
Briefing

The Resupply Protocol, a stablecoin issuer, experienced a critical security incident resulting in a loss of approximately $9.5 million. The exploit stemmed from a sophisticated price oracle manipulation, where an attacker artificially inflated the value of a wrapped token (cvcrvUSD) through a “donation attack” within a newly deployed ERC-4626 vault. This allowed the attacker to borrow a substantial amount of the protocol’s native reUSD stablecoins against negligible collateral, effectively draining the liquidity pool. The incident highlights the inherent risks in complex DeFi architectures and the critical need for robust validation mechanisms.


Context

Prior to this incident, the DeFi ecosystem had seen a persistent pattern of exploits targeting vulnerabilities in price oracles and in unaudited or newly deployed smart contracts. Protocols often rely on external price feeds or internal calculations that can be manipulated in low-liquidity markets, creating a significant attack surface. ERC-4626 vaults, while standardizing tokenized vaults, can introduce risk if implemented without robust exchange rate validation, especially when combined with floor division logic.


Analysis

The attack on Resupply Protocol specifically targeted the wstUSR market. The attacker initiated the exploit by taking a flash loan of $4,000 USDC, then executed a “donation attack” by sending a small amount of crvUSD directly to the cvcrvUSD token’s vault. Because the vault had very low liquidity, the donation drastically inflated its share price.

The Resupply smart contract fed this manipulated cvcrvUSD price into its exchange rate calculation, where floor division rounded the computed collateral value down to zero. The solvency check therefore passed, and the attacker borrowed approximately 10 million reUSD stablecoins against only 1 wei of cvcrvUSD collateral, before swapping the stolen funds for other assets and moving them through Tornado Cash.


Parameters

  • Protocol Targeted ∞ Resupply Protocol
  • Attack Vector ∞ Price Oracle Manipulation (Donation Attack, Floor Division Flaw)
  • Financial Impact ∞ $9.5 Million
  • Vulnerable Component ∞ wstUSR market / ERC-4626 vault
  • Exploited Token ∞ cvcrvUSD (wrapped crvUSD)
  • Attacker Funding ∞ Flash Loan from Morpho, Tornado Cash
  • Blockchain ∞ Ethereum (EVM)


Outlook

Users of similar stablecoin protocols should exercise caution and verify the robustness of price oracles, especially those relying on internal calculations or low-liquidity markets. Protocols must implement rigorous input validation and comprehensive audits for newly deployed contracts, particularly those utilizing ERC-4626 standards, to prevent donation attacks and floor division vulnerabilities. This incident underscores the necessity for multi-layered security checks beyond basic collateral ratios, potentially leading to new best practices for vault and oracle design in DeFi.
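The Analysis and Outlook sections above describe the mechanism (a donation inflating an ERC-4626 share price, then floor division collapsing the derived exchange rate to zero) and the mitigation (validating oracle output and vault exchange rates). The following simplified model, added here as an illustration and not taken from Resupply's or any project's code, reproduces both in EVM-style unsigned integer arithmetic (Python's `//` is floor division, like Solidity's `/`). The vault accounting, the exchange rate derivation, the LTV constants, the 1-wei share balance and the 2,000-token donation are constructed assumptions for the example.

```python
"""Model of a donation attack against an ERC-4626-style vault whose share price
feeds a lending market's exchange rate, and of two defensive measures:
a virtual-shares offset in the vault and a sanity check on the derived rate.
All values are unsigned integers with floor division, as in the EVM.
Constants, structure and sample amounts are assumptions for illustration."""

WAD = 10**18                 # 18-decimal fixed point
EXCHANGE_PRECISION = 10**18  # scale of the collateral-per-debt exchange rate
LTV_PRECISION = 10**5
MAX_LTV = 75_000             # 75 % maximum loan-to-value (assumed)


class Vault:
    """ERC-4626-style share accounting.

    `offset` is a virtual-shares decimals offset in the style of the OpenZeppelin
    ERC-4626 mitigation (shares + 10**offset, assets + 1). offset=0 gives
    essentially unprotected accounting."""

    def __init__(self, assets: int, shares: int, offset: int = 0) -> None:
        self.total_assets = assets
        self.total_shares = shares
        self.offset = offset

    def donate(self, amount: int) -> None:
        # A direct transfer of the underlying token into the vault: assets rise,
        # but no shares are minted, so every existing share is worth more.
        self.total_assets += amount

    def share_price(self) -> int:
        # Underlying assets per share, WAD-scaled, floor division.
        return (self.total_assets + 1) * WAD // (self.total_shares + 10**self.offset)


def exchange_rate(vault: Vault) -> int:
    """Collateral shares owed per WAD of debt, obtained by inverting the share
    price. Once share_price exceeds WAD * EXCHANGE_PRECISION this floors to 0."""
    return WAD * EXCHANGE_PRECISION // vault.share_price()


def required_collateral(borrow: int, rate: int) -> int:
    return borrow * rate // EXCHANGE_PRECISION


def is_solvent_unchecked(vault: Vault, collateral: int, borrow: int) -> bool:
    """Vulnerable pattern: a zero rate means any borrow needs zero collateral."""
    rate = exchange_rate(vault)
    return collateral * MAX_LTV // LTV_PRECISION >= required_collateral(borrow, rate)


def is_solvent_checked(vault: Vault, collateral: int, borrow: int) -> bool:
    """Hardened pattern: refuse to act on a degenerate oracle output.
    A Solidity implementation would revert; here we report 'not solvent'."""
    rate = exchange_rate(vault)
    if rate == 0:
        return False                      # rounding has destroyed the price signal
    needed = required_collateral(borrow, rate)
    if borrow > 0 and needed == 0:
        return False                      # positive debt can never be free
    return collateral * MAX_LTV // LTV_PRECISION >= needed


def healthy_example() -> tuple[bool, bool]:
    """Sanity baseline on a liquid vault: 75 % LTV passes, 76 % fails."""
    vault = Vault(assets=1_000_000 * WAD, shares=1_000_000 * WAD)   # constructed
    return (is_solvent_checked(vault, 100 * WAD, 75 * WAD),
            is_solvent_checked(vault, 100 * WAD, 76 * WAD))


def donation_scenario(offset: int) -> dict:
    """Vault holding a single 1-wei share receives a 2,000-token donation;
    the borrower then tries to take ~10M debt units against 1 wei of shares."""
    vault = Vault(assets=1, shares=1, offset=offset)   # constructed starting state
    vault.donate(2_000 * WAD)                          # constructed donation size
    borrow = 10_000_000 * WAD                          # order of magnitude from the briefing
    return {
        "rate": exchange_rate(vault),
        "unchecked": is_solvent_unchecked(vault, 1, borrow),
        "checked": is_solvent_checked(vault, 1, borrow),
    }


if __name__ == "__main__":
    print("baseline (75%, 76%):", healthy_example())
    print("no offset:", donation_scenario(0))    # rate 0, unchecked passes
    print("offset 6:", donation_scenario(6))     # rate > 0, both checks fail
```

With no virtual offset the derived rate floors to exactly 0 and the unchecked solvency test accepts a ~10M borrow against 1 wei of collateral; the checked version rejects it. With a decimals offset of 6 the donation can no longer push the share price far enough for the inversion to round to zero, so even the unchecked test fails, which is why both the vault-side offset and the market-side rate validation are worth having.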


Verdict

The Resupply Protocol exploit serves as a critical reminder that even established DeFi components, when integrated without meticulous validation of exchange rate mechanics, remain susceptible to sophisticated price manipulation attacks, necessitating continuous security innovation.

Signal Acquired from ∞ forklog.com

Glossary


resupply protocol

An integer division flaw in a newly deployed vault allowed attackers to manipulate exchange rates, enabling undercollateralized borrowing and significant asset drain.


protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.


token

Definition ∞ A token is a unit of value issued by a project on a blockchain, representing an asset, utility, or right.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.
