Resupply stablecoin protocol exploited for $9.5M via token price manipulation

An attacker manipulated token prices to distort exchange rates and drain about $9.5 million from decentralized stablecoin protocol Resupply.

The exploit was first flagged on June 25 by security platform BlockSec Phalcon, which detected a suspicious transaction leading to a $9.5 million loss. Resupply protocol confirmed the incident on X shortly after, claiming that the affected smart contract had been paused and that the attack only affected its wstUSR market. The team also stated that a thorough post-mortem is in progress and that the core protocol is still operational.

While a detailed breakdown is still pending, preliminary analysis from security researchers points to a classic case of price manipulation within a low-liquidity market. The exploit targeted cvcrvUSD, a wrapped version of Curve DAO’s (CRV) crvUSD token staked through Convex Finance.

Analysts say the attacker manipulated the share price of cvcrvUSD by sending small donations, which artificially inflated its value. Because Resupply’s exchange rate formula relied on this inflated price, the system became vulnerable.

The attacker then used Resupply’s smart contract to borrow 10 million reUSD, the platform’s native stablecoin, with just one wei of cvcrvUSD as collateral. The borrowed reUSD was quickly swapped into other assets on external markets, resulting in a net loss of nearly $9.5 million.

Additional investigation revealed that the attacker exploited an empty ERC4626 wrapper that was serving as a price oracle in the CurveLend pair of the protocol. This allowed the price of cvcrvUSD to spike using just two crvUSD, bypassing the usual collateral requirements.

This incident adds to a growing trend of price manipulation attacks in 2025. Similar exploits have recently affected protocols such as Meta Pool and the GMX/MIM Spell ecosystem, which were both compromised due to oracle vulnerabilities and low-liquidity token manipulation.

Weak pricing mechanisms and flash loans remain common tools for attackers, who continue to target DeFi systems with thin trading volumes despite passing contract security audits. Resupply has not yet confirmed whether user funds will be reimbursed or if recovery efforts are underway.