Resupply Protocol Suffers $9.5 Million Price Oracle Manipulation Exploit ∞ Security

A close-up view presents a futuristic blue metallic device, showcasing intricate mechanical and illuminated transparent components. A prominent central spherical element, glowing with intense blue light, connects to the main structure via clear tubes, suggesting dynamic internal processes

A textured, white sphere is centrally positioned, encased by a protective structure of translucent blue and metallic silver bars. The intricate framework surrounds the sphere, highlighting its secure containment within a sophisticated digital environment

Briefing

The Resupply Protocol, a stablecoin issuer, experienced a critical security incident resulting in a loss of approximately $9.5 million. The exploit stemmed from a sophisticated price oracle manipulation, where an attacker artificially inflated the value of a wrapped token (cvcrvUSD) through a “donation attack” within a newly deployed ERC-4626 vault. This allowed the attacker to borrow a substantial amount of the protocol’s native reUSD stablecoins against negligible collateral, effectively draining the liquidity pool. The incident highlights the inherent risks in complex DeFi architectures and the critical need for robust validation mechanisms.

A bright white sphere is surrounded by numerous shimmering blue crystalline cubes, forming a central, intricate mass. White, smooth, curved conduits and thin dark filaments emanate from this core, weaving through a blurred background of similar blue and white elements

Context

Prior to this incident, the DeFi ecosystem has seen a persistent pattern of exploits targeting vulnerabilities in price oracles and unaudited or newly deployed smart contracts. Protocols often rely on external price feeds or internal calculations that can be manipulated in low-liquidity markets, creating a significant attack surface. The use of ERC-4626 vaults, while standardizing tokenized vaults, can introduce risks if not implemented with robust exchange rate validation, especially when combined with floor division logic.

A close-up view reveals transparent, tubular conduits filled with vibrant blue patterns, converging into a central, dark, finned connector. The luminous channels appear to transmit data, while the central unit suggests processing or connection within a complex system

Analysis

The attack on Resupply Protocol specifically targeted the wstUSR market. The attacker initiated the exploit by taking a flash loan of $4,000 USDC, then executed a “donation attack” by sending a small amount of crvUSD to the cvcrvUSD token’s vault. This artificially inflated its share price due to low liquidity.

The Resupply smart contract, which used this manipulated cvcrvUSD price in its exchange rate calculations and a floor division flaw, effectively rounded the collateral value down to zero. This allowed the attacker to borrow approximately 10 million reUSD stablecoins with only 1 wei of cvcrvUSD as collateral, bypassing solvency checks, before swapping the stolen funds for other assets and moving them through Tornado Cash.

A stark white, cube-shaped module stands prominently with one side open, exposing a vibrant, glowing blue internal matrix of digital components. Scattered around the central module are numerous similar, out-of-focus structures, suggesting a larger interconnected system

Parameters

Protocol Targeted ∞ Resupply Protocol
Attack Vector ∞ Price Oracle Manipulation (Donation Attack, Floor Division Flaw)
Financial Impact ∞ $9.5 Million
Vulnerable Component ∞ wstUSR market / ERC-4626 vault
Exploited Token ∞ cvcrvUSD (wrapped crvUSD)
Attacker Funding ∞ Flash Loan from Morpho, Tornado Cash
Blockchain ∞ Ethereum (EVM)

A futuristic, multi-segmented white device with visible internal components and solar panels is partially submerged in turbulent blue water. The water actively splashes around the device, creating numerous bubbles and visible ripples across the surface

Outlook

Users of similar stablecoin protocols should exercise caution and verify the robustness of price oracles, especially those relying on internal calculations or low-liquidity markets. Protocols must implement rigorous input validation and comprehensive audits for newly deployed contracts, particularly those utilizing ERC-4626 standards, to prevent donation attacks and floor division vulnerabilities. This incident underscores the necessity for multi-layered security checks beyond basic collateral ratios, potentially leading to new best practices for vault and oracle design in DeFi.

A translucent, multi-faceted crystalline form, reminiscent of a diamond or a water droplet, is cradled by several smooth, white concentric bands. This core element rests upon an elaborate blue printed circuit board, densely populated with hexagonal components and intricate traces, evoking a sophisticated technological ecosystem

Verdict

The Resupply Protocol exploit serves as a critical reminder that even established DeFi components, when integrated without meticulous validation of exchange rate mechanics, remain susceptible to sophisticated price manipulation attacks, necessitating continuous security innovation.

Signal Acquired from ∞ forklog.com