Crypto Investigator Reveals Resupply $9.6M Attack Exploited Interest Rate Inflation Vulnerability


Decentralized stablecoin protocol Resupply was exploited earlier this week for $9.6 million in a sophisticated attack leveraging a critical vulnerability in its smart contract design.

According to Yu Xian, founder of blockchain security firm SlowMist, the attacker exploited an interest rate inflation loophole by interacting maliciously with a new vault’s Controller contract. 

Specifically, the attacker donated assets to the Controller, which artificially drove the internal exchangeRate variable to zero.

This bypassed the platform’s collateral verification mechanism, effectively allowing the attacker to borrow a large volume of reUSD while posting virtually no real collateral, just 1 wei.

Attack Method Exploited Zero Collateral Loophole with Precise Manipulation

This exploit represents a textbook example of an interest rate inflation vulnerability. 

The attacker manipulated the protocol’s core logic, which governs how collateral and loans are balanced based on exchange rates. 

By setting the exchange rate to zero through carefully timed donations, they rendered the platform incapable of verifying whether adequate collateral existed for borrowing.

The loophole allowed the attacker to withdraw massive sums of reUSD using negligible input.
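
The mechanism described above, as an added Python sketch that is not from the article or from Resupply's contracts: it assumes a share price derived from vault assets and an exchange rate obtained by integer-inverting that price (the article gives no formulas), and compares a solvency check that accepts a zero rate with one that rejects it. All names, scales and amounts are constructed.

```python
# Added illustration: simplified fixed-point model, not Resupply's contract code.
SCALE = 10**18            # fixed-point scale for prices, rates and LTV
MAX_LTV = 95 * 10**16     # 95% borrow limit (constructed value)


def share_price(total_assets: int, total_shares: int) -> int:
    """Assumed vault pricing: assets backing one share, scaled by SCALE."""
    return total_assets * SCALE // total_shares


def exchange_rate(price: int) -> int:
    """Assumed inversion of the share price; floor division like the EVM."""
    return SCALE * SCALE // price


def ltv(borrow: int, collateral: int, rate: int) -> int:
    """Loan-to-value at SCALE: debt converted to collateral units / collateral."""
    return borrow * rate // collateral


def solvent_vulnerable(borrow: int, collateral: int, rate: int) -> bool:
    # rate == 0 makes the LTV 0, so any borrow size passes.
    return ltv(borrow, collateral, rate) <= MAX_LTV


def solvent_hardened(borrow: int, collateral: int, rate: int) -> bool:
    # Refuse to price a loan with a zero rate or zero collateral
    # (an on-chain version would revert here).
    if rate == 0 or collateral == 0:
        return False
    return ltv(borrow, collateral, rate) <= MAX_LTV


def demo() -> dict:
    normal = exchange_rate(share_price(100 * SCALE, 100 * SCALE))
    # Constructed scenario: 1 wei of shares outstanding, then a donation
    # lifts the assets behind it above SCALE, so the inverted rate floors to 0.
    inflated = exchange_rate(share_price(2 * SCALE, 1))
    big_loan = 10_000_000 * SCALE
    return {
        "normal_rate": normal,
        "inflated_rate": inflated,
        "normal_80pct": solvent_vulnerable(80 * SCALE, 100 * SCALE, normal),
        "normal_96pct": solvent_vulnerable(96 * SCALE, 100 * SCALE, normal),
        "vulnerable_1wei": solvent_vulnerable(big_loan, 1, inflated),
        "hardened_1wei": solvent_hardened(big_loan, 1, inflated),
    }
```

The same guard belongs wherever a derived rate feeds a solvency decision: a rate that floors to zero is a pricing failure, not a valid price.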

The flaw exposes a significant shortfall in Resupply’s smart contract auditing process, where unchecked manipulation of core parameters opened the door for catastrophic financial losses.


Stolen Funds Converted to ETH and Laundered Through Tornado Cash

Following the exploit, the attacker quickly converted the stolen reUSD into ETH, amassing a total value of approximately $9.5 million. 

The attacker then obscured their transaction trail by using Tornado Cash, a well-known Ethereum-based privacy tool often utilized for money laundering in crypto exploits. 

Blockchain tracking services have identified two addresses associated with the attacker’s activity: 0x3112…4928a and 0x886f…2e16.

These funds have since been scattered across multiple wallets, significantly complicating any efforts to trace or recover the stolen assets.


Security Teams Monitor Fallout as Community Awaits Official Response

The SlowMist team, alongside other blockchain security groups such as MistTrack, has confirmed that monitoring efforts are ongoing as the situation unfolds. 

While the core Resupply protocol remains technically functional, the breach has severely undermined user trust and investor confidence. 

The Resupply development team has not yet issued a detailed postmortem or recovery plan, leaving the community in suspense regarding future compensation or security upgrades. 

With over $9 million in losses and severe questions raised about the protocol’s resilience, Resupply faces a critical inflection point in its operational and reputational future.
