Resupply Protocol Suffers $9.5 Million Hack Due to Exchange Rate Vulnerability

The Resupply protocol for stablecoins has suffered a loss of approximately $9.5 million due to a hacking incident. The attacker exploited a vulnerability in the exchange rate calculation system.

The project team has confirmed the incident, stating that the compromised smart contract has been identified and suspended.

The perpetrator artificially inflated the price of the token cvcrvUSD, which is a wrapped version of crvUSD that has been staked in Convex Finance. This was accomplished by sending «donations» to the asset’s vault, resulting in a significant surge in its value.

According to data from OKX Explorer, the Resupply smart contract utilized this inflated cvcrvUSD price in its calculations. This allowed the hacker to borrow 10 million native stablecoins, reUSD, by using just 1 wei of cvcrvUSD as collateral.

BlockSec analysts noted that the stolen funds were withdrawn from the wstUSR market through a borrowing function.

Subsequently, the hacker exchanged the stolen reUSD for other assets on external platforms to realize profits.

It’s worth mentioning that on June 18, hackers breached the Iranian exchange Nobitex, stealing $100 million and revealing the platform’s source code.

Later, the L2 protocol zkLend, built on Starknet, announced its closure following a hacking attack and the delisting of its LEND token from major exchanges.