Briefing

On June 26, 2025, the Resupply stablecoin lending protocol suffered a sophisticated exploit, resulting in the loss of approximately $9.5 million. The attack leveraged a critical vulnerability within a newly deployed ERC4626 vault, specifically manipulating its exchange rate calculation. This allowed the attacker to secure massive under-collateralized loans, fundamentally compromising the protocol’s asset integrity. The incident highlights the severe risks associated with insufficient liquidity initialization and flawed arithmetic in smart contract valuation logic.

Context

Prior to this incident, the DeFi ecosystem has frequently contended with vulnerabilities stemming from price oracle manipulation and issues in newly deployed, low-liquidity smart contracts. The inherent complexity of decentralized lending protocols, coupled with the immutability of deployed code, creates an attack surface where subtle logical flaws can lead to significant financial losses. This class of “first donation” or “malicious donation” attacks on ERC4626 vaults, while known, often exploits a brief window of vulnerability post-deployment before sufficient liquidity stabilizes exchange rates.

Analysis

The attack exploited a critical flaw in Resupply’s cvcrvUSD vault, an ERC4626 standard contract, shortly after its deployment. The attacker initiated a “malicious donation” of crvUSD to the low-liquidity vault, then minted a minimal amount of shares (e.g. 1 wei).

This donation artificially inflated the perceived value of a single share, causing the protocol’s _updateExchangeRate() function to calculate an exchange rate that rounded down to zero due to integer division. With an effective exchange rate of zero, the attacker could then deposit a negligible amount of collateral to borrow nearly $10 million in reUSD, effectively draining the protocol’s assets.
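
The arithmetic described above can be reproduced with plain integers. The following is an added example, not Resupply's code: it models the rate as a fixed numerator floor-divided by the share price and shows the same division with a zero-rate check and a minimum share supply. The scales, the 95% cap, the supply floor and the vault amounts are assumptions constructed for illustration.

```python
# Added illustration. Scales, cap and amounts are assumptions, not Resupply's code.
WAD = 10**18                 # 18-decimal fixed point
RATE_NUMERATOR = 10**36      # assumed numerator of the exchange-rate division
LTV_PRECISION = 10**5
MAX_LTV = 95_000             # assumed 95% borrowing cap
MIN_SHARE_SUPPLY = 10**18    # assumed initialization floor for the hardened path


def price_per_share(total_assets: int, total_supply: int) -> int:
    """Asset wei backing one whole share (WAD share units), floored."""
    return total_assets * WAD // total_supply


def exchange_rate_vulnerable(price: int) -> int:
    """Floors to 0 as soon as price exceeds RATE_NUMERATOR."""
    return RATE_NUMERATOR // price


def exchange_rate_hardened(price: int, total_supply: int) -> int:
    """Same division, but rejects thinly seeded vaults and a zero result."""
    if total_supply < MIN_SHARE_SUPPLY:
        raise ValueError("vault share supply below initialization floor")
    rate = RATE_NUMERATOR // price
    if rate == 0:
        raise ValueError("exchange rate rounded down to zero")
    return rate


def ltv(borrow: int, collateral: int, rate: int) -> int:
    """Loan-to-value scaled by LTV_PRECISION; a zero rate prices any debt at 0."""
    return borrow * rate * LTV_PRECISION // WAD // collateral


def is_solvent(borrow: int, collateral: int, rate: int) -> bool:
    return ltv(borrow, collateral, rate) <= MAX_LTV


def demo() -> dict:
    healthy = price_per_share(10**6 * WAD, 10**6 * WAD)   # well-seeded vault
    inflated = price_per_share(2_000 * WAD, 1)            # constructed: 1 wei share
    zero_rate = exchange_rate_vulnerable(inflated)
    return {
        "healthy_rate": exchange_rate_vulnerable(healthy),
        "healthy_99pct_allowed": is_solvent(99 * WAD, 100 * WAD, 10**18),
        "zero_rate": zero_rate,
        "huge_loan_allowed": is_solvent(10**7 * WAD, 1, zero_rate),
    }


if __name__ == "__main__":
    print(demo())
```

In the healthy vault a 99% loan is refused, while the zero rate lets a loan of any size pass the same solvency check; the hardened function stops at the rate calculation instead.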

Parameters

  • Protocol Targeted ∞ Resupply Stablecoin Lending Protocol
  • Vulnerability Type ∞ ERC4626 Vault Exchange Rate Manipulation (Malicious Donation Attack)
  • Financial Impact ∞ Approximately $9.5 Million
  • Date of Exploit ∞ June 26, 2025
  • Affected Asset ∞ reUSD (Resupply’s native stablecoin), cvcrvUSD collateral
  • Attack Vector ∞ Integer Division Error in Exchange Rate Calculation

Outlook

Immediate mitigation for protocols involves implementing robust liquidity initialization strategies for new vaults and rigorous pre-deployment testing for edge cases involving low liquidity and arithmetic precision. This incident will likely reinforce the need for comprehensive audits specifically targeting ERC4626 implementations and exchange rate logic, especially concerning integer division and potential “first depositor” vulnerabilities. Similar lending protocols must review their vault deployment procedures and oracle integration to prevent contagion risk from this well-documented attack vector.

Verdict

The Resupply exploit serves as a stark reminder that even well-understood vulnerabilities, particularly in newly deployed smart contract components, continue to pose significant systemic risk to DeFi protocols and user capital.

Signal Acquired from ∞ Halborn

Micro Crypto News Feeds

stablecoin lending

Definition ∞ Stablecoin lending involves providing capital in the form of stablecoins to borrowers in exchange for interest.

lending protocols

Definition ∞ Lending Protocols are decentralized applications (dApps) built on blockchain networks that facilitate the borrowing and lending of digital assets without traditional financial intermediaries.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

exchange rate manipulation

Definition ∞ Exchange rate manipulation refers to intentional actions taken to alter the value of one currency relative to another.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.