
Briefing

In June 2025, the Resupply decentralized finance (DeFi) lending protocol suffered a critical exploit, resulting in a loss of approximately $9.6 million in digital assets. The attack leveraged a sophisticated price manipulation technique against a newly deployed, low-liquidity crcrvUSD vault, leading to a zero exchange rate within the ResupplyPair contract. This fundamental flaw allowed the attacker to mint substantial reUSD loans with negligible collateral, directly impacting the protocol’s wstUSR market. Resupply has since fully repaid $10 million in bad debt, demonstrating a commitment to recovery and reinforcing the importance of robust risk management frameworks.


Context

Before this incident, the DeFi ecosystem had already faced a steady stream of vulnerabilities stemming from complex smart contract interactions, particularly around price oracles and nascent liquidity pools. Protocols often deploy new vaults with insufficient initial liquidity, creating an inherent attack surface in which small manipulations can disproportionately affect asset valuations. This incident underscores a persistent risk class in which unaudited or poorly initialized contract logic can be exploited for significant financial gain, highlighting the need for security assessments that go beyond a basic contract audit.


Analysis

The incident’s technical mechanics centered on a price manipulation bug within Resupply’s ResupplyPair smart contract. The attacker initiated the exploit by funding their wallet via Tornado Cash, then made a small donation to a newly deployed crcrvUSD vault. This seemingly innocuous transaction artificially inflated the perceived value of the crcrvUSD token within the low-liquidity vault. Crucially, the protocol’s exchange rate calculation, which used integer division, rounded down to zero when the inflated price exceeded a specific threshold.

This zero exchange rate effectively bypassed the platform’s insolvency checks, enabling the attacker to borrow approximately $9.6 million in reUSD stablecoins using only 1 wei of crcrvUSD as collateral. The stolen funds were subsequently swapped to stablecoins and Ethereum on decentralized exchanges like Curve and Uniswap, then distributed across two separate Ethereum addresses.
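To make the rounding failure concrete, here is an added Python model (not Resupply's code) of an exchange rate derived by integer division feeding a Fraxlend-style loan-to-value check; the 1e36 / price formula, the 90% maximum LTV and the sample amounts are assumptions constructed for this example, and the hardened variant shows the kind of guard the Outlook section calls for.

```python
"""Simplified model of the rounding-to-zero solvency bypass described above.

Not Resupply's or Fraxlend's code. Assumptions (constructed for the example):
the collateral price is a 1e18 fixed-point number, the exchange rate is
derived as 1e36 // price, and solvency is judged by a Fraxlend-style
LTV = borrow * rate / EXCHANGE_PRECISION * LTV_PRECISION / collateral.
"""

WAD = 10**18                 # 1e18 fixed-point scale for amounts and prices
EXCHANGE_PRECISION = 10**18  # precision of the exchange rate
LTV_PRECISION = 10**5        # 100% == 100_000
MAX_LTV = 90_000             # 90% maximum loan-to-value (constructed)


def exchange_rate(price: int) -> int:
    """Rate as the vulnerable path computes it: integer division truncates
    to 0 as soon as the (inflated) price exceeds 1e36."""
    return (EXCHANGE_PRECISION * WAD) // price


def is_solvent(borrow: int, collateral: int, rate: int) -> bool:
    """LTV check. With rate == 0 the computed LTV is 0 for any borrow size,
    so only the divide-by-zero guard on collateral remains (hence 1 wei)."""
    if borrow == 0:
        return True
    if collateral == 0:
        return False
    ltv = (borrow * rate // EXCHANGE_PRECISION) * LTV_PRECISION // collateral
    return ltv <= MAX_LTV


def hardened_exchange_rate(price: int) -> int:
    """Same arithmetic, but a rate that truncated to zero is treated as an
    oracle failure and rejected instead of pricing collateral at nothing."""
    rate = (EXCHANGE_PRECISION * WAD) // price
    if rate == 0:
        raise ValueError("exchange rate rounded to zero; refusing to price collateral")
    return rate


def simulate(price: int, borrow: int, collateral: int, hardened: bool = False) -> bool:
    """Return True if a borrow of `borrow` against `collateral` at `price`
    would pass the solvency check (vulnerable or hardened rate derivation)."""
    rate = hardened_exchange_rate(price) if hardened else exchange_rate(price)
    return is_solvent(borrow, collateral, rate)
```

With a sane price, borrowing 9.6M units against 1 wei fails the check; once the price crosses 1e36 the same borrow passes, and the hardened derivation raises instead.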


Parameters

  • Protocol Targeted ∞ Resupply (DeFi lending protocol)
  • Attack Vector ∞ Price Manipulation / Integer Division Vulnerability
  • Financial Impact ∞ $9.6 Million (initial loss), $10 Million (bad debt repaid)
  • Affected Component ∞ ResupplyPair smart contract, wstUSR market, crcrvUSD vault
  • Blockchain ∞ Ethereum
  • Attacker Funding ∞ Tornado Cash
  • Recovery Status ∞ Full repayment of bad debt by August 2025


Outlook

In the immediate aftermath, Resupply paused affected contracts to prevent further losses, demonstrating swift incident response. The successful repayment of the $10 million bad debt, utilizing treasury funds and an insurance pool, sets a precedent for robust recovery mechanisms in DeFi, potentially influencing future regulatory expectations regarding financial crisis management. This incident reinforces the critical need for protocols to implement rigorous input validation, comprehensive oracle checks, and thorough edge-case testing, especially for newly deployed contracts or those interacting with low-liquidity assets. Developers must prioritize secure-by-design principles, ensuring that all contract logic, particularly division operations, accounts for potential price manipulations to prevent similar vulnerabilities.


Verdict

The Resupply exploit serves as a stark reminder that fundamental smart contract design flaws, particularly in exchange rate calculations and oracle dependencies, remain a primary attack vector, demanding continuous, rigorous auditing and proactive liquidity management for all DeFi protocols.

Signal Acquired from ∞ halborn.com

Micro Crypto News Feeds

price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

management

Definition ∞ Management refers to the process of organizing and overseeing resources to achieve specific objectives.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.