
Briefing

On June 26, 2025, an attacker exploited Resupply, an on-chain lending protocol, for approximately $9.8 million. The incident stemmed from a critical flaw in how Resupply's lending pair priced collateral from a newly deployed ERC4626 crcrvUSD vault: the attacker used a "first donation" to inflate the vault's share price, which drove the pair's internal exchange rate to zero and let the attacker bypass its solvency check, borrowing a large amount of reUSD against negligible collateral. The stolen funds were subsequently laundered through Tornado Cash, obscuring the attacker's trail.


Context

Before this incident, the DeFi ecosystem had repeatedly faced risks from newly deployed smart contracts, particularly those with little or no initial liquidity. Such contracts are highly susceptible to price manipulation, where a small capital input can disproportionately move an internal valuation such as a vault's price per share. Reliance on truncating integer division in critical financial calculations, especially when combined with external oracle dependencies or empty-vault initial conditions, is a known class of vulnerability that sophisticated threat actors frequently exploit.


Analysis

The attack capitalized on a flawed exchange rate calculation in Resupply's ResupplyPairCore.sol contract, specifically in the _updateExchangeRate() and _isSolvent() functions. The attacker first minted a single wei of shares in a newly deployed, essentially empty crcrvUSD vault and then made a "first donation" of underlying assets directly to the vault. Because the vault values shares by its asset balance, the donation, spread over one wei of shares, inflated the vault's perceived value (its price per share) to an astronomically large figure. The protocol derived its exchange rate as 1e36 divided by that perceived value, and once the value exceeded 1e36 the integer division truncated the result to zero. With an exchange rate of zero, the solvency check, which scales the borrowed amount by the exchange rate before comparing it against collateral, evaluated the position's loan-to-value as zero regardless of the amounts involved. The attacker could therefore post a minuscule amount of collateral (1 wei of crcrvUSD) and borrow essentially all of the reUSD the pair had available, about $9.8 million.


Parameters

  • Protocol Targeted ∞ Resupply (Decentralized Lending Protocol)
  • Date of Exploit ∞ June 26, 2025
  • Financial Impact ∞ $9.8 Million
  • Attack Vector ∞ ERC4626 Vault Exchange Rate Manipulation (Malicious Donation / Integer Division Exploit)
  • Vulnerable Component ∞ ResupplyPairCore.sol contract (_updateExchangeRate(), _isSolvent() functions)
  • Laundering Method ∞ Tornado Cash


Outlook

Immediate mitigation for users of similar protocols includes verifying the maturity and liquidity of a vault before interacting with it, especially a newly deployed one. For protocols, the incident underscores the need for robust input validation (a computed exchange rate of zero should revert rather than be accepted as a price), careful handling of integer arithmetic, and security audits that specifically cover edge cases in exchange rate calculations and initial-liquidity scenarios. Seeding a new vault with an initial deposit, or using a virtual-share offset in the ERC4626 implementation, blunts share-price inflation by donation; circuit breakers or minimum liquidity thresholds for new vaults could also prevent similar "first donation" exploits. This event will likely reinforce the industry's focus on formal verification and rigorous testing of all financial logic, particularly in ERC4626 implementations, to prevent such systemic risks from propagating across the DeFi landscape.
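To make the arithmetic in the Analysis section and the zero-rate validation recommended above concrete, here is an added Python model. It is not Resupply's code and not the project's patch: a minimal ERC4626-style vault that prices shares by its asset balance, the page's exchange rate formula 1e36 / price implemented with truncating division, a solvency check of the form LTV = borrow × rate / collateral (an assumption modelled on Fraxlend-derived lending pairs), and a hardened variant that refuses a zero rate. The functions update_exchange_rate and is_solvent stand in for the page's _updateExchangeRate() and _isSolvent(); the constants (WAD, RATE_NUMERATOR, LTV_PRECISION, MAX_LTV), the vault model and the sample amounts are assumptions chosen to reproduce the rounding behaviour, not values taken from the deployed contracts.

```python
"""Model of the first-donation / zero-exchange-rate failure described above.

Added illustration, not Resupply's code. Constants, the vault model, the
solvency formula and all amounts are assumptions. Everything is integer
arithmetic as in Solidity; Python's // truncates like EVM division for
non-negative operands.
"""

WAD = 10**18              # 1e18 scale for the collateral price and exchange rate
RATE_NUMERATOR = 10**36   # page formula: exchange rate = 1e36 / price
LTV_PRECISION = 10**5     # LTV in 1e5 units: 95_000 == 95 %
MAX_LTV = 95_000          # assumed maximum loan-to-value for the pair


class Erc4626Vault:
    """Minimal ERC4626-style vault that measures assets by token balance,
    so tokens transferred directly to it ("donated") inflate the share price."""

    def __init__(self):
        self.total_assets = 0
        self.total_shares = 0

    def deposit(self, assets):
        if self.total_shares == 0:
            shares = assets                      # 1:1 on an empty vault
        else:
            shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets):
        self.total_assets += assets              # balance grows, no shares minted

    def price_per_share(self):
        """Assets backing one whole share (1e18 share units), scaled by WAD."""
        if self.total_shares == 0:
            return WAD
        return self.total_assets * WAD // self.total_shares


def update_exchange_rate(price):
    """Vulnerable model of _updateExchangeRate(): collateral-per-asset rate
    as 1e36 // price. Once price exceeds 1e36 the division truncates to 0."""
    return RATE_NUMERATOR // price


def is_solvent(borrow_amount, collateral_amount, exchange_rate):
    """Vulnerable model of _isSolvent(): LTV = borrow * rate / collateral.
    A zero rate yields LTV 0, so any borrow against any non-zero collateral passes."""
    if borrow_amount == 0:
        return True
    if collateral_amount == 0:
        return False
    ltv = (borrow_amount * exchange_rate * LTV_PRECISION) // (collateral_amount * WAD)
    return ltv <= MAX_LTV


def update_exchange_rate_hardened(price):
    """Hardened variant (assumed fix, not the project's patch): a rate that
    truncates to zero is an out-of-range price, not a valid one."""
    rate = RATE_NUMERATOR // price
    if rate == 0:
        raise ValueError("exchange rate truncated to zero; refusing to price collateral")
    return rate


def run_attack(donation_wei, borrow_wei):
    """Replay the first-donation scenario against a fresh vault and return
    the intermediate values so each step can be inspected."""
    vault = Erc4626Vault()
    attacker_shares = vault.deposit(1)           # mint a single wei of shares
    vault.donate(donation_wei)                   # inflate price per share
    price = vault.price_per_share()
    rate = update_exchange_rate(price)
    solvent = is_solvent(borrow_wei, attacker_shares, rate)  # 1 wei of collateral
    try:
        update_exchange_rate_hardened(price)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "price_per_share": price,
        "exchange_rate": rate,
        "vulnerable_solvent": solvent,
        "hardened_rejects": hardened_rejects,
    }


if __name__ == "__main__":
    # Constructed inputs: donate 2 whole tokens (2e18 wei) against 1 wei of
    # shares, then borrow 9.8 million tokens with that 1 wei as collateral.
    for name, value in run_attack(2 * WAD, 9_800_000 * WAD).items():
        print(f"{name}: {value}")
    # One wei short of the threshold: the rate stays at 1 and the borrow fails.
    print(run_attack(WAD - 1, 9_800_000 * WAD))
```

Running the block shows the boundary exactly: with one wei of shares, any donation of at least 1e18 wei (one whole token) pushes the price per share past 1e36 and the rate to 0, after which is_solvent approves the 9.8 million token borrow against 1 wei of collateral; one wei less leaves the rate at 1 and the same borrow is rejected as far over the LTV limit. That discontinuity is why the hardened variant treats a zero rate as an error rather than as a price.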

The Resupply exploit highlights the persistent vulnerability of nascent DeFi protocols to sophisticated financial manipulation, emphasizing that even well-understood attack vectors can persist without stringent deployment and validation safeguards.

Signal Acquired from ∞ halborn.com


lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

exchange rate manipulation

Definition ∞ Exchange rate manipulation refers to intentional actions taken to alter the value of one currency relative to another.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.