Resupply Protocol Loses $9.6 Million in Cryptocurrency Exploit

Generated by AI Agent Coin World
Friday, Jun 27, 2025 1:06 pm ET, 2 min read

A recent exploit targeted the Resupply protocol, resulting in a significant theft of cryptocurrency. The incident involved interest rate manipulation within the Controller contract, identified by a blockchain security firm. The stolen assets were reportedly laundered using Tornado Cash, a privacy-focused service known for its ability to obscure the trail of cryptocurrency transactions.

The attack on the Resupply protocol involved a sophisticated manipulation of interest rates within its Controller contract. A vulnerability in the Controller contract logic allowed attackers to devalue assets and drain multiple Resupply vaults, resulting in the loss of millions in cryptocurrency. The security firm SlowMist, known for its forensic investigations and breach analysis, was instrumental in identifying the exploit. Despite the severity of the incident, no official statements have been released by Resupply’s leadership or project contributors.

Yu Xian, Founder of SlowMist, commented on the incident, highlighting the persistent risks and vulnerabilities within DeFi systems. The exploit has had a significant impact on holders of the affected tokens, with an immediate market reaction evidenced by a reduction in total value locked. The incident has escalated concerns over DeFi protocol security and echoes past incidents involving other platforms. The breach underscores an ongoing trend of security challenges within DeFi platforms, compelling protocol designers to enhance contract review procedures. The need for better security practices across the industry is evident to prevent similar attacks in the future.

On June 26, 2025, the decentralized stablecoin protocol Resupply suffered a significant security breach, resulting in an estimated loss of approximately $9.6 million in cryptocurrency. The attacker manipulated the price of cvcrvUSD, a wrapped version of Curve USD (crvUSD) staked on Convex Finance. By sending donations to the protocol, the attacker distorted exchange rates and triggered a zero exchange rate bug, which allowed them to borrow millions with minimal collateral. The attack hinged on a floor division flaw within the protocol, which permitted the attacker to borrow $10 million in reUSD using nearly zero collateral. The flaw was exploited by manipulating token prices in Resupply's low-liquidity market, after which the attacker converted the borrowed assets into USDC and WETH and drained funds from the protocol.
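The floor-division failure described in the paragraph above can be reproduced with plain integer arithmetic. The following is an added example, not Resupply's contract code: the formulas, the `PRECISION` and `MAX_LTV` constants, the function names and all sample values are assumptions constructed for illustration. It shows a naive solvency check beside one that rejects a zero rate.

```python
# Simplified model, not Resupply's contract code. Constants and formulas are
# assumptions chosen to show the floor-division failure; values are constructed.
PRECISION = 10**18         # assumed fixed-point scale
MAX_LTV = 95 * 10**16      # assumed 95% borrow limit, scaled by PRECISION


class ZeroExchangeRate(Exception):
    """Raised by the hardened check when the rate truncates to zero."""


def share_price(total_assets: int, total_shares: int) -> int:
    """Assets per share, scaled by PRECISION. A donation raises total_assets
    without minting shares, so it raises this price."""
    return total_assets * PRECISION // total_shares


def exchange_rate(price: int) -> int:
    """Collateral per unit of debt: the inverse of price, floor-divided the
    way Solidity integer division works. Any price above PRECISION**2 gives 0."""
    return PRECISION * PRECISION // price


def is_solvent_naive(debt: int, collateral: int, price: int) -> bool:
    # A zero rate makes the computed LTV zero for any debt, so this passes.
    ltv = debt * exchange_rate(price) // collateral
    return ltv <= MAX_LTV


def is_solvent_hardened(debt: int, collateral: int, price: int) -> bool:
    rate = exchange_rate(price)
    if rate == 0:
        raise ZeroExchangeRate("price out of range, refusing to evaluate loan")
    # Round up so truncation never favors the borrower.
    ltv = -(-debt * rate // collateral)
    return ltv <= MAX_LTV


def demo() -> dict:
    healthy = share_price(1_000 * 10**18, 1_000 * 10**18)   # 1:1 vault
    donated = share_price(2 * 10**18, 1)                    # 1 share, large donation
    debt = 10_000_000 * 10**18                              # constructed loan size
    return {
        "healthy_rate": exchange_rate(healthy),
        "donated_rate": exchange_rate(donated),
        "naive_allows_undercollateralized": is_solvent_naive(debt, 1, donated),
        "naive_blocks_when_healthy": not is_solvent_naive(debt, 1, healthy),
    }
```

The hardened check fails closed: a rate of zero is treated as an invalid oracle reading rather than as a loan that needs no collateral.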

The security breach was confirmed by Resupply, which acknowledged the exploit in its wstUSR market. The decentralized finance (DeFi) protocol has since taken steps to address the vulnerability and prevent similar incidents in the future. The incident highlights the ongoing challenges faced by DeFi protocols in securing their platforms against sophisticated attacks. The exploit underscores the importance of robust security measures in the DeFi ecosystem. As DeFi protocols continue to gain popularity, they become increasingly attractive targets for hackers seeking to exploit vulnerabilities. The Resupply incident serves as a reminder of the need for continuous vigilance and proactive security measures to protect against such threats.

The attack on Resupply is not an isolated incident, as other DeFi protocols have also fallen victim to exchange rate-related vulnerabilities. These incidents highlight the need for improved security protocols and better risk management practices within the DeFi ecosystem. As the industry continues to evolve, it is crucial for DeFi protocols to prioritize security and implement measures to safeguard user funds and maintain trust in the ecosystem. Market analysts predict long-term effects on investor confidence in DeFi protocols. Regulatory scrutiny may increase, pressuring platforms to adhere to more rigorous security standards. The incident also draws attention to the utility of Tornado Cash in laundering stolen assets, emphasizing the need for better tracking and auditing tools.
