Resupply, a decentralized stablecoin protocol linked to major DeFi players Convex Finance and Yearn Finance, has suffered a $9.5 million exploit.
Blockchain security firms, including BlockSec Phalcon and CertiK, sounded the alarm, detailing an attack leveraging exchange rate manipulation in a low-liquidity market.
Exploit Details
According to Phalcon, the attacker artificially inflated the price of the cvcrvUSD token through targeted “donations” into an extremely thin or empty market. CertiK corroborated this information, adding that the hacker flashloaned $4,000 USDC from Morpho to initiate the exploit.
They then reportedly used the manipulated price as the denominator in the contract’s exchange rate calculation, and because the system used floor division, it allowed them to round down the rate to zero.
Afterwards, the bad actor is said to have borrowed nearly $10 million worth of reUSD tokens against a negligible amount of collateral, about one wei of cvcrvUSD, completely bypassing any solvency checks. Upon succeeding, they quickly swapped the tokens through Curve and Uniswap for USDC and wrapped Ethereum (WETH), generating a net profit in the region of $9.5 million.
Additional analysis from PeckShield indicated that the entry point for the exploit was a transaction on Cow Swap involving 2 ETH, which was then funneled into Tornado Cash for anonymity. After passing through the mixer, the attacker deposited the funds into the exploit contract before using it to trigger the vulnerability that allowed them to borrow and extract some 1,581 ETH.
In a post on X, CertiK noted that the exploiter moved about $5.56 million to one address and $4 million to another, consolidating the funds post-exploit.
Resupply has since confirmed the breach through its official X account. The platform announced it had paused the affected market but maintained that other operations would continue normally. It has also said it will provide a full post-mortem in the next few days.
A Broader Pattern
This latest attack comes just over a week after the $49 million breach of Iranian crypto exchange Nobitex, which was attributed to the pro-Israel hacker group “Gonjeshke Darande.”
Earlier in May, Sui-based DEX Cetus suffered a much bigger exploit, losing about $223 million. In that incident, the unknown culprit reportedly gained control of all SUI-denominated liquidity pools on Cetus before draining them.
Shortly after the attack, with the help of Sui validators, Cetus managed to freeze two wallets holding about $162 million worth of stolen cryptocurrencies. However, the thief was still able to bridge nearly $60 million worth of tokens to Ethereum, where they swapped them for ETH. The DEX has since initiated plans to compensate users affected by the attack.
At the same time, bad actors are increasingly targeting trusted crypto information and data platforms. Former Binance CEO Changpeng Zhao recently highlighted the trend, pointing to quick-fire attacks on CoinMarketCap and Cointelegraph to deploy wallet-draining phishing pop-ups, which was a move away from the more familiar direct hacking attempts on crypto exchanges.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
