Briefing

The Resupply stablecoin protocol suffered a critical exploit of about $9.5 million against its newly deployed lending market. The primary consequence is a large bad-debt position on the protocol's books and a loss of investor confidence in its solvency. The attacker carried out a donation attack that manipulated the price-per-share calculation of an empty ERC-4626 vault, then borrowed approximately $10 million in reUSD against negligible collateral. The total value drained from the wstUSR market is confirmed at $9.5 million.


Context

The prevailing attack surface in DeFi lending remains logic flaws in asset valuation and in the oracle-like mechanisms that feed it, particularly in new deployments. This incident leveraged the known weakness of the ERC-4626 standard's initial state: an empty or near-empty vault is susceptible to price-per-share manipulation until enough deposits exist to make inflating it expensive. The exploit occurred shortly after the new market's DAO governance approval, pointing to a gap in pre-deployment security checks.


Analysis

The attack targeted the ResupplyPair smart contract, specifically its reliance on the vault's balanceOf function for the exchange-rate calculation. The attacker used a small donation of crvUSD to inflate the price-per-share of the newly deployed, empty cvcrvUSD vault: tokens transferred directly to the vault raise its asset balance without minting any shares, so the few shares that exist appear to be backed by the whole donation. By minting a minimal amount of shares (1 wei) at this inflated price, the attacker had the protocol value that collateral at millions of dollars. The distorted exchange rate let the threat actor pass the protocol's solvency checks and borrow $10 million of the native stablecoin reUSD, which was immediately swapped for WETH and USDC.


Parameters

  • Total Loss Value → $9.5 Million (The total value of assets drained from the protocol)
  • Vulnerable Component → ERC-4626 Vault (The newly deployed vault whose share accounting was used to value collateral)
  • Exploit Method → Donation Attack (Manipulating the initial share price of an empty vault)
  • Collateral Used → 1 Wei of Shares (The negligible amount of shares used to borrow $10M)


Outlook

Immediate mitigation requires every protocol that prices collateral through ERC-4626 vaults to adopt virtual shares (a decimals offset) so that the price-per-share cannot be inflated cheaply at deployment, and to reject an exchange rate that rounds to zero rather than treating it as a valid price. The second-order effect is renewed attention to donation-attack vectors, especially in low-liquidity or newly launched markets, which raises contagion risk for similar lending protocols. The incident establishes a new baseline practice → seed every new vault with a non-zero initial deposit, and check for zero-balance vaults before enabling borrowing, even after an audit.
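The arithmetic behind the Analysis and the two defences named in the Outlook, as an added example that is not Resupply's, Curve's or Convex's code. The vault, the lending pair's exchange-rate and solvency formulas, and every amount are constructed assumptions: the pair check is modelled on the Fraxlend-style LTV test, the virtual-share scheme on OpenZeppelin's ERC-4626 decimals offset, and the $10M borrow and 2-token donation are illustrative. Amounts are 18-decimal integers and every division floors, as in Solidity.

```python
"""Integer model of an ERC-4626 donation attack and two mitigations.

Added illustration, not Resupply's, Curve's or Convex's code. Formulas and
amounts are simplified, constructed assumptions.
"""

WAD = 10**18                 # one whole 18-decimal token
EXCHANGE_PRECISION = 10**18  # scale of the pair's exchange rate
LTV_PRECISION = 10**5        # LTV expressed in 1e5 units
MAX_LTV = 95_000             # 95 %, an assumed market parameter


class Vault4626:
    """ERC-4626 share accounting with an optional virtual-share offset.

    decimals_offset=None is the naive vault: the first depositor gets shares
    1:1 and totalAssets() is just the token balance, so a plain ERC-20
    transfer ("donation") raises the price per share without minting shares.
    decimals_offset=n adds 10**n virtual shares and one virtual asset to
    every conversion (OpenZeppelin-style mitigation, assumed here).
    """

    def __init__(self, decimals_offset=None):
        self.balance = 0        # underlying held: what balanceOf(vault) returns
        self.total_supply = 0   # shares outstanding
        self.offset = decimals_offset

    def _virtual(self):
        """(virtual shares, virtual assets) added to every conversion."""
        return (10**self.offset, 1) if self.offset is not None else (0, 0)

    def convert_to_shares(self, assets):
        vs, va = self._virtual()
        supply, total = self.total_supply + vs, self.balance + va
        return assets if supply == 0 else assets * supply // total

    def convert_to_assets(self, shares):
        vs, va = self._virtual()
        supply, total = self.total_supply + vs, self.balance + va
        return shares if supply == 0 else shares * total // supply

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.balance += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        """Direct transfer to the vault address: assets rise, supply does not."""
        self.balance += assets

    def price_per_share(self):
        """Underlying assets backing one whole (1e18) share."""
        return self.convert_to_assets(WAD)


class LendingPair:
    """Collateral is vault shares, valued through the vault's price per share."""

    def __init__(self, vault):
        self.vault = vault

    def exchange_rate(self):
        """Collateral shares per borrowed unit, scaled by EXCHANGE_PRECISION.

        Floor division: once price_per_share exceeds 1e36 this truncates to 0,
        and the vulnerable check below then reads LTV as 0.
        """
        return EXCHANGE_PRECISION * WAD // self.vault.price_per_share()

    def ltv(self, borrow, collateral_shares):
        rate = self.exchange_rate()
        return borrow * rate * LTV_PRECISION // (collateral_shares * EXCHANGE_PRECISION)

    def is_solvent(self, borrow, collateral_shares):
        """Vulnerable form: a zero exchange rate yields LTV 0 and passes."""
        return self.ltv(borrow, collateral_shares) <= MAX_LTV

    def is_solvent_hardened(self, borrow, collateral_shares):
        """Added guard: a rate that floored to zero is rejected, not trusted."""
        return self.exchange_rate() > 0 and self.is_solvent(borrow, collateral_shares)


def run_attack(vault, donation, borrow):
    """1 wei deposit, then a donation, then a borrow against the 1-wei position."""
    pair = LendingPair(vault)
    shares = vault.deposit(1)   # the attacker's entire collateral
    vault.donate(donation)      # inflate price per share without minting shares
    return {
        "collateral_shares": shares,
        "price_per_share": vault.price_per_share(),
        "exchange_rate": pair.exchange_rate(),
        "passes_vulnerable_check": pair.is_solvent(borrow, shares),
        "passes_hardened_check": pair.is_solvent_hardened(borrow, shares),
    }


if __name__ == "__main__":
    borrow = 10_000_000 * WAD   # constructed: a $10M-scale borrow
    donation = 2 * WAD          # constructed: a small donation of the underlying
    for label, vault in (("naive empty vault", Vault4626()),
                         ("vault with decimals offset 6", Vault4626(6))):
        print(label, run_attack(vault, donation, borrow))
```

Against the naive vault the 1 wei deposit mints 1 share, the donation pushes the price of that share above 1e36, the exchange rate floors to 0 and the vulnerable LTV check passes for any borrow size. With a decimals offset of 6 the same 1 wei mints 10**6 shares alongside 10**6 virtual ones, the donation only doubles the price per share, the exchange rate stays non-zero and the same borrow fails. The zero-rate guard is the cheap second line of defence: it catches the truncation even in a vault that was deployed without virtual shares.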


Verdict

The Resupply exploit is a definitive case study demonstrating how a known ERC-4626 initialization flaw can be weaponized to bypass fundamental DeFi lending solvency checks.

Tags → Stablecoin protocol, price manipulation attack, ERC-4626 vault, donation attack, floor division flaw, exchange rate distortion, negligible collateral, smart contract logic, vault accounting, systemic risk, DeFi lending, collateralized debt position, asset valuation, governance approval

Signal Acquired from → medium.com
