The stablecoin platform Resupply has fallen victim to a significant exploit, resulting in a loss of $9.5 million after an attacker manipulated the price of a crucial collateral token, according to reports from security firms.
Key highlights from the incident include:
- Resupply lost $9.5 million due to price manipulation of cvcrvUSD, which allowed the attacker to borrow reUSD at a low cost.
- The exploit took advantage of faulty pricing logic in the CurveLend contract utilized by ResupplyPair.
- Resupply has paused the affected contract and is currently investigating the breach, with a comprehensive analysis expected to follow.
The incident involved the cvcrvUSD token, a wrapped version of Curve USD (crvUSD) that is staked on Convex Finance. The attacker inflated the token’s price by contributing to the cvcrvUSD vault, which enabled them to use the inflated share price as collateral for borrowing Resupply’s native stablecoin, reUSD, at a favorable rate.
Exploitation Linked to Price Feed Manipulation in CurveLend Contract
The Resupply smart contract in question, ResupplyPair (CurveLend: crvUSD/wstUSR), relied on the manipulated cvcrvUSD price for its calculations. Once the attacker borrowed large amounts of reUSD, the manipulated exchange rate collapsed, leading to a dramatic devaluation of the protocol’s reserves.
Analysts at Blocksec highlighted that the attacker primarily drained funds from the wstUSR market by exploiting the flawed price logic within the borrowing mechanism. The stolen reUSD was then quickly converted into various other crypto assets across external markets.
“As a result, the attacker managed to borrow massive amounts of reUSD using merely 1 wei of cvcrvUSD as collateral, circumventing the insolvency check,” Blocksec detailed on X.
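The arithmetic behind a "1 wei of collateral" borrow can be sketched in a few lines. This is an added example, not code from Resupply, Curve or Blocksec; it assumes the pair derives an inverse exchange rate by integer division, and every name, constant and amount in it is constructed for illustration.

```python
# Added illustration: a simplified model, not Resupply's or Curve's contract code.
# Every name and constant here is an assumption chosen for the example.
EXCHANGE_PRECISION = 10**18   # fixed-point scale for prices
LTV_PRECISION = 10**5         # 95_000 == 95%
MAX_LTV = 95_000


class Vault:
    """Share vault: price per share = assets / shares (scaled by 1e18)."""

    def __init__(self, assets: int, shares: int):
        self.assets, self.shares = assets, shares

    def donate(self, amount: int) -> None:
        self.assets += amount          # assets rise, no new shares are minted

    def share_price(self) -> int:
        return self.assets * EXCHANGE_PRECISION // self.shares


def exchange_rate(price: int) -> int:
    # Inverse price; integer division rounds to 0 once price > 1e36.
    return EXCHANGE_PRECISION**2 // price


def is_solvent_naive(borrow: int, collateral: int, price: int) -> bool:
    # A zero rate makes the LTV zero, so any borrow size passes.
    ltv = borrow * exchange_rate(price) * LTV_PRECISION // EXCHANGE_PRECISION // collateral
    return ltv <= MAX_LTV


def is_solvent_hardened(borrow: int, collateral: int, price: int) -> bool:
    # Refuse prices the fixed-point math cannot represent, then value the
    # collateral by multiplication so large prices cannot round the debt away.
    if collateral == 0 or price == 0 or exchange_rate(price) == 0:
        return False
    collateral_value = collateral * price // EXCHANGE_PRECISION
    return borrow * LTV_PRECISION <= collateral_value * MAX_LTV


def demo() -> tuple:
    vault = Vault(assets=1, shares=1)      # constructed: near-empty vault
    vault.donate(2_000 * 10**18)           # constructed donation inflates the share price
    price = vault.share_price()
    borrow = 10_000_000 * 10**18
    return (exchange_rate(price), is_solvent_naive(borrow, 1, price),
            is_solvent_hardened(borrow, 1, price))
```

In this model the inflated share price drives the inverse rate to zero, so the naive check accepts the position while the hardened check rejects it.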
In response to the breach, Resupply confirmed the compromise in a public statement and acknowledged that the affected contract has been paused. The team is actively investigating the issue but has not released any recovery plans at this time.
A complete analysis of the situation will be shared after a thorough review has been conducted, the team stated.
Resupply will not post any links after this tweet. Links below this tweet that look like Resupply are spam, fake or phishing links. Do not click any link under this tweet.
— Resupply (@ResupplyFi) June 26, 2025
Fuzzland Unveils $2M Insider Exploit on Bedrock’s UniBTC Protocol
In another development, Fuzzland reported on Wednesday that a $2 million exploit targeting Bedrock’s UniBTC protocol in September 2024 was executed by a former employee masquerading as an MEV developer.
The attacker used social engineering, introduced malware through a trojanized Rust crate, and stealthily maintained access to engineering systems for over three weeks.
The breach culminated shortly after Fuzzland had raised concerns over security vulnerabilities in the UniBTC protocol.
More broadly, $1.6 billion was lost across the crypto ecosystem in the first three months of 2025 in 39 separate incidents, as reported by the blockchain security platform Immunefi.
This loss was largely attributed to two major hacks of centralized exchanges: Phemex, which lost $69.1 million in January, and Bybit, which lost $1.46 billion in February.
Collectively, the losses in the first quarter of this year represent a 4.7-fold increase compared to the $348 million lost in the same period in 2024. Notably, experts believe that the North Korean hacking group Lazarus was behind the two most significant attacks, which accounted for $1.52 billion, or 94%, of the total losses.