Security

Resupply Protocol Suffers $9.5 Million Price Oracle Manipulation Exploit

Price oracle manipulation via ERC-4626 vault's floor division flaw enabled $9.5M drain from Resupply Protocol.
September 20, 20253 min

The image showcases a series of transparent, bulbous containers partially filled with a textured, deep blue substance, interconnected by slender metallic wires and capped with cylindrical silver components. The foreground elements are sharply focused, while the background blurs into a soft grey, emphasizing the intricate central arrangement
A white, circuit-patterned cylinder, suggestive of a data conduit, is centrally positioned, passing through a dense, blue-lit toroidal structure. This intricate structure is composed of countless interconnected metallic blocks, radiating a digital glow

Briefing

The Resupply Protocol, a stablecoin issuer, experienced a critical security incident resulting in a loss of approximately $9.5 million. The exploit stemmed from a sophisticated price oracle manipulation, where an attacker artificially inflated the value of a wrapped token (cvcrvUSD) through a “donation attack” within a newly deployed ERC-4626 vault. This allowed the attacker to borrow a substantial amount of the protocol’s native reUSD stablecoins against negligible collateral, effectively draining the liquidity pool. The incident highlights the inherent risks in complex DeFi architectures and the critical need for robust validation mechanisms.

The image displays a detailed, close-up view of a complex, segmented structure made of metallic silver and bright blue components. These intricate parts are interconnected, forming a dense, technological assembly against a blurred light background

Context

Prior to this incident, the DeFi ecosystem has seen a persistent pattern of exploits targeting vulnerabilities in price oracles and unaudited or newly deployed smart contracts. Protocols often rely on external price feeds or internal calculations that can be manipulated in low-liquidity markets, creating a significant attack surface. The use of ERC-4626 vaults, while standardizing tokenized vaults, can introduce risks if not implemented with robust exchange rate validation, especially when combined with floor division logic.

A sophisticated translucent blue component, appearing as crystallized liquid, is intricately integrated with polished silver and dark metallic elements. A central embedded lens-like sphere, reflecting deep blue light, forms a focal point within this complex assembly

Analysis

The attack on Resupply Protocol specifically targeted the wstUSR market. The attacker initiated the exploit by taking a flash loan of $4,000 USDC, then executed a “donation attack” by sending a small amount of crvUSD to the cvcrvUSD token’s vault. This artificially inflated its share price due to low liquidity.

The Resupply smart contract, which used this manipulated cvcrvUSD price in its exchange rate calculations and a floor division flaw, effectively rounded the collateral value down to zero. This allowed the attacker to borrow approximately 10 million reUSD stablecoins with only 1 wei of cvcrvUSD as collateral, bypassing solvency checks, before swapping the stolen funds for other assets and moving them through Tornado Cash.

A central sphere comprises numerous translucent blue and dark blue cubic elements, interconnected with several matte white spheres of varying sizes via thin wires, all partially encircled by a large white ring. The background features a blurred dark blue with soft bokeh lights, creating an abstract, deep visual field

Parameters

  • Protocol Targeted → Resupply Protocol
  • Attack VectorPrice Oracle Manipulation (Donation Attack, Floor Division Flaw)
  • Financial Impact → $9.5 Million
  • Vulnerable ComponentwstUSR market / ERC-4626 vault
  • Exploited TokencvcrvUSD (wrapped crvUSD)
  • Attacker Funding → Flash Loan from Morpho, Tornado Cash
  • Blockchain → Ethereum (EVM)

A spherical object, deep blue with swirling white patterns, is partially encased by a metallic silver, cage-like structure. This protective framework features both broad, smooth bands and intricate, perforated sections with rectangular openings

Outlook

Users of similar stablecoin protocols should exercise caution and verify the robustness of price oracles, especially those relying on internal calculations or low-liquidity markets. Protocols must implement rigorous input validation and comprehensive audits for newly deployed contracts, particularly those utilizing ERC-4626 standards, to prevent donation attacks and floor division vulnerabilities. This incident underscores the necessity for multi-layered security checks beyond basic collateral ratios, potentially leading to new best practices for vault and oracle design in DeFi.

A white spherical module with a clear lens is positioned centrally, surrounded by numerous blue, faceted crystal-like structures. The sphere has segmented panels with glowing blue lines, while the blue crystals reflect light, creating a sense of depth and complexity

Verdict

The Resupply Protocol exploit serves as a critical reminder that even established DeFi components, when integrated without meticulous validation of exchange rate mechanics, remain susceptible to sophisticated price manipulation attacks, necessitating continuous security innovation.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

flash loan

Definition ∞ A flash loan is a type of uncollateralized loan that must be borrowed and repaid within a single transaction block on a blockchain.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: