Briefing

A recent exploit on June 26, 2025, targeted Resupply, an on-chain lending protocol, resulting in a loss of approximately $9.8 million. The incident stemmed from a critical vulnerability within a newly deployed ERC4626 crcrvUSD vault, where an attacker leveraged a “first donation” strategy to manipulate the vault’s internal exchange rate. This manipulation allowed the attacker to bypass solvency checks, effectively borrowing substantial reUSD with negligible collateral. The stolen funds were subsequently laundered via Tornado Cash, obscuring the attacker’s trail.


Context

Prior to this incident, the DeFi ecosystem has consistently faced risks associated with newly deployed smart contracts, particularly those with low initial liquidity. Such contracts are highly susceptible to price manipulation attacks, where small capital inputs can disproportionately affect internal valuation mechanisms. The reliance on imprecise integer division in critical financial calculations, especially when combined with external oracle dependencies or initial liquidity conditions, represents a known class of vulnerability that sophisticated threat actors frequently exploit.


Analysis

The attack capitalized on a flawed exchange rate calculation within Resupply’s ResupplyPairCore.sol contract, specifically affecting the _updateExchangeRate() and _isSolvent() functions. By making a minimal “first donation” to a newly deployed, low-liquidity crcrvUSD vault and minting a single wei of shares, the attacker drastically inflated the vault’s perceived value. This artificial inflation caused the protocol’s exchange rate calculation (1e36 divided by the perceived value) to round down to zero due to integer division. With an effective exchange rate of zero, the attacker could then deposit a minuscule amount of collateral (1 wei of crcrvUSD) to borrow the entirety of the vault’s stored value, amounting to $9.8 million in reUSD.


Parameters

  • Protocol Targeted → Resupply (Decentralized Lending Protocol)
  • Date of Exploit → June 26, 2025
  • Financial Impact → $9.8 Million
  • Attack Vector → ERC4626 Vault Exchange Rate Manipulation (Malicious Donation / Integer Division Exploit)
  • Vulnerable Component → ResupplyPairCore.sol contract (_updateExchangeRate(), _isSolvent() functions)
  • Laundering Method → Tornado Cash


Outlook

Immediate mitigation for users involved in similar protocols includes verifying the maturity and liquidity of vaults before interacting with them, especially newly deployed ones. For protocols, this incident underscores the critical need for robust input validation, secure handling of integer arithmetic, and comprehensive security audits that specifically address edge cases in exchange rate calculations and initial liquidity scenarios. Implementing circuit breakers or minimum liquidity thresholds for new vaults could prevent similar “first donation” exploits. This event will likely reinforce the industry’s focus on formal verification and rigorous testing of all financial logic, particularly in ERC4626 implementations, to prevent such systemic risks from propagating across the DeFi landscape.
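The rounding described under Analysis and the zero-rate and minimum-liquidity guards suggested above, as an added example: a simplified Python integer model, not Resupply's contract code. The precision constants, the 95% LTV cap, the minimum share threshold, the function names and all amounts are assumptions constructed for illustration.

```python
# Simplified integer model; Python's // on non-negative ints truncates
# exactly like Solidity's uint256 division. All constants are assumptions.
PRICE_PRECISION = 10**18    # assumed scale of the vault share price
RATE_NUMERATOR = 10**36     # the "1e36" numerator from the analysis
LTV_PRECISION = 10**5       # assumed loan-to-value scale
MAX_LTV = 95_000            # assumed cap (95%)
MIN_VAULT_SHARES = 10**18   # assumed minimum supply before a vault is trusted


def share_price(total_assets: int, total_shares: int) -> int:
    """Assets per share, scaled by PRICE_PRECISION (ERC4626-style)."""
    return total_assets * PRICE_PRECISION // total_shares


def exchange_rate(price: int) -> int:
    """1e36 / price, truncated: any price above 1e36 yields 0."""
    return RATE_NUMERATOR // price


def is_solvent_naive(borrow: int, collateral: int, rate: int) -> bool:
    """LTV check that trusts whatever rate it is handed."""
    if collateral == 0:
        return borrow == 0
    ltv = borrow * rate * LTV_PRECISION // PRICE_PRECISION // collateral
    return ltv <= MAX_LTV


def is_solvent_guarded(borrow: int, collateral: int, rate: int,
                       total_shares: int) -> bool:
    """Same check, failing closed on a zero rate or an under-seeded vault."""
    if rate == 0 or total_shares < MIN_VAULT_SHARES:
        return False  # a contract would revert here
    return is_solvent_naive(borrow, collateral, rate)


def scenario(assets: int, shares: int, borrow: int, collateral: int) -> dict:
    rate = exchange_rate(share_price(assets, shares))
    return {"rate": rate,
            "naive": is_solvent_naive(borrow, collateral, rate),
            "guarded": is_solvent_guarded(borrow, collateral, rate, shares)}


E18 = 10**18
# Constructed inputs: a seeded vault, then a 1-wei-share vault after a donation.
healthy = scenario(1_050_000 * E18, 1_000_000 * E18, 900 * E18, 1_000 * E18)
donated = scenario(2 * E18, 1, 9_800_000 * E18, 1)

if __name__ == "__main__":
    print("healthy:", healthy)
    print("donated:", donated)
```

In the donated case the share price exceeds 1e36, the rate truncates to 0, and the computed LTV is 0 for any borrow size, which is why the unguarded check passes.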

The Resupply exploit highlights the persistent vulnerability of nascent DeFi protocols to sophisticated financial manipulation, emphasizing that even well-understood attack vectors can persist without stringent deployment and validation safeguards.

Signal Acquired from → halborn.com

Micro Crypto News Feeds

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

exchange rate manipulation

Definition ∞ Exchange rate manipulation refers to intentional actions taken to alter the value of one currency relative to another.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.