Resupply Protocol Suffers $9.5 Million Price Oracle Manipulation Exploit → Security

A close-up view presents a futuristic blue metallic device, showcasing intricate mechanical and illuminated transparent components. A prominent central spherical element, glowing with intense blue light, connects to the main structure via clear tubes, suggesting dynamic internal processes

A white, glossy sphere with silver metallic accents is encircled by a smooth white ring, set against a dark grey background. Dynamic, translucent blue fluid-like structures surround and interact with the central sphere and ring, suggesting energetic movement

Briefing

The Resupply Protocol, a stablecoin issuer, experienced a critical security incident resulting in a loss of approximately $9.5 million. The exploit stemmed from a sophisticated price oracle manipulation, where an attacker artificially inflated the value of a wrapped token (cvcrvUSD) through a “donation attack” within a newly deployed ERC-4626 vault. This allowed the attacker to borrow a substantial amount of the protocol’s native reUSD stablecoins against negligible collateral, effectively draining the liquidity pool. The incident highlights the inherent risks in complex DeFi architectures and the critical need for robust validation mechanisms.

A bright white sphere is surrounded by numerous shimmering blue crystalline cubes, forming a central, intricate mass. White, smooth, curved conduits and thin dark filaments emanate from this core, weaving through a blurred background of similar blue and white elements

Context

Prior to this incident, the DeFi ecosystem has seen a persistent pattern of exploits targeting vulnerabilities in price oracles and unaudited or newly deployed smart contracts. Protocols often rely on external price feeds or internal calculations that can be manipulated in low-liquidity markets, creating a significant attack surface. The use of ERC-4626 vaults, while standardizing tokenized vaults, can introduce risks if not implemented with robust exchange rate validation, especially when combined with floor division logic.

The image displays a detailed view of a sophisticated, futuristic mechanism, predominantly featuring metallic silver components and translucent blue elements with intricate, bubbly textures. A prominent central lens and a smaller secondary lens are visible, alongside other circular structures and a slotted white panel on the left, suggesting advanced data capture and processing capabilities

Analysis

The attack on Resupply Protocol specifically targeted the wstUSR market. The attacker initiated the exploit by taking a flash loan of $4,000 USDC, then executed a “donation attack” by sending a small amount of crvUSD to the cvcrvUSD token’s vault. This artificially inflated its share price due to low liquidity.

The Resupply smart contract, which used this manipulated cvcrvUSD price in its exchange rate calculations and a floor division flaw, effectively rounded the collateral value down to zero. This allowed the attacker to borrow approximately 10 million reUSD stablecoins with only 1 wei of cvcrvUSD as collateral, bypassing solvency checks, before swapping the stolen funds for other assets and moving them through Tornado Cash.

The image displays a close-up of a complex mechanical device, featuring a central metallic core with intricate details, encased in a transparent, faceted blue material, and partially covered by a white, frothy substance. A large, circular metallic component with a lens-like center is prominently positioned, suggesting an observation or interaction point

Parameters

Protocol Targeted → Resupply Protocol
Attack Vector → Price Oracle Manipulation (Donation Attack, Floor Division Flaw)
Financial Impact → $9.5 Million
Vulnerable Component → wstUSR market / ERC-4626 vault
Exploited Token → cvcrvUSD (wrapped crvUSD)
Attacker Funding → Flash Loan from Morpho, Tornado Cash
Blockchain → Ethereum (EVM)

A contemporary office space is depicted with its floor partially submerged in reflective water and covered by mounds of white, granular material resembling snow or foam. Dominating the midground are two distinct, large circular forms: one a transparent, multi-layered ring structure, and the other a solid, textured blue disc

Outlook

Users of similar stablecoin protocols should exercise caution and verify the robustness of price oracles, especially those relying on internal calculations or low-liquidity markets. Protocols must implement rigorous input validation and comprehensive audits for newly deployed contracts, particularly those utilizing ERC-4626 standards, to prevent donation attacks and floor division vulnerabilities. This incident underscores the necessity for multi-layered security checks beyond basic collateral ratios, potentially leading to new best practices for vault and oracle design in DeFi.

A stark white, cube-shaped module stands prominently with one side open, exposing a vibrant, glowing blue internal matrix of digital components. Scattered around the central module are numerous similar, out-of-focus structures, suggesting a larger interconnected system

Verdict

The Resupply Protocol exploit serves as a critical reminder that even established DeFi components, when integrated without meticulous validation of exchange rate mechanics, remain susceptible to sophisticated price manipulation attacks, necessitating continuous security innovation.

Signal Acquired from → forklog.com