Briefing

In June 2025, the Resupply decentralized finance (DeFi) lending protocol suffered a critical exploit, resulting in a loss of approximately $9.6 million in digital assets. The attack leveraged a sophisticated price manipulation technique against a newly deployed, low-liquidity crcrvUSD vault, leading to a zero exchange rate within the ResupplyPair contract. This fundamental flaw allowed the attacker to mint substantial reUSD loans with negligible collateral, directly impacting the protocol’s wstUSR market. Resupply has since fully repaid $10 million in bad debt, demonstrating a commitment to recovery and reinforcing the importance of robust risk management frameworks.


Context

Before this incident, the DeFi ecosystem had repeatedly faced vulnerabilities stemming from complex smart contract interactions, particularly around price oracles and nascent liquidity pools. Protocols often deploy new vaults with insufficient initial liquidity, creating an inherent attack surface in which a small manipulation can disproportionately distort asset valuations. This incident underscores a persistent risk class in which unaudited or poorly initialized contract logic can be exploited for significant financial gain, and highlights the need for security assessments that go beyond basic contract audits.


Analysis

The incident’s technical mechanics centered on a price manipulation bug within Resupply’s ResupplyPair smart contract. The attacker initiated the exploit by funding their wallet via Tornado Cash, then made a small donation to a newly deployed crcrvUSD vault. This seemingly innocuous transaction artificially inflated the perceived value of the crcrvUSD token within the low-liquidity vault. Crucially, the protocol’s exchange rate calculation, which used integer division, rounded down to zero when the inflated price exceeded a specific threshold.

This zero exchange rate effectively bypassed the platform’s insolvency checks, enabling the attacker to borrow approximately $9.6 million in reUSD stablecoins using only 1 wei of crcrvUSD as collateral. The stolen funds were subsequently swapped to stablecoins and Ethereum on decentralized exchanges like Curve and Uniswap, then distributed across two separate Ethereum addresses.
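The rounding failure described above, modelled in Python as an added illustration for this page (this is not Resupply's code). It assumes a Fraxlend-style pair in which the exchange rate is computed as 1e36 integer-divided by the collateral's 1e18-scaled price, and the insolvency check is a loan-to-value test built on that rate; it shows the donation-inflated share price, the rate collapsing to zero, the check passing with 1 wei of collateral, and a hardened check that refuses a zero rate.

```python
# Model of the exchange-rate rounding flaw, constructed for this page.
# Assumptions: Fraxlend-style formulas; all constants are illustrative.

PRICE_PRECISION = 10**18     # oracle price of one collateral unit, in debt units
RATE_PRECISION = 10**18      # exchange rate: collateral units per debt unit
LTV_PRECISION = 100_000      # 100% loan-to-value
MAX_LTV = 75_000             # 75% maximum loan-to-value


def vault_share_price(total_assets: int, total_shares: int) -> int:
    """ERC-4626-style share price (1e18 scale). A donation raises
    total_assets without minting shares, so a vault with a tiny share
    supply can have its price pushed up almost without bound."""
    return total_assets * PRICE_PRECISION // total_shares


def exchange_rate(collateral_price: int) -> int:
    """Collateral per debt unit. Integer division floors, so once the
    price exceeds 1e36 the rate becomes exactly 0."""
    return PRICE_PRECISION * RATE_PRECISION // collateral_price


def loan_to_value(borrow_amount: int, collateral_amount: int, rate: int) -> int:
    """LTV in units of LTV_PRECISION; a zero rate values the debt at zero."""
    if collateral_amount == 0:
        return LTV_PRECISION + 1          # nothing backs the debt
    collateral_owed = borrow_amount * rate // RATE_PRECISION
    return collateral_owed * LTV_PRECISION // collateral_amount


def is_solvent_vulnerable(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Vulnerable check: with rate == 0 any borrow against 1 wei passes."""
    return loan_to_value(borrow_amount, collateral_amount, rate) <= MAX_LTV


class InvalidExchangeRate(Exception):
    pass


def is_solvent_hardened(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """Hardened check: refuse to value collateral when the rate rounded to 0."""
    if rate == 0:
        raise InvalidExchangeRate("exchange rate rounded to zero")
    return loan_to_value(borrow_amount, collateral_amount, rate) <= MAX_LTV


if __name__ == "__main__":
    # Constructed scenario: 1 wei of shares outstanding, then a 2-token donation.
    rate = exchange_rate(vault_share_price(2 * 10**18, 1))
    print(rate, is_solvent_vulnerable(9_600_000 * 10**18, 1, rate))
```

The hardened variant only closes the zero-rate hole; donation resistance for a freshly deployed vault still needs seeded liquidity or a minimum share supply, as the Outlook section recommends.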


Parameters

  • Protocol Targeted → Resupply (DeFi lending protocol)
  • Attack Vector → Price Manipulation / Integer Division Vulnerability
  • Financial Impact → $9.6 Million (initial loss), $10 Million (bad debt repaid)
  • Affected Component → ResupplyPair smart contract, wstUSR market, crcrvUSD vault
  • Blockchain → Ethereum
  • Attacker Funding → Tornado Cash
  • Recovery Status → Full repayment of bad debt by August 2025


Outlook

In the immediate aftermath, Resupply paused affected contracts to prevent further losses, demonstrating swift incident response. The successful repayment of the $10 million bad debt, utilizing treasury funds and an insurance pool, sets a precedent for robust recovery mechanisms in DeFi, potentially influencing future regulatory expectations regarding financial crisis management. This incident reinforces the critical need for protocols to implement rigorous input validation, comprehensive oracle checks, and thorough edge-case testing, especially for newly deployed contracts or those interacting with low-liquidity assets. Developers must prioritize secure-by-design principles, ensuring that all contract logic, particularly division operations, accounts for potential price manipulations to prevent similar vulnerabilities.


Verdict

The Resupply exploit serves as a stark reminder that fundamental smart contract design flaws, particularly in exchange rate calculations and oracle dependencies, remain a primary attack vector, demanding continuous, rigorous auditing and proactive liquidity management for all DeFi protocols.

Signal Acquired from → halborn.com

Micro Crypto News Feeds

price manipulation

Definition ∞ Price manipulation refers to the intentional distortion of the market price of an asset through deceptive or fraudulent activities.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

integer division

Definition ∞ Integer division is a mathematical operation that divides one integer by another and returns only the whole number part of the quotient.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

lending protocol

Definition ∞ A lending protocol is a decentralized application that facilitates the borrowing and lending of digital assets without intermediaries.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

management

Definition ∞ Management refers to the process of organizing and overseeing resources to achieve specific objectives.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.