Briefing

In June 2025, the Resupply decentralized finance (DeFi) lending protocol suffered a critical exploit, resulting in a loss of approximately $9.6 million in digital assets. The attack leveraged a sophisticated price manipulation technique against a newly deployed, low-liquidity crcrvUSD vault, leading to a zero exchange rate within the ResupplyPair contract. This fundamental flaw allowed the attacker to mint substantial reUSD loans with negligible collateral, directly impacting the protocol’s wstUSR market. Resupply has since fully repaid $10 million in bad debt, demonstrating a commitment to recovery and reinforcing the importance of robust risk management frameworks.

Context

Prior to this incident, the DeFi ecosystem had consistently faced vulnerabilities stemming from complex smart contract interactions, particularly concerning price oracles and nascent liquidity pools. Protocols often deploy new vaults with insufficient initial liquidity, creating an inherent attack surface where minor manipulations can disproportionately affect asset valuations. This incident underscores a persistent risk class in which unaudited or poorly initialized contract logic can be exploited for significant financial gain, highlighting the critical need for comprehensive security assessments beyond basic contract audits.

Analysis

The incident’s technical mechanics centered on a price manipulation bug within Resupply’s ResupplyPair smart contract. The attacker initiated the exploit by funding their wallet via Tornado Cash, then made a small donation to a newly deployed crcrvUSD vault. This seemingly innocuous transaction artificially inflated the perceived value of the crcrvUSD token within the low-liquidity vault. Crucially, the protocol’s exchange rate calculation, which used integer division, rounded down to zero when the inflated price exceeded a specific threshold.

This zero exchange rate effectively bypassed the platform’s insolvency checks, enabling the attacker to borrow approximately $9.6 million in reUSD stablecoins using only 1 wei of crcrvUSD as collateral. The stolen funds were subsequently swapped to stablecoins and Ethereum on decentralized exchanges like Curve and Uniswap, then distributed across two separate Ethereum addresses.

Parameters

  • Protocol Targeted ∞ Resupply (DeFi lending protocol)
  • Attack Vector ∞ Price Manipulation / Integer Division Vulnerability
  • Financial Impact ∞ $9.6 Million (initial loss), $10 Million (bad debt repaid)
  • Affected Component ∞ ResupplyPair smart contract, wstUSR market, crcrvUSD vault
  • Blockchain ∞ Ethereum
  • Attacker Funding ∞ Tornado Cash
  • Recovery Status ∞ Full repayment of bad debt by August 2025

Outlook

In the immediate aftermath, Resupply paused affected contracts to prevent further losses, demonstrating swift incident response. The successful repayment of the $10 million bad debt, utilizing treasury funds and an insurance pool, sets a precedent for robust recovery mechanisms in DeFi, potentially influencing future regulatory expectations regarding financial crisis management. This incident reinforces the critical need for protocols to implement rigorous input validation, comprehensive oracle checks, and thorough edge-case testing, especially for newly deployed contracts or those interacting with low-liquidity assets. Developers must prioritize secure-by-design principles, ensuring that all contract logic, particularly division operations, accounts for potential price manipulations to prevent similar vulnerabilities.
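The zero-rate mechanism described in the Analysis section, and the division guard the Outlook section calls for, as an added illustration that is not Resupply's code: a simplified Python model of a lending pair whose exchange rate is derived by integer division. The formula shape (rate = 1e36 / price), the LTV constants, and the scenario values are assumptions constructed for this example and are not taken from the ResupplyPair contract. It shows the rate collapsing to 0 once the price crosses the division threshold, the unguarded check passing for a large borrow against 1 wei of collateral, and a hardened check that rejects a zero rate and rounds the debt side against the borrower.

```python
"""Simplified model (an added illustration, not Resupply's code) of a lending
pair whose exchange rate is derived by integer division, and of the solvency
check that consumes it.  Every constant and the formula shape are assumptions
chosen to mirror a common lending-pair pattern; none are taken from the
ResupplyPair contract."""

PRICE_SCALE = 10**18          # assumed: collateral price quoted with 18 decimals
EXCHANGE_PRECISION = 10**36   # assumed: rate = 1e36 / price, so rate has 18 decimals
LTV_PRECISION = 10**5         # assumed: loan-to-value expressed in 1e5 units
MAX_LTV = 95_000              # assumed: 95% maximum loan-to-value


class SolvencyError(Exception):
    """Raised by the hardened check when the rate cannot be trusted (a revert on-chain)."""


def exchange_rate(price: int) -> int:
    """Collateral units per asset unit, scaled by PRICE_SCALE.

    Mirrors Solidity's uint256 '/': floor division.  Once price exceeds
    EXCHANGE_PRECISION the quotient is 0, and nothing here objects.
    """
    if price <= 0:
        raise ValueError("price must be positive")
    return EXCHANGE_PRECISION // price


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up (a, b non-negative, b > 0)."""
    return (a + b - 1) // b


def is_solvent_vulnerable(borrow: int, collateral: int, rate: int) -> bool:
    """Unguarded LTV check: accepts rate == 0 and floors every division.

    With rate == 0 the debt valued in collateral is 0, so the check passes for
    any borrow size against any non-zero collateral, even 1 wei.
    """
    if borrow == 0:
        return True
    debt_in_collateral = (borrow * rate) // PRICE_SCALE
    ltv = (debt_in_collateral * LTV_PRECISION) // collateral
    return ltv <= MAX_LTV


def is_solvent_hardened(borrow: int, collateral: int, rate: int) -> bool:
    """Same check with two defensive changes:
    1. a zero rate is treated as a broken price input and rejected outright;
    2. debt-side divisions round up, so rounding never favours the borrower.
    """
    if borrow == 0:
        return True
    if rate == 0:
        raise SolvencyError("exchange rate is zero: price input out of range")
    if collateral == 0:
        return False
    debt_in_collateral = ceil_div(borrow * rate, PRICE_SCALE)
    ltv = ceil_div(debt_in_collateral * LTV_PRECISION, collateral)
    return ltv <= MAX_LTV


def run_scenarios() -> dict:
    """Three constructed scenarios; the values are illustrative, not on-chain data."""
    normal_rate = exchange_rate(1 * PRICE_SCALE)            # 1 asset per collateral unit
    inflated_rate = exchange_rate(2 * EXCHANGE_PRECISION)   # price past the division threshold
    big_borrow = 9_600_000 * 10**18                         # 9.6M asset units, 18 decimals
    results = {
        "normal_rate": normal_rate,
        "inflated_rate": inflated_rate,
        # healthy position: 90 borrowed against 100 collateral at a 1:1 price
        "healthy_vulnerable": is_solvent_vulnerable(90 * 10**18, 100 * 10**18, normal_rate),
        "healthy_hardened": is_solvent_hardened(90 * 10**18, 100 * 10**18, normal_rate),
        # zero-rate position: large borrow against 1 wei of collateral
        "zero_rate_vulnerable": is_solvent_vulnerable(big_borrow, 1, inflated_rate),
    }
    try:
        is_solvent_hardened(big_borrow, 1, inflated_rate)
        results["zero_rate_hardened"] = "passed"
    except SolvencyError:
        results["zero_rate_hardened"] = "rejected"
    # dust position: rate is 1 (just below the threshold); floor rounding still hides the debt
    results["dust_vulnerable"] = is_solvent_vulnerable(5 * 10**17, 1, 1)
    results["dust_hardened"] = is_solvent_hardened(5 * 10**17, 1, 1)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The dust scenario is the generalization of the same defect: even when the rate has not reached zero, flooring the debt-side division lets a position with a tiny rate value out at zero debt, which is why the hardened check rounds against the borrower in addition to rejecting a zero rate.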

Verdict

The Resupply exploit serves as a stark reminder that fundamental smart contract design flaws, particularly in exchange rate calculations and oracle dependencies, remain a primary attack vector, demanding continuous, rigorous auditing and proactive liquidity management for all DeFi protocols.

Signal Acquired from ∞ halborn.com

Glossary

price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

management

Definition ∞ Management refers to the process of organizing and overseeing resources to achieve specific objectives.