Briefing

The Resupply stablecoin protocol suffered a critical $9.5 million exploit targeting its newly deployed lending market. The primary consequence is significant bad-debt accrual and a collapse of investor confidence in the protocol’s fundamental solvency. The exploit was carried out through a donation attack that manipulated the price-per-share calculation in an empty ERC-4626 vault, allowing the attacker to borrow approximately $10 million in reUSD against negligible collateral. The total value lost from the wstUSR market is confirmed to be $9.5 million.

Context

The prevailing attack surface in the DeFi lending sector remains logic flaws in asset valuation and oracle-like mechanisms, particularly within new deployments. This incident leveraged the known risk associated with the ERC-4626 standard’s initial state, where an empty vault is susceptible to price-per-share manipulation before equilibrium is established. The exploit occurred shortly after the new market’s DAO governance approval, indicating a critical lapse in pre-deployment security checks.

Analysis

The attack targeted the ResupplyPair smart contract, specifically its reliance on the vault’s balanceOf function for exchange rate calculation. The attacker used a small donation of crvUSD to artificially inflate the price-per-share of the newly deployed, empty cvcrvUSD vault. By minting a minimal amount of shares (1 wei) at this inflated price, the attacker tricked the protocol into valuing this collateral at millions of dollars. This price distortion allowed the threat actor to bypass the protocol’s solvency checks and borrow $10 million in the native stablecoin reUSD, which was immediately swapped for WETH and USDC.

Parameters

  • Total Loss Value → $9.5 Million (The total value of assets drained from the protocol)
  • Vulnerable Component → ERC-4626 Vault (The newly deployed vault standard used for asset tracking)
  • Exploit Method → Donation Attack (Manipulating the initial share price of an empty vault)
  • Collateral Used → 1 Wei of Shares (The negligible amount of shares used to borrow $10M)

Outlook

Immediate mitigation requires all protocols utilizing ERC-4626 vaults to implement virtual share mechanisms or offset functions to prevent price-per-share manipulation at deployment. The second-order effect is a renewed focus on “donation attack” vectors, especially in low-liquidity or newly launched markets, increasing contagion risk for similar lending protocols. This incident establishes a new best practice → mandating a non-zero initial deposit or a robust check against zero-balance vaults, even post-audit.
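The share-price inflation described in the Analysis and the virtual-share mitigation recommended above, as an added Python model that is not Resupply's or any vault's actual code: the naive first-deposit rule, the 1e5 LTV units, the 95% limit, the deposit-then-donate order and all amounts are assumptions, and `decimals_offset` stands in for an OpenZeppelin-style virtual-share offset.

```python
# Added model of ERC-4626 share math plus a pair-style solvency check (constructed
# numbers, not Resupply code). decimals_offset=0 is naive accounting; >0 adds virtual shares.
WAD = 10**18
LTV_PRECISION = 10**5   # assumption: loan-to-value in 1e5 units
MAX_LTV = 95_000        # assumption: 95% maximum LTV

class Vault:
    def __init__(self, decimals_offset=0):
        self.total_assets = 0
        self.total_supply = 0
        self.virtual_shares = 10**decimals_offset if decimals_offset else 0

    def convert_to_shares(self, assets):
        if self.virtual_shares == 0:            # naive ERC-4626: first deposit is 1:1
            if self.total_supply == 0:
                return assets
            return assets * self.total_supply // self.total_assets
        # virtual shares and one virtual asset keep the ratio bounded when empty
        return assets * (self.total_supply + self.virtual_shares) // (self.total_assets + 1)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        self.total_assets += assets             # direct transfer: no shares minted

    def price_per_share(self):
        # underlying per 1e18 shares, floored like Solidity integer division
        supply = self.total_supply + self.virtual_shares
        assets = self.total_assets + (1 if self.virtual_shares else 0)
        return assets * WAD // supply

def exchange_rate(vault):
    # collateral shares per borrowed unit, 1e18-scaled; floors to 0 once pps > 1e36
    return WAD * WAD // vault.price_per_share()

def is_solvent(vault, borrow, collateral_shares):
    # LTV in LTV_PRECISION units; a zero exchange rate makes any debt look solvent
    ltv = borrow * exchange_rate(vault) * LTV_PRECISION // (WAD * collateral_shares)
    return ltv <= MAX_LTV

def attack(decimals_offset=0, donation=2_000 * WAD, borrow=10_000_000 * WAD):
    """Take the first 1 wei share, donate, then test a $10M borrow against it."""
    v = Vault(decimals_offset)
    shares = v.deposit(1)
    v.donate(donation)
    return exchange_rate(v), is_solvent(v, borrow, shares)
```

With no offset the floored exchange rate is 0 and the $10M borrow against 1 wei of shares passes the solvency check; with a six-decimal offset the rate stays non-zero and the same borrow is rejected, and a pair that additionally refuses a zero exchange rate would have stopped the naive case outright.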

Verdict

The Resupply exploit is a definitive case study demonstrating how a known ERC-4626 initialization flaw can be weaponized to bypass fundamental DeFi lending solvency checks.

Signal Acquired from → medium.com
