Attacker drains over $9 million from Resupply stablecoin protocol after manipulating token price

Stablecoin protocol Resupply was exploited for around $9.5 million through a market manipulation of exchange rates, according to security analysts.

Resupply is a stablecoin protocol that leverages the liquidity and stability of lending markets.

The exploit centered on cvcrvUSD, a wrapped version of Curve USD (crvUSD) staked in Convex Finance. Analysts said the attacker artificially inflated the price of cvcrvUSD by sending donations, which caused its share price to spike.

“The hacker exploited the cvcrvUSD vault, allowing the attacker to borrow $10 million in reUSD with only 1 wei of share as collateral,” said Xuxian Jiang, founder and CEO of PeckShield.

Resupply’s smart contract, known as ResupplyPair (CurveLend: crvUSD/wstUSR), used this inflated cvcrvUSD price in its exchange rate calculations. As a result, the rate crashed, noted security analysts.

The attacker took advantage of this price distortion by invoking the borrow function in the ResupplyPair contract. This allowed them to borrow 10 million reUSD (Resupply's native stablecoin) using only one wei of cvcrvUSD as collateral.

The missing funds originated from the wstUSR market, which the attacker exploited through borrowing, explained analysts at Blocksec.

Analysts added that the attacker later converted the borrowed reUSD into other assets on external markets for profit.

Resupply confirmed the exploit and said the affected contract has been identified and paused.