June 26, 2025

Hacker exploits flaw in Resupply DeFi protocol to steal $9.6 million


A hacker identified a flaw in the Resupply decentralized finance (DeFi) protocol early Thursday that helped them siphon off nearly $9.6 million in digital assets. The attacker reportedly manipulated token prices through a smart contract vulnerability.

According to blockchain security analysts, Resupply, a DeFi stablecoin platform integrated with Convex Finance and Yearn Finance, was the main target of the exploit. The attacker used an elaborate price manipulation tactic on cvcrvUSD, a token tied to Convex, to deceive the system and obtain a loan using virtually worthless collateral.

Smart contract bug leads to zero exchange rate

The root cause of the breach was in the ResupplyPair contract, deployed Thursday at Ethereum address “0x6e…6bd6”. The contract used the price of cvcrvUSD to calculate an internal exchange rate for collateralized lending.

“Yet another lending protocol exploited via exchange rate manipulation on low-liquidity—even empty—markets! Specifically, attackers artificially inflated #cvcrvUSD‘s share price through donations. @ResupplyFi‘s ResupplyPair contract (https://t.co/yo2N5lScHi, created ~2h ago) uses… https://t.co/MelEYFLr98 pic.twitter.com/2qXC9IiREL” — BlockSec Phalcon (@Phalcon_xyz), June 26, 2025

The attacker exploited this dependency by artificially inflating the cvcrvUSD token’s price through coordinated donation transactions. When the token’s value surged, the price input to the ResupplyPair contract soared. However, a flaw in the protocol’s code, specifically its use of floor (integer) division, caused the exchange rate to round down to zero once the price moved past a threshold. With the exchange rate set to zero, the attacker was able to borrow a massive amount of Resupply’s native stablecoin, reUSD, using only 1 wei of cvcrvUSD as collateral. The platform’s insolvency checks, which rely on this exchange rate, were effectively bypassed.

“The attacker manipulated token prices, triggering a bug (zero exchange rate) in Resupply’s smart contract, letting them borrow a ton of money for almost nothing,” explained Hakan Unal, senior security operations lead at blockchain risk firm Cyvers.

Tornado Cash used for transaction anonymity

Blockchain activity shows the hacker initially funded their wallet through Tornado Cash, a decentralized privacy protocol mixer that criminals use to hide the origin of funds. The entry point of the attack was a transaction on Cow Swap involving 2 ETH, according to an analysis by blockchain security firm PeckShield.

After the breach, they liquidated the stolen assets by converting reUSD to stablecoins and Ethereum through Curve and Uniswap, both decentralized exchanges. The $9.6 million in profit was split across two separate Ethereum addresses. The attacker used both USDC and wrapped Ethereum (wETH) to store the final proceeds.

Later in the day, Resupply confirmed the breach and admitted that the exploit had affected its wstUSR market. The platform immediately paused all contracts to prevent further damage. “Users should avoid reUSD vaults and withdraw funds if possible,” Unal advised investors using the protocol.

Crypto-related hacks in 2025 become rampant

The Resupply breach adds to a string of high-value hacks targeting both decentralized finance and centralized platforms. Blockchain forensic firm Chainalysis reports that over $2.3 billion has already been stolen in crypto hacks since the start of 2025, a figure that outpaces last year’s total by midyear.

Just days before the Resupply incident, on June 18, Iran-based cryptocurrency exchange Nobitex suffered a devastating breach. Hackers made off with more than $90 million in digital assets from several blockchains, including Bitcoin, Ethereum, Dogecoin, Ripple, Solana, Tron, and Ton.
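To make the rounding failure concrete, the following is a simplified Python model of Fraxlend-style solvency math, added here as an illustration and not taken from Resupply's contract; the fixed-point precisions, MAX_LTV and function names are assumptions. It shows how floor division drives the exchange rate to zero past a price threshold, how a solvency check that trusts that rate then approves any loan, and the guard a hardened check adds.

```python
# Added example: a simplified, self-contained model of the bug class described
# above (floor division collapsing an exchange rate to zero). It is NOT
# Resupply's contract code; the constants and function names are assumptions
# chosen to mirror common Fraxlend-style lending math.

PRECISION = 10**18              # 1e18 fixed-point, like most ERC-20 balances
EXCHANGE_PRECISION = PRECISION  # assumption
LTV_PRECISION = 10**5           # assumption: LTV expressed in 1e5 units
MAX_LTV = 95_000                # assumption: 95% maximum loan-to-value


def exchange_rate(collateral_price: int) -> int:
    """Collateral per unit of debt as a fixed-point integer.

    Integer (floor) division: once collateral_price exceeds
    EXCHANGE_PRECISION * PRECISION, the result rounds down to 0.
    """
    return (EXCHANGE_PRECISION * PRECISION) // collateral_price


def ltv(borrow_amount: int, collateral_amount: int, rate: int) -> int:
    """Loan-to-value in LTV_PRECISION units, Fraxlend-style."""
    debt_in_collateral = (borrow_amount * rate) // EXCHANGE_PRECISION
    return (debt_in_collateral * LTV_PRECISION) // collateral_amount


def is_solvent_unchecked(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Vulnerable check: a zero rate values all debt at zero, so any loan passes."""
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV


def is_solvent_hardened(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Hardened check: treat a zero rate as an oracle failure and refuse the loan."""
    if rate == 0:
        return False
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV


def demo() -> tuple:
    """Constructed scenario: a price just past the rounding threshold.
    Returns (rate, vulnerable_verdict, hardened_verdict)."""
    inflated_price = EXCHANGE_PRECISION * PRECISION + 1  # rate floors to 0
    rate = exchange_rate(inflated_price)
    borrow = 1_000_000 * PRECISION   # 1,000,000 debt tokens requested
    collateral = 1                   # against a single wei of collateral
    return (rate,
            is_solvent_unchecked(borrow, collateral, rate),
            is_solvent_hardened(borrow, collateral, rate))


if __name__ == "__main__":
    print(demo())  # -> (0, True, False)
```

Rejecting a zero rate is only the narrowest fix; a rate derived from a manipulable spot price or share price still needs an oracle that cannot be moved by donations into a thin market.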
Prior investigations have linked wallets on Nobitex to actors affiliated with the Islamic Revolutionary Guard Corps (IRGC), and to networks tied to Houthi rebels in Yemen and Hamas operatives. The National Bureau for Counter Terror Financing (NBCTF) of Israel has identified the platform as a conduit for funds to several sanctioned entities, including the pro-Hamas media outlet Gaza Now, an alleged propaganda arm of al-Qaeda, and the sanctioned Russian cryptocurrency exchanges Garantex and Bitpapa.


Source: Cryptopolitan
