ReSupply, a decentralized finance (DeFi) lending protocol, has fallen victim to a severe exploit that led to an estimated $9.6 million in crypto losses.
The attack was identified through a suspicious transaction linked to a flaw in the protocol’s smart contract logic.
Specifically, the attacker manipulated the exchange rate within the wstUSR market of ReSupply, allowing them to borrow an excessive amount of reUSD with negligible collateral.
ReSupply has since confirmed the exploit and paused all affected contracts to prevent further damage, while promising a comprehensive post-mortem analysis in the coming days.
Exploit Originated from Manipulation of cvcrvUSD Conversion Rates
At the core of the exploit was the manipulation of the cvcrvUSD vault, a crucial mechanism in ReSupply’s lending structure.
The attacker initiated the breach by donating 2,000 crvUSD to an empty vault, which inflated the conversion rate after minting a minuscule share using only about 2 crvUSD.
The inflation tricked the protocol’s lending pool into calculating an exchange rate of zero due to floor division, effectively bypassing the loan-to-value (LTV) safety checks.
Using just 1 wei worth of cvcrvUSD as collateral, the attacker managed to borrow roughly 10 million reUSD.
The sophisticated tactic demonstrates the importance of implementing robust mathematical validations in smart contracts.
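The rounding failure described above can be reproduced with plain integer arithmetic. The Python model below is an added example, not ReSupply's contract code: the precision constants, the 95% LTV limit, the formulas, the function names and the vault balances are assumptions, chosen to show how a floored exchange rate of zero passes a solvency check and how rejecting a zero rate (and rounding against the borrower) closes the gap.

```python
# Added illustration: simplified integer model, not ReSupply's contract code.
WAD = 10**18             # 18-decimal fixed point (assumed)
RATE_PRECISION = 10**36  # numerator used to invert the price (assumed)
LTV_PRECISION = 10**5    # LTV expressed in 1e5 units (assumed)
MAX_LTV = 95_000         # 95% limit (assumed)


def price_per_share(total_assets: int, total_shares: int) -> int:
    """Vault share price in debt-asset units, scaled by WAD."""
    return total_assets * WAD // total_shares


def exchange_rate(price: int) -> int:
    """Collateral shares per unit of debt, scaled by WAD. Floors toward zero."""
    return RATE_PRECISION // price


def is_solvent_naive(borrow: int, collateral: int, rate: int) -> bool:
    """LTV check that trusts the rate: a rate of 0 makes every debt look free."""
    debt_in_collateral = borrow * rate // WAD
    ltv = debt_in_collateral * LTV_PRECISION // collateral
    return ltv <= MAX_LTV


def is_solvent_hardened(borrow: int, collateral: int, rate: int) -> bool:
    """Same check, but a zero rate or zero collateral is treated as insolvent
    and the debt value is rounded up, against the borrower."""
    if rate == 0 or collateral == 0:
        return False
    debt_in_collateral = -(-borrow * rate // WAD)  # ceiling division
    ltv = -(-debt_in_collateral * LTV_PRECISION // collateral)
    return ltv <= MAX_LTV


# Constructed inputs: a healthy vault priced 1:1 ...
healthy_rate = exchange_rate(price_per_share(1_000 * WAD, 1_000 * WAD))
# ... and a vault holding 2,000 tokens against a single wei of shares.
inflated_rate = exchange_rate(price_per_share(2_000 * WAD, 1))

if __name__ == "__main__":
    print("healthy rate :", healthy_rate)
    print("inflated rate:", inflated_rate)
    print("naive   :", is_solvent_naive(10_000_000 * WAD, 1, inflated_rate))
    print("hardened:", is_solvent_hardened(10_000_000 * WAD, 1, inflated_rate))
```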
Attacker Launders Funds via Tornado Cash and Splits Across Addresses
After successfully draining the funds, the attacker swiftly laundered the stolen assets by converting them into ETH and routing them through Tornado Cash, a popular crypto privacy tool used to obfuscate the origin of transactions.
The ETH was subsequently distributed across two separate wallet addresses, complicating tracking and recovery efforts.
The use of Tornado Cash, though not uncommon in DeFi exploits, raises ongoing concerns about how privacy protocols are being leveraged to facilitate illicit activity in the decentralized space.
Investigations are ongoing, and the ReSupply team is collaborating with security experts to trace the assets and assess the full extent of the breach.
Protocol Remains Operational, But Trust and Security Now in Question
While ReSupply has stated that the exploit was limited to the wstUSR market and that the rest of the protocol remains operational, the attack has cast a shadow over its overall security integrity.
Users and investors are now demanding increased transparency and faster deployment of audited updates to avoid future vulnerabilities.
As DeFi continues to grow, incidents like this underline the urgent need for proactive risk assessments and more dynamic on-chain monitoring systems.
The platform’s ability to respond swiftly and deliver a thorough technical report will be crucial in regaining user trust and market confidence.
Broader Context: A String of Major Hacks Hits the Crypto Sector
ReSupply’s incident is the latest in a troubling series of major hacks plaguing the crypto ecosystem.
Nervos Network recently lost over $3 million in a cross-chain bridge exploit, again with funds funneled through Tornado Cash.
Taiwan-based exchange BitoPro suffered an $11 million hack during a system upgrade but managed to recover the funds swiftly.
Meanwhile, Mask Network founder Suji Yan lost $4 million after what is suspected to be a private key compromise.
These consecutive breaches highlight systemic security flaws across DeFi platforms, exchanges, and wallets, emphasizing the need for tighter smart contract auditing, improved private key management, and real-time threat detection across all layers of the crypto infrastructure.