Hacker exploits Resupply protocol and steals $9,5 million in stablecoins

• Hacker manipulates stablecoin cvcrvUSD on Resupply protocol
• Exploitation results in theft of $9,5 million in reUSD
• Resupply contract paused after stablecoin attack

The Resupply protocol, which uses liquidity from lending markets to issue its reUSD stablecoin, has suffered an exploit that resulted in losses of approximately $9,5 million. The vulnerability was identified by security analysts as a manipulation in the price of the cvcrvUSD version, a token pegged to Curve USD and deposited with Convex Finance.

On June 26, 2025, the @ResupplyFi experienced a security breach, resulting in a loss of approximately $9.3 million.

The attack was made possible by inflating the share token price of an empty crvUSD Vault through a donation attack, enabling the attacker to borrow $10 million in… pic.twitter.com/Nz8Ouru5ej

— Vladimir S. | Officer's Notes (@officer_cia) June 26, 2025

The vulnerability involved sending fake donations to the cvcrvUSD vault, which artificially inflated the asset’s value. This increase caused Resupply’s smart contract, known as ResupplyPair (CurveLend: crvUSD/wstUSR), to interpret the token as overvalued, affecting exchange rate calculations.

“The hacker exploited the cvcrvUSD vault, allowing the attacker to borrow $10 million in reUSD with just 1 wei worth of stock as collateral,” explained Xuxian Jiang, CEO of security firm PeckShield.

With the price manipulated, the attacker used the lending function in the Resupply contract to secure a massive amount of reUSD with negligible collateral. Analysts at Blocksec reported that the drained funds originated from the wstUSR market, which was directly affected by this action.

After obtaining the reUSD, the attacker converted the tokens into other crypto assets through external markets, securing immediate profit. The Resupply team confirmed the incident, stating that the compromised contract was identified and paused to prevent further losses.

The exploit highlights the risks of DeFi protocols that rely on derived token prices for their lending mechanisms. Cases like this reinforce the importance of continuous auditing of smart contracts, especially in stablecoin projects that rely on secondary markets for liquidity.