TL;DR
- A vulnerability in Resupply’s smart contracts allowed an attacker to inflate the value of collateral, extracting $9.5 million.
- The exploit was based on the manipulated pricing of cvcrvUSD, a wrapped version of Curve USD staked on Convex.
- Despite the breach, Resupply remains online, with the affected contract paused and a post-mortem investigation underway.
A major exploit has hit Resupply, a decentralized stablecoin protocol, resulting in the loss of over $9.5 million. The attack centered on a mispricing vulnerability involving cvcrvUSD, a token representing Curve USD staked on Convex Finance. By artificially boosting its value through targeted deposits, the attacker used minimal actual funds to unlock large amounts of Resupply’s native stablecoin, reUSD.
The crux of the exploit was found in the CurveLend contract used by ResupplyPair, where flawed logic allowed the attacker to borrow massive amounts of reUSD with just 1 wei of cvcrvUSD. Once the manipulated collateral was used, the attacker swiftly drained liquidity and exited the protocol, converting the stolen funds via external markets. The attacker also used multiple wallets and mixing services to further obscure transaction trails and avoid traceability, demonstrating a sophisticated operational approach.
Borrowing Logic Failure Amplified Attack Impact
BlockSec and other security analysts noted that the attacker bypassed the insolvency check because the protocol trusted the inflated price feed. The manipulation caused reUSD to be minted at a deeply misaligned rate, leading to a significant drain on the wstUSR market reserves.
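The two passages above describe the failure mode in prose: a collateral token whose price is derived from vault balances gets inflated by deposits, and the borrow-side solvency check trusts that price. The Python model below is an added example and is not Resupply's code (the real contracts are Solidity and their exact arithmetic is not reproduced here). It shows a naive share-price-based solvency check accepting a large debt against 1 wei of collateral after a single donation into a near-empty vault, beside a hardened check that bounds the spot price against a reference, multiplies before dividing and rounds against the borrower, and refuses a debt that converts to zero collateral. The vault, the function names and every number are constructed assumptions.

```python
from dataclasses import dataclass

WAD = 10**18          # 18-decimal fixed point, as in most EVM token maths
BPS = 10_000          # basis points
MAX_LTV_BPS = 9_000   # 90 % maximum loan-to-value (assumed parameter)


@dataclass
class Vault:
    """Toy share-based vault: one share is worth total_assets / total_shares underlying."""
    total_assets: int
    total_shares: int

    def share_price_wad(self) -> int:
        # Spot price of one share in underlying units, scaled by WAD. It is computed
        # from the vault's own balances, so anything that raises total_assets without
        # minting shares raises the price.
        return self.total_assets * WAD // self.total_shares

    def donate(self, amount: int) -> None:
        # A direct transfer of underlying into the vault: assets rise, shares do not.
        self.total_assets += amount


def exchange_rate_naive(price_wad: int) -> int:
    # Collateral-per-debt rate (scaled by WAD) obtained by dividing a constant by the
    # price. Integer division truncates: once price_wad exceeds WAD * WAD the rate is 0.
    return (WAD * WAD) // price_wad


def is_solvent_naive(collateral_shares: int, debt: int, price_wad: int) -> bool:
    # Vulnerable pattern: debt expressed in collateral units via the truncated rate.
    # A zero rate makes any debt look fully covered by any collateral, even 1 wei.
    debt_in_collateral = debt * exchange_rate_naive(price_wad) // WAD
    return debt_in_collateral * BPS <= collateral_shares * MAX_LTV_BPS


def price_within_bounds(price_wad: int, reference_wad: int, max_deviation_bps: int) -> bool:
    # Reject a spot price that moved more than max_deviation_bps away from a reference
    # (last accepted price, a TWAP, or an independent oracle; assumed to exist).
    return abs(price_wad - reference_wad) * BPS <= reference_wad * max_deviation_bps


def is_solvent_hardened(collateral_shares: int, debt: int, price_wad: int,
                        reference_wad: int, max_deviation_bps: int = 500) -> bool:
    # Hardened pattern: bounded price, multiply-before-divide, rounding against the borrower.
    if debt == 0:
        return True
    if not price_within_bounds(price_wad, reference_wad, max_deviation_bps):
        return False  # an out-of-band price cannot prove solvency; fail closed
    # ceil(debt * WAD / price): truncation can never favour the borrower.
    debt_in_collateral = (debt * WAD + price_wad - 1) // price_wad
    if debt_in_collateral == 0:
        return False  # non-zero debt must never convert to zero required collateral
    return debt_in_collateral * BPS <= collateral_shares * MAX_LTV_BPS


def donation_scenario() -> dict:
    """Constructed scenario: a vault holding 1 wei of assets against 1 share, one
    donation of a single whole token, then a borrow attempt backed by 1 wei of shares."""
    vault = Vault(total_assets=1, total_shares=1)   # price starts at exactly 1.0
    reference = vault.share_price_wad()
    vault.donate(WAD)                               # donation inflates the share price
    price = vault.share_price_wad()
    attempted_debt = 10**6 * WAD                    # 1,000,000 debt units
    return {
        "price_wad": price,
        "naive_rate": exchange_rate_naive(price),
        "naive_passes": is_solvent_naive(1, attempted_debt, price),
        "hardened_passes": is_solvent_hardened(1, attempted_debt, price, reference),
        # even if the reference itself were manipulated, rounding up still rejects it
        "hardened_passes_manipulated_ref": is_solvent_hardened(1, attempted_debt, price, price),
    }


if __name__ == "__main__":
    for key, value in donation_scenario().items():
        print(f"{key}: {value}")
```

The point of the second check is that no single guard carries the whole load: the deviation bound catches a sudden price jump, the ceiling division removes the truncation-to-zero path, and the explicit zero test documents the invariant that non-zero debt always needs non-zero collateral. A lending pair that logs or reverts on the deviation branch also gives operators a concrete signal to alert on.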
The Resupply team quickly acknowledged the breach, pausing the vulnerable contract and initiating a detailed review. Though recovery of funds remains uncertain, the open-source nature of blockchain allows transparent tracking of the attacker’s movements, a benefit not possible in traditional financial systems.
Security Incidents Continue to Plague DeFi in 2025
This breach is only one of many so far in 2025. According to Immunefi, nearly $1.64 billion has been lost in 39 separate incidents just in Q1. Although a large portion is tied to centralized exchange hacks, DeFi remains a critical battleground for smart contract security and ongoing innovation.
While critics use these events to discredit crypto innovation, these incidents highlight the importance of permissionless auditability and developer accountability. Rather than calling for tighter restrictions, they reinforce the call for better on-chain tooling, open-source collaboration, and smarter contract design. Projects that embrace transparency and rapid iteration can emerge stronger after facing adversity, paving the way for future resilience in decentralized finance.