The decentralized finance stablecoin protocol Resupply has fallen victim to a massive hack. As a result of the attack, the perpetrators managed to withdraw assets totaling approximately $9.5 million, which is equivalent to $9.6 million by some estimates.
This is reported by Finway
Incident Details and Team Response
Resupply developers confirmed the hack and temporarily halted operations on the affected market. According to an official statement, the exploit only affected one market — the wstUSR market. The vulnerability in the smart contract has been identified and isolated, but the team plans to publish a full report on the incident after the investigation is completed.
Resupply experienced an exploit in the wstUSR market. The affected contract has been identified and suspended. Only the wstUSR market was impacted, and the protocol continues to function as intended. A full post-mortem will be published once a complete analysis has been conducted..
Attack Mechanism and Consequences for the Protocol
Security experts explained that the hacker exploited a vulnerability through manipulation of the cvcrvUSD price, using a donation mechanism to artificially inflate the rate. This caused the exchangeRate to drop to zero, allowing the attacker to obtain a significant amount of reUSD tokens with collateral of just 1 wei. Subsequently, the assets were withdrawn and converted to Ethereum, after which they were distributed between two addresses. The funding for the attack was facilitated through the Tornado Cash mixer.
As a result of the incident, the total value locked (TVL) of the protocol decreased from $135.02 million to $107.19 million, as reflected in the chart:
This case once again demonstrates the vulnerability of DeFi protocols to complex attacks based on liquidity and price oracle manipulation.