Resupply, a decentralized stablecoin protocol tied to major DeFi platforms Convex Finance and Yearn Finance, has suffered a $9.5 million exploit, raising further concerns about persistent security risks across the DeFi ecosystem.
Blockchain security firms BlockSec Phalcon and CertiK were among the first to detect and analyze the attack. The exploit involved exchange rate manipulation in a low-liquidity market, allowing the attacker to drain millions in crypto assets.
How the Exploit Unfolded
According to Phalcon, the attacker exploited a price manipulation vulnerability involving the cvcrvUSD token, using a technique that artificially inflated its value via targeted “donations” to a thin or empty liquidity pool. CertiK confirmed the tactic, noting that the attacker used a $4,000 USDC flashloan from Morpho to set the exploit in motion.
By manipulating the price denominator used in the protocol’s exchange rate calculation, the attacker exploited the contract’s use of floor division, causing the system to round the rate down to zero.
This allowed the hacker to borrow nearly $10 million in reUSD tokens against an insignificant amount of collateral—reportedly just one wei of cvcrvUSD—effectively bypassing all solvency checks. The attacker then swapped the stolen assets through Curve and Uniswap for USDC and WETH, netting a $9.5 million profit.
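The failure mode in the two paragraphs above (an inflated collateral price as the denominator of a floor division, a zero exchange rate, and a solvency check that then passes for one wei of collateral) can be reproduced in a few lines of integer arithmetic. The model below is an added illustration written for this article, not Resupply's contract code; the constants, function names and amounts are assumptions, and the hardened variant shows the two defensive changes a reviewer would ask for: refuse to proceed on a degenerate rate, and round every division against the borrower.

```python
# Constructed, simplified model of a lending market's solvency check.
# Added as an illustration of the floor-division failure described in the
# article; it is NOT the Resupply contract. Names, constants and amounts
# are assumptions chosen for the example.

PRECISION = 10**18     # fixed-point scale for prices and rates (assumed)
MAX_LTV_BPS = 9_000    # 90% maximum loan-to-value, in basis points (assumed)


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up (requires b > 0)."""
    return -(-a // b)


def exchange_rate_floor(collateral_price: int) -> int:
    """Collateral units per unit of debt, scaled by PRECISION, via floor division.

    The collateral price (scaled by PRECISION) is the denominator. If it is
    pushed above PRECISION**2, the true quotient is below 1 and floors to 0,
    which is the rounding behaviour the article describes."""
    return PRECISION * PRECISION // collateral_price


def is_solvent_vulnerable(borrow_amount: int, collateral_amount: int,
                          collateral_price: int) -> bool:
    """LTV check that trusts a possibly-zero rate and rounds in the borrower's favour."""
    rate = exchange_rate_floor(collateral_price)
    if collateral_amount == 0:
        return borrow_amount == 0
    # Zero rate => zero debt in collateral terms => LTV 0 => "solvent".
    debt_in_collateral = borrow_amount * rate // PRECISION
    ltv_bps = debt_in_collateral * 10_000 // collateral_amount
    return ltv_bps <= MAX_LTV_BPS


def is_solvent_hardened(borrow_amount: int, collateral_amount: int,
                        collateral_price: int) -> bool:
    """Same check with two defensive changes.

    1. A zero exchange rate is treated as an oracle/price failure. A contract
       would revert here instead of storing the rate and continuing.
    2. Every division that feeds the LTV rounds up, i.e. against the borrower,
       so tiny values cannot round a large debt down to nothing."""
    rate = exchange_rate_floor(collateral_price)
    if rate == 0:
        return False  # degenerate rate: refuse, do not pretend the position is safe
    if collateral_amount == 0:
        return borrow_amount == 0
    debt_in_collateral = ceil_div(borrow_amount * rate, PRECISION)
    ltv_bps = ceil_div(debt_in_collateral * 10_000, collateral_amount)
    return ltv_bps <= MAX_LTV_BPS


if __name__ == "__main__":
    # Constructed scenarios: a normal position, then the inflated-price case
    # with one wei of collateral against a ~10M-token borrow.
    normal = (800 * 10**18, 1000 * 10**18, 10**18)       # price 1.0, LTV 80%
    inflated = (10_000_000 * 10**18, 1, 10**40)          # price far above 1e36
    print("normal  vulnerable:", is_solvent_vulnerable(*normal),
          "hardened:", is_solvent_hardened(*normal))
    print("inflated vulnerable:", is_solvent_vulnerable(*inflated),
          "hardened:", is_solvent_hardened(*inflated))
```

The point of the model is the asymmetry: the vulnerable check never asks whether a rate of zero is plausible, so a single donation-inflated price turns the entire LTV test into `0 <= MAX_LTV_BPS`. A rate-zero guard alone stops this case; rounding against the borrower additionally closes the neighbouring cases where the rate is small but nonzero, and a minimum position size or an oracle deviation bound would be the usual further layers.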
Exploit Traced to Tornado Cash
Security firm PeckShield identified the exploit’s entry point as a transaction on Cow Swap involving 2 ETH. The funds were then funneled through Tornado Cash for anonymity before being sent to the exploit contract. The attacker later extracted 1,581 ETH, distributing $5.56 million to one address and $4 million to another, according to CertiK.
Resupply Responds
Resupply confirmed the breach on its official X (formerly Twitter) account, stating that the affected market had been paused. The team assured users that all other operations remain unaffected and promised a detailed post-mortem in the coming days.
A Pattern of Growing DeFi Vulnerabilities
This latest breach comes on the heels of several major exploits across the crypto space. Just last week, Iranian crypto exchange Nobitex lost $49 million in an attack reportedly orchestrated by the pro-Israel hacker group Gonjeshke Darande. In May, Sui-based DEX Cetus was drained of approximately $223 million, marking one of the largest DeFi exploits of the year.
Additionally, cybercriminals are shifting tactics to target crypto data platforms like CoinMarketCap and Cointelegraph, deploying phishing pop-ups to drain wallets—highlighting the evolving landscape of threats facing the crypto industry.