Resupply Stablecoin Protocol Exploited for $9.5M via cvcrvUSD Price Manipulation


Resupply, a decentralized stablecoin protocol connected to major DeFi platforms Convex Finance and Yearn Finance, has suffered a $9.5 million exploit after an attacker manipulated the price of the cvcrvUSD token. The attacker artificially inflated the price of cvcrvUSD through targeted donations in a low-liquidity market, then used the overpriced token as collateral to borrow nearly $10 million worth of Resupply's native stablecoin, reUSD, at an extremely favorable exchange rate.

The exploit took advantage of faulty price logic within the CurveLend contract, specifically the ResupplyPair contract handling cvcrvUSD and wrapped staked USD R tokens (wstUSR). Floor division rounding errors allowed the attacker to bypass solvency checks, borrowing massive amounts of reUSD against negligible collateral—only about one wei of cvcrvUSD. After borrowing, the attacker swiftly converted the stolen reUSD to USDC and wrapped Ethereum (WETH) through popular decentralized exchanges Curve and Uniswap.
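The rounding failure described above can be reproduced with a simplified model. This is an added example, not Resupply's contract code: the function names, the fixed-point scales, the 95% LTV limit and the sample amounts are all assumptions chosen to show how a floored exchange rate defeats a solvency check, next to a check that refuses a zero rate and rounds against the borrower.

```python
# Simplified model of a lending-pair solvency check (added illustration).
# Names, scales, the LTV limit and all sample values are assumptions.
PRECISION = 10**18       # assumed fixed-point scale for prices and LTV
RATE_SCALE = 10**36      # assumed numerator used to invert the oracle price
MAX_LTV = 95 * 10**16    # assumed 95% maximum loan-to-value

def exchange_rate_floor(oracle_price: int) -> int:
    """Collateral per unit of debt, scaled by PRECISION.
    Uses floor division, as integer math on the EVM does."""
    return RATE_SCALE // oracle_price

def is_solvent_vulnerable(borrow: int, collateral: int, oracle_price: int) -> bool:
    """Weak check: a price above RATE_SCALE floors the rate to 0,
    so the computed LTV is 0 for any borrow amount."""
    if collateral == 0:
        return borrow == 0
    rate = exchange_rate_floor(oracle_price)
    ltv = (borrow * rate) // collateral
    return ltv <= MAX_LTV

def is_solvent_hardened(borrow: int, collateral: int, oracle_price: int) -> bool:
    """Corrected check: reject a rate that rounded to zero and
    round the LTV up so truncation never favors the borrower."""
    if collateral == 0:
        return borrow == 0
    rate = exchange_rate_floor(oracle_price)
    if rate == 0:
        raise ValueError("exchange rate rounded to zero; refusing to price collateral")
    ltv = -(-(borrow * rate) // collateral)  # ceiling division
    return ltv <= MAX_LTV

if __name__ == "__main__":
    normal_price = PRECISION          # constructed: collateral priced 1:1 with debt
    inflated_price = 2 * RATE_SCALE   # constructed: price pushed past RATE_SCALE
    big_borrow = 10_000_000 * PRECISION
    print("normal, 90% LTV:", is_solvent_vulnerable(90 * PRECISION, 100 * PRECISION, normal_price))
    print("normal, 96% LTV:", is_solvent_vulnerable(96 * PRECISION, 100 * PRECISION, normal_price))
    print("inflated, 1 wei collateral:", is_solvent_vulnerable(big_borrow, 1, inflated_price))
    try:
        is_solvent_hardened(big_borrow, 1, inflated_price)
    except ValueError as err:
        print("hardened check:", err)
```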

Security firms including BlockSec, CertiK, Phalcon, and PeckShield investigated the breach and found that the attacker also used a $4,000 USDC flash loan from Morpho and funneled funds through Tornado Cash to obscure the trail. Resupply has paused the affected contract and is conducting a full investigation, promising to release a post-mortem after analysis.

This incident aligns with a broader pattern of growing exploits in the crypto industry, with massive losses reported in early 2025, including attacks on centralized exchanges and DeFi projects. Resupply's community and the broader DeFi ecosystem remain alert amid this upsurge in security breaches.