Security

Resupply Protocol Suffers $9.5 Million Price Oracle Manipulation Exploit

Price oracle manipulation via ERC-4626 vault's floor division flaw enabled $9.5M drain from Resupply Protocol.
September 20, 20253 min

A white spherical module with a clear lens is positioned centrally, surrounded by numerous blue, faceted crystal-like structures. The sphere has segmented panels with glowing blue lines, while the blue crystals reflect light, creating a sense of depth and complexity
A transparent, flowing conduit connects to a metallic interface, which is securely plugged into a blue, rectangular device. This device is mounted on a dark, textured base, secured by visible screws, suggesting a robust and precise engineering

Briefing

The Resupply Protocol, a stablecoin issuer, experienced a critical security incident resulting in a loss of approximately $9.5 million. The exploit stemmed from a sophisticated price oracle manipulation, where an attacker artificially inflated the value of a wrapped token (cvcrvUSD) through a “donation attack” within a newly deployed ERC-4626 vault. This allowed the attacker to borrow a substantial amount of the protocol’s native reUSD stablecoins against negligible collateral, effectively draining the liquidity pool. The incident highlights the inherent risks in complex DeFi architectures and the critical need for robust validation mechanisms.

A detailed perspective showcases sophisticated metallic gears and bearings, intricately positioned within a clear, fluid-filled enclosure. The vibrant blue liquid, teeming with numerous small bubbles, circulates around these precisely engineered components, highlighting their operational interaction

Context

Prior to this incident, the DeFi ecosystem has seen a persistent pattern of exploits targeting vulnerabilities in price oracles and unaudited or newly deployed smart contracts. Protocols often rely on external price feeds or internal calculations that can be manipulated in low-liquidity markets, creating a significant attack surface. The use of ERC-4626 vaults, while standardizing tokenized vaults, can introduce risks if not implemented with robust exchange rate validation, especially when combined with floor division logic.

A sophisticated translucent blue component, appearing as crystallized liquid, is intricately integrated with polished silver and dark metallic elements. A central embedded lens-like sphere, reflecting deep blue light, forms a focal point within this complex assembly

Analysis

The attack on Resupply Protocol specifically targeted the wstUSR market. The attacker initiated the exploit by taking a flash loan of $4,000 USDC, then executed a “donation attack” by sending a small amount of crvUSD to the cvcrvUSD token’s vault. This artificially inflated its share price due to low liquidity.

The Resupply smart contract, which used this manipulated cvcrvUSD price in its exchange rate calculations and a floor division flaw, effectively rounded the collateral value down to zero. This allowed the attacker to borrow approximately 10 million reUSD stablecoins with only 1 wei of cvcrvUSD as collateral, bypassing solvency checks, before swapping the stolen funds for other assets and moving them through Tornado Cash.

An abstract, dark, multi-layered object with intricate, organic-like cutouts is depicted, covered and surrounded by a multitude of small, glowing blue and white particles. These particles appear to flow dynamically across its surface and through its internal structures, creating a sense of movement and digital interaction

Parameters

  • Protocol Targeted → Resupply Protocol
  • Attack VectorPrice Oracle Manipulation (Donation Attack, Floor Division Flaw)
  • Financial Impact → $9.5 Million
  • Vulnerable ComponentwstUSR market / ERC-4626 vault
  • Exploited TokencvcrvUSD (wrapped crvUSD)
  • Attacker Funding → Flash Loan from Morpho, Tornado Cash
  • Blockchain → Ethereum (EVM)

A luminous blue faceted crystal stands prominently amidst soft white cloud-like textures. A translucent blue shard is partially visible on the left, also embedded in the ethereal substance

Outlook

Users of similar stablecoin protocols should exercise caution and verify the robustness of price oracles, especially those relying on internal calculations or low-liquidity markets. Protocols must implement rigorous input validation and comprehensive audits for newly deployed contracts, particularly those utilizing ERC-4626 standards, to prevent donation attacks and floor division vulnerabilities. This incident underscores the necessity for multi-layered security checks beyond basic collateral ratios, potentially leading to new best practices for vault and oracle design in DeFi.

A futuristic white and metallic device, with internal blue glowing components, is expelling a thick cloud of white smoke infused with blue light from its front. The device rests on a dark, patterned surface resembling a circuit board

Verdict

The Resupply Protocol exploit serves as a critical reminder that even established DeFi components, when integrated without meticulous validation of exchange rate mechanics, remain susceptible to sophisticated price manipulation attacks, necessitating continuous security innovation.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

exchange rate

Definition ∞ An exchange rate represents the value of one currency or asset in terms of another.

flash loan

Definition ∞ A flash loan is a type of uncollateralized loan that must be borrowed and repaid within a single transaction block on a blockchain.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

price oracle

Definition ∞ A price oracle is a digital service that provides external price data to smart contracts on a blockchain.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: