
Hackers Swipe $9.5M from Stablecoin Protocol Using Sneaky Token Price Trick!
Date: 2025-06-26 10:12:31 | By Rupert Langley
Shocking $9.5M Heist Rocks Resupply: A Deep Dive into the Crypto Caper
The Heist Unfolds
Buckle up, crypto fans! In a daring move straight out of a cyber thriller, an attacker pulled off a slick maneuver, manipulating token prices and siphoning off a cool $9.5 million from the Resupply stablecoin protocol. This wasn't just any hack; it was a masterclass in exploiting exchange rate vulnerabilities!
Alarm Bells Ring
The heist was first spotted on June 25 by eagle-eyed security buffs at BlockSec Phalcon, who caught wind of a shady transaction that led to the massive loss. Resupply's team hit the panic button on X, pausing the compromised smart contract and confirming that only the wstUSR market took the hit. They're diving deep into a post-mortem, promising to keep the core protocol chugging along while they figure out what went wrong.
Unpacking the Scheme
Hold onto your hats because this is where it gets juicy! Resupply got hit in its wstUSR market, but the team was quick to isolate the affected contract. Security gurus are still piecing together the puzzle, but early buzz suggests it was a classic case of price manipulation in a low-liquidity market. The target? cvcrvUSD, a wrapped version of Curve DAO's crvUSD token, all cozy with Convex Finance.
The Cunning Play
Here's where the plot thickens: the attacker played a sneaky game, sending tiny donations to pump up the share price of cvcrvUSD. Why? Because Resupply's exchange rate formula was dancing to the tune of this inflated price, setting the stage for a perfect storm. With just one wei of cvcrvUSD as collateral, the attacker borrowed a whopping 10 million reUSD, Resupply's own stablecoin. Then, like a thief in the night, they swapped the loot into other assets on external markets, leaving Resupply $9.5 million lighter.
The Weak Link
Digging deeper, investigators found the Achilles' heel: an empty ERC4626 wrapper, moonlighting as a price oracle in the CurveLend pair. This little oversight let the attacker spike the cvcrvUSD price with just two crvUSD, sidestepping the usual collateral demands like a pro.
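To make the weak link concrete, here is an added example (not Resupply's or Curve's code) that models ERC4626 share accounting and a guard a lending market could run before trusting a wrapper's share price. The `Vault` model, `safe_oracle_price`, and the `MIN_SHARES` and `MAX_MOVE_BPS` thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

WAD = 10**18            # 18-decimal fixed point
MIN_SHARES = 10**21     # assumed floor: 1,000 whole shares outstanding
MAX_MOVE_BPS = 200      # assumed cap: 2% move versus the last accepted price

@dataclass
class Vault:
    """Accounting model of an ERC4626 wrapper (constructed for illustration)."""
    total_assets: int = 0   # underlying tokens held, in wei
    total_supply: int = 0   # shares outstanding, in wei

    def deposit(self, assets: int) -> int:
        if self.total_supply == 0 or self.total_assets == 0:
            shares = assets                      # first depositor mints 1:1
        else:
            shares = assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        self.total_assets += assets              # plain transfer: no shares minted

    def price_per_share(self) -> int:
        """Underlying wei redeemable for one whole share (1e18 share-wei)."""
        if self.total_supply == 0:
            return WAD
        return WAD * self.total_assets // self.total_supply

def safe_oracle_price(vault: Vault, last_price: int) -> int:
    """Accept the vault's share price only if supply is deep and the move is bounded."""
    if vault.total_supply < MIN_SHARES:
        raise ValueError("vault supply too thin to use as a price source")
    price = vault.price_per_share()
    if abs(price - last_price) * 10_000 > last_price * MAX_MOVE_BPS:
        raise ValueError("share price moved more than the allowed bound")
    return price

if __name__ == "__main__":
    # Constructed sample state: a near-empty wrapper versus a well-funded one.
    thin = Vault(); thin.deposit(1); thin.donate(2 * WAD)
    deep = Vault(); deep.deposit(5_000 * WAD); deep.donate(2 * WAD)
    for name, v in (("thin", thin), ("deep", deep)):
        try:
            print(name, "accepted at", safe_oracle_price(v, WAD))
        except ValueError as err:
            print(name, "rejected:", err, "| raw price", v.price_per_share())
```

The same two-token donation barely moves the well-funded vault's price but multiplies the near-empty vault's price by orders of magnitude, which is why the guard checks supply depth before it looks at the price at all.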
A Growing Menace
This isn't the first rodeo for price manipulation attacks in 2025. Remember Meta Pool and the GMX/MIM Spell ecosystem? Both got blindsided by similar tricks, thanks to oracle vulnerabilities and token price games in low-liquidity pools. It's a wild west out there, with attackers using weak pricing and flash loans to hit DeFi systems where it hurts, even systems that have passed those fancy security audits.
What's Next for Resupply?
As the dust settles, Resupply's team is keeping their cards close to their chest. Will they make users whole? Are recovery ops in the works? Stay tuned, because in the fast-paced world of crypto, the only thing you can count on is the next big twist!
