Resupply Hack — June 25, 2025
Overview
In June 2025, Resupply, an on-chain lending protocol, lost $9.6M to a donation attack on a newly deployed, empty vault. The hack is put at approximately $9.6-$9.8 million overall.
Attack Mechanics
The attacker used a $4K flash loan to donate funds, minted 1 wei of shares, and used it as collateral to borrow the protocol's entire treasury. More specifically, the attacker took advantage of the deployment of a new crcrvUSD vault to manipulate exchange rates and drain value from the project's smart contracts.
Root Cause
The target vault was deployed only two hours before it was exploited, meaning it held negligible value. The vault was empty at deployment, making it vulnerable to price manipulation via donations. By inflating the pool with a donation before minting shares, the attacker tricked the system into assigning an overvalued price to each vault share.
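The share-price effect described above, shown as an added example: a constructed Python model of vault share accounting, not Resupply's contract code. The `Vault` class, the `seed` parameter, the `usable_as_collateral` threshold and the donation size are assumptions chosen for illustration. It compares an empty vault with one seeded with locked shares at deployment.

```python
# Constructed model of vault share accounting (not Resupply's code).
WAD = 10**18  # 18-decimal fixed point

class Vault:
    def __init__(self, seed=0):
        # seed > 0 models a deployer deposit whose shares are locked forever
        # (hypothetical hardening step); seed == 0 is the empty vault.
        self.assets = seed   # underlying tokens held by the vault
        self.shares = seed   # share tokens in existence

    def donate(self, amount):
        """Direct token transfer: assets rise, no shares are minted."""
        self.assets += amount

    def deposit(self, amount):
        if self.shares == 0:
            minted = amount  # naive 1:1 bootstrap ignores donated assets
        else:
            minted = amount * self.shares // self.assets
        if minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.assets += amount
        self.shares += minted
        return minted

    def price_per_share(self):
        """Underlying per share, WAD-scaled (1 * WAD is the fair start)."""
        return self.assets * WAD // self.shares

def usable_as_collateral(vault, min_shares=1000 * WAD):
    """Lender-side guard (assumed threshold): reject thinly supplied vaults."""
    return vault.shares >= min_shares

def scenario(seed):
    """Donation lands first, then a 1-wei deposit is attempted."""
    v = Vault(seed)
    v.donate(4000 * WAD)     # constructed donation size
    try:
        minted = v.deposit(1)
    except ValueError:
        minted = 0           # dust deposit rejected
    return minted, v.price_per_share(), usable_as_collateral(v)

if __name__ == "__main__":
    print("empty vault :", scenario(0))
    print("seeded vault:", scenario(1000 * WAD))
```

In the empty vault a single share-wei is priced at the whole donated balance and only the supply guard rejects it; in the seeded vault the same donation moves the price from 1 to 5 and the dust deposit mints nothing.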
After the Attack
The attacker distributed the funds to two addresses, then sent the tokens to Tornado Cash for laundering. The Resupply attacker deposited 1,607 ETH into Tornado Cash, equivalent to approximately $6.5 million.