Briefing

In June 2025, the Resupply decentralized finance (DeFi) lending protocol suffered a critical exploit, resulting in a loss of approximately $9.6 million in digital assets. The attack leveraged a sophisticated price manipulation technique against a newly deployed, low-liquidity crcrvUSD vault, leading to a zero exchange rate within the ResupplyPair contract. This fundamental flaw allowed the attacker to mint substantial reUSD loans with negligible collateral, directly impacting the protocol’s wstUSR market. Resupply has since fully repaid $10 million in bad debt, demonstrating a commitment to recovery and reinforcing the importance of robust risk management frameworks.


Context

Prior to this incident, the DeFi ecosystem had consistently faced vulnerabilities stemming from complex smart contract interactions, particularly concerning price oracles and nascent liquidity pools. Protocols often deploy new vaults with insufficient initial liquidity, creating an inherent attack surface where minor manipulations can disproportionately affect asset valuations. This incident underscores a persistent risk class in which unaudited or poorly initialized contract logic can be exploited for significant financial gain, highlighting the critical need for comprehensive security assessments beyond basic contract audits.


Analysis

The incident’s technical mechanics centered on a price manipulation bug within Resupply’s ResupplyPair smart contract. The attacker initiated the exploit by funding their wallet via Tornado Cash, then made a small donation to a newly deployed crcrvUSD vault. This seemingly innocuous transaction artificially inflated the perceived value of the crcrvUSD token within the low-liquidity vault. Crucially, the protocol’s exchange rate calculation, which used integer division, rounded down to zero when the inflated price exceeded a specific threshold.

This zero exchange rate effectively bypassed the platform’s insolvency checks, enabling the attacker to borrow approximately $9.6 million in reUSD stablecoins using only 1 wei of crcrvUSD as collateral. The stolen funds were subsequently swapped to stablecoins and Ethereum on decentralized exchanges like Curve and Uniswap, then distributed across two separate Ethereum addresses.
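The rate-to-zero path described above, modelled as an added Python example written for this briefing (it is not Resupply's ResupplyPair code); the 1e36 / price formula, the precision constants and the LTV cap are assumptions, and the numbers fed in are constructed:

```python
# Constructed model of a Fraxlend-style exchange rate and solvency check.
# Assumptions: exchangeRate = 1e36 // price (price in 1e18 units), LTV is
# computed with Solidity-style truncating integer division. Not Resupply's code.

EXCHANGE_PRECISION = 10**18   # assumed scale of the exchange rate
LTV_PRECISION = 10**5         # assumed: LTV expressed in 1e-5 units
MAX_LTV = 95_000              # assumed 95% loan-to-value cap


def share_price(total_assets: int, total_shares: int) -> int:
    """Vault share price in 1e18 units. With almost no shares outstanding,
    assets added to the vault (a 'donation') are spread over a tiny denominator."""
    return total_assets * 10**18 // total_shares


def exchange_rate(price: int) -> int:
    """Collateral units per debt unit, 1e36 // price. Integer division
    truncates, so once price exceeds 1e36 the rate becomes 0."""
    return 10**36 // price


def ltv(debt: int, collateral: int, rate: int) -> int:
    """Loan-to-value in LTV_PRECISION units, integer math throughout."""
    return (debt * rate * LTV_PRECISION) // (collateral * EXCHANGE_PRECISION)


def is_solvent_vulnerable(debt: int, collateral: int, rate: int) -> bool:
    """Check that trusts the rate as given: rate == 0 makes LTV 0, so any debt
    against any non-zero collateral (even 1 wei) passes."""
    if debt == 0:
        return True
    if collateral == 0:
        return False
    return ltv(debt, collateral, rate) <= MAX_LTV


def is_solvent_hardened(debt: int, collateral: int, rate: int) -> bool:
    """Same check with the guard this incident calls for: a zero rate means the
    oracle or its division has failed, so the position is treated as insolvent."""
    if debt == 0:
        return True
    if collateral == 0 or rate == 0:
        return False
    return ltv(debt, collateral, rate) <= MAX_LTV
```

Run with a constructed vault holding 1 share and 2e18 assets: the share price is 2e36, the rate truncates to 0, and the vulnerable check approves 9.6 million units of debt against 1 wei of collateral while the hardened check rejects it.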


Parameters

  • Protocol Targeted → Resupply (DeFi lending protocol)
  • Attack Vector → Price Manipulation / Integer Division Vulnerability
  • Financial Impact → $9.6 Million (initial loss), $10 Million (bad debt repaid)
  • Affected Component → ResupplyPair smart contract, wstUSR market, crcrvUSD vault
  • Blockchain → Ethereum
  • Attacker Funding → Tornado Cash
  • Recovery Status → Full repayment of bad debt by August 2025


Outlook

In the immediate aftermath, Resupply paused affected contracts to prevent further losses, demonstrating swift incident response. The successful repayment of the $10 million bad debt, utilizing treasury funds and an insurance pool, sets a precedent for robust recovery mechanisms in DeFi, potentially influencing future regulatory expectations regarding financial crisis management. This incident reinforces the critical need for protocols to implement rigorous input validation, comprehensive oracle checks, and thorough edge-case testing, especially for newly deployed contracts or those interacting with low-liquidity assets. Developers must prioritize secure-by-design principles, ensuring that all contract logic, particularly division operations, accounts for potential price manipulations to prevent similar vulnerabilities.


Verdict

The Resupply exploit serves as a stark reminder that fundamental smart contract design flaws, particularly in exchange rate calculations and oracle dependencies, remain a primary attack vector, demanding continuous, rigorous auditing and proactive liquidity management for all DeFi protocols.

Signal Acquired from → halborn.com


price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

management

Definition ∞ Management refers to the process of organizing and overseeing resources to achieve specific objectives.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.