Resupply Finance Hack - June 2025 ($9.8M)
Overview
In June 2025, Resupply, an on-chain lending protocol, was the victim of a $9.8 million hack. The protocol was attacked with a donation attack on June 26, 2025, at 1:53 AM UTC.
The Attack Mechanism
The attacker took advantage of the deployment of a new crcrvUSD vault to manipulate exchange rates and drain value from the project's smart contracts. The target vault was deployed only two hours before it was exploited, meaning that it held negligible value.
An attacker initiated the exploit by taking a $4,000 flash loan in USDC from Morpho, converting it to crvUSD, and donating 2,000 crvUSD into the freshly deployed vault. Then, by depositing another 2 crvUSD, they minted just 1 wei worth of cvcrvUSD shares.
The Vulnerability
The attacker then used Resupply's smart contract to borrow 10 million reUSD, the platform's native stablecoin, with just one wei of cvcrvUSD as collateral. A flaw in the protocol's code, specifically the use of floor division, caused the exchange rate to round down to zero once the price moved past a measured threshold. With the exchange rate set to zero, the attacker was able to borrow a massive amount of Resupply's native stablecoin, reUSD, using only 1 wei of cvcrvUSD as collateral.
Aftermath
Resupply confirmed the exploit, paused the impacted wstUSR market, and said the stolen funds were laundered through Tornado Cash and split across multiple wallets.
Sources