecoin called cvcrvUSD.

Cyvers, a blockchain security firm, reported that the attacker exploited a price manipulation bug in the ResupplyPair contract. By inflating the share price, the attacker borrowed $10 million reUSD using minimal collateral. The stolen funds were subsequently swapped to Ether (ETH) and split across two addresses, with the attacker being funded through Tornado Cash.

The incident underscores the ongoing security concerns in DeFi protocols, particularly those involving synthetic assets and oracle-dependent mechanisms. Several security measures, such as proper input validation, oracle checks, and edge-case testing, could have potentially prevented the attack. Adding sanity checks in the lending logic and monitoring real-time anomalies could also help protocols avoid similar hacks.

In response to the exploit, Resupply issued a statement acknowledging the incident and confirming that only its wstUSR market was affected. The DeFi protocol paused the impacted contracts to prevent further damage and announced that a full post-mortem analysis would be shared once completed.

The price manipulation exploit on Resupply comes at a time when hack losses have reached billions this year. Over $2.1 billion had already been stolen through hacks and exploits in 2025, according to a report by a crypto security firm. Hackers have started to shift tactics to social engineering, highlighting the evolving nature of threats in the crypto space.