Briefing

The Resupply stablecoin protocol suffered a critical $9.5 million exploit targeting its newly deployed lending market. The primary consequence is a significant bad debt accrual and a collapse of investor confidence in the protocol’s fundamental solvency. This was achieved through a donation attack that manipulated the price-per-share calculation in an empty ERC-4626 vault, allowing the attacker to borrow approximately $10 million in reUSD using negligible collateral. The total value lost from the wstUSR market is confirmed to be $9.5 million.


Context

The prevailing attack surface in the DeFi lending sector remains logic flaws in asset valuation and oracle-like mechanisms, particularly within new deployments. This incident leveraged the known risk associated with the ERC-4626 standard’s initial state, where an empty vault is susceptible to price-per-share manipulation before equilibrium is established. The exploit occurred shortly after the new market’s DAO governance approval, indicating a critical lapse in pre-deployment security checks.


Analysis

The attack targeted the ResupplyPair smart contract, specifically its reliance on the vault’s balanceOf function for exchange rate calculation. The attacker used a small donation of crvUSD to artificially inflate the price-per-share of the newly deployed, empty cvcrvUSD vault. By minting a minimal amount of shares (1 wei) at this inflated price, the attacker tricked the protocol into valuing this collateral at millions of dollars. This price distortion allowed the threat actor to bypass the protocol’s solvency checks and borrow $10 million in the native stablecoin reUSD, which was immediately swapped for WETH and USDC.


Parameters

  • Total Loss Value → $9.5 Million (The total value of assets drained from the protocol)
  • Vulnerable Component → ERC-4626 Vault (The newly deployed vault standard used for asset tracking)
  • Exploit Method → Donation Attack (Manipulating the initial share price of an empty vault)
  • Collateral Used → 1 Wei of Shares (The negligible amount of shares used to borrow $10M)


Outlook

Immediate mitigation requires all protocols utilizing ERC-4626 vaults to implement virtual share mechanisms or offset functions to prevent price-per-share manipulation at deployment. The second-order effect is a renewed focus on “donation attack” vectors, especially in low-liquidity or newly launched markets, increasing contagion risk for similar lending protocols. This incident establishes a new best practice → mandating a non-zero initial deposit or a robust check against zero-balance vaults, even post-audit.
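As an added example (not code from the page or from the Resupply project), the share math behind the Analysis and Outlook sections in Python: a naive ERC-4626-style vault, a hypothetical lending check that inverts the price-per-share with floor division, and the mitigations named above (a non-zero seed deposit, an OpenZeppelin-style virtual-share offset, a check that refuses a zero rate). The vault, the amounts, the offset of 6 and the solvency formula are all assumptions, not Resupply's actual contracts.

```python
# Added example, not code from the page or the Resupply protocol: ERC-4626 share
# accounting with Solidity-style floor division. A donation to a near-empty vault
# inflates price-per-share; a consumer that inverts it can floor the exchange rate
# to 0; a seed deposit, a virtual-share offset and a zero-rate check blunt that.
WAD = 10**18  # 18-decimal fixed point; all amounts below are constructed


class Vault:
    def __init__(self, offset=None):  # offset=None: naive vault, no virtual shares
        self.total_assets = 0  # what balanceOf(vault) reports, donations included
        self.total_supply = 0  # shares minted
        self.v_shares = 10**offset if offset is not None else 0  # virtual shares (OZ-style offset)
        self.v_assets = 1 if offset is not None else 0  # virtual assets

    def convert_to_shares(self, assets):
        supply = self.total_supply + self.v_shares
        if supply == 0:  # naive vault, first depositor: 1 asset == 1 share
            return assets
        return assets * supply // (self.total_assets + self.v_assets)

    def price_per_share(self):  # assets backing 1e18 share-wei, WAD-scaled, floored
        supply = self.total_supply + self.v_shares
        return WAD if supply == 0 else WAD * (self.total_assets + self.v_assets) // supply

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares


def exchange_rate(pps):  # hypothetical consumer: inverse price, floors to 0 once pps > WAD*WAD
    return WAD * WAD // pps if pps else 0


def is_solvent(borrow, collateral_shares, pps, max_ltv_bps, strict=False):
    rate = exchange_rate(pps)
    if strict and rate == 0:
        return False  # hardened: a rate with no precision left cannot value collateral
    debt_in_collateral = borrow * rate // WAD  # 0 whenever rate == 0, so any borrow "passes"
    return debt_in_collateral * 10_000 <= collateral_shares * max_ltv_bps


def attack_scenario(vault, seed=0, strict=False):
    """Optionally seed, mint 1 wei of shares, donate 2000 tokens, test a 10M borrow at 90% LTV."""
    if seed:
        vault.deposit(seed)  # deployer's non-zero initial deposit (the Outlook's best practice)
    shares = vault.deposit(1)
    vault.total_assets += 2_000 * WAD  # the donation: a plain transfer, no shares minted
    pps = vault.price_per_share()
    return shares, pps, is_solvent(10_000_000 * WAD, shares, pps, 9_000, strict)
```

With the naive vault the 2000-token donation pushes the inverted rate to 0 and the 10M-token borrow against 1 wei of shares passes; a seed deposit keeps the price near 1:1, the offset keeps the rate non-zero, and the strict check rejects the distorted rate outright.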


Verdict

The Resupply exploit is a definitive case study demonstrating how a known ERC-4626 initialization flaw can be weaponized to bypass fundamental DeFi lending solvency checks.

Stablecoin protocol, price manipulation attack, ERC-4626 vault, donation attack, floor division flaw, exchange rate distortion, negligible collateral, smart contract logic, vault accounting, systemic risk, defi lending, collateralized debt position, asset valuation, governance approval Signal Acquired from → medium.com

Micro Crypto News Feeds