Stablecoin platform Resupply suffered a significant exploit worth $9.5 million after an attacker manipulated the price of a key collateral token, security firms reported.
Key Takeaways:
- Resupply lost $9.5 million after an attacker manipulated the price of cvcrvUSD to borrow reUSD cheaply.
- The attack exploited faulty price logic in the CurveLend contract used by ResupplyPair.
- Resupply paused the affected contract and is investigating the breach, with a full post-mortem pending.
The attack targeted cvcrvUSD, a wrapped version of Curve USD (crvUSD) staked on Convex Finance. By sending donations to the cvcrvUSD vault, the attacker inflated the token’s share price.
This inflated price was then used as collateral to borrow Resupply’s native stablecoin, reUSD, at a highly favorable exchange rate.
Resupply Exploit Linked to Manipulated Price Feed in CurveLend Contract
The Resupply smart contract involved, ResupplyPair (CurveLend: crvUSD/wstUSR), used the manipulated cvcrvUSD price in its calculations.
Once the attacker borrowed the reUSD, the manipulated exchange rate collapsed, triggering a significant devaluation of the protocol’s reserves.
Analysts at Blocksec noted that the attacker primarily drained funds from the wstUSR market by exploiting the flawed price logic in the borrowing function.
The stolen reUSD was then quickly converted into other crypto assets on external markets.
“Consequently, the attacker borrowed a large amount of reUSD with just 1 wei of cvcrvUSD as collateral, bypassing the insolvency check,” Blocksec wrote on X.
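The failure mode described above, as an added example that is not from the article, Blocksec or Resupply: a simplified integer-math model in which the exchange rate is assumed to be a fixed-point reciprocal of the share price, so an inflated price truncates the rate to zero and the loan-to-value check passes for any debt. All names, constants and formulas are assumptions for illustration; the article does not give the contract's actual arithmetic.

```python
# Integer-only model of a lending pair's solvency check (added illustration).
# Every name, constant and formula here is an assumption, not Resupply's code.
WAD = 10**18             # 18-decimal fixed point
RATE_PRECISION = 10**36  # assumed scale: rate = RATE_PRECISION // price
LTV_PRECISION = 10**5
MAX_LTV = 95_000         # constructed limit (95%)

def share_price(total_assets: int, total_shares: int) -> int:
    # ERC-4626-style price: a donation raises assets without minting shares.
    return total_assets * WAD // total_shares

def exchange_rate(price: int) -> int:
    # Floor division: the result is 0 as soon as price exceeds RATE_PRECISION.
    return RATE_PRECISION // price

def ltv(borrow: int, collateral: int, rate: int) -> int:
    return borrow * rate // WAD * LTV_PRECISION // collateral

def is_solvent_naive(borrow: int, collateral: int, rate: int) -> bool:
    # A zero rate makes the LTV zero, so any debt passes.
    return ltv(borrow, collateral, rate) <= MAX_LTV

def is_solvent_hardened(borrow: int, collateral: int, rate: int) -> bool:
    # Reject a truncated rate or empty collateral before trusting the LTV.
    if rate == 0 or collateral == 0:
        return False
    return ltv(borrow, collateral, rate) <= MAX_LTV

def demo() -> dict:
    assets, shares = 1, 1                      # constructed: near-empty vault
    normal = exchange_rate(share_price(assets, shares))
    assets += 2 * WAD                          # constructed donation, no shares minted
    inflated = exchange_rate(share_price(assets, shares))
    debt, collateral = 1_000_000 * WAD, 1      # 1 wei of collateral
    return {
        "normal_rate": normal,
        "inflated_rate": inflated,
        "naive_before": is_solvent_naive(debt, collateral, normal),
        "naive_after": is_solvent_naive(debt, collateral, inflated),
        "hardened_after": is_solvent_hardened(debt, collateral, inflated),
    }

if __name__ == "__main__":
    print(demo())
```

The hardened check still accepts an ordinary position, since it only refuses to treat a zero rate as meaning zero debt.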
Resupply acknowledged the breach in a statement and confirmed that the compromised contract has been paused. The team is investigating the incident and has not yet confirmed any recovery plans.
“A full post-mortem will be shared as soon as a complete analysis of the situation has been performed,” the team wrote.
Resupply will not post any links after this tweet. Links below this tweet that look like Resupply are spam, fake or phishing links. Do not click on any link under this tweet. pic.twitter.com/FExOvng40U
— Resupply (@ResupplyFi) June 26, 2025
Fuzzland Reveals $2M Insider Exploit on Bedrock’s UniBTC Protocol
On Wednesday, Fuzzland disclosed that a $2 million exploit targeting Bedrock’s UniBTC protocol in September 2024 was carried out by a former employee posing as an MEV developer.
The attacker used social engineering, inserted malware through a trojanized Rust crate, and maintained undetected access to engineering systems for over three weeks.
The breach culminated in the UniBTC protocol being exploited shortly after Fuzzland mentioned a security vulnerability.
Notably, in the first three months of 2025, the crypto ecosystem lost a whopping $1,635,933,800 across 39 incidents, according to the blockchain security platform Immunefi.
Most of that was the result of just two hacks of two centralized exchanges. Phemex suffered a $69.1 million loss in January, while Bybit lost $1.46 billion in February.
Therefore, the total losses in the first quarter mark a 4.7x increase compared to Q1 2024. At that time, hackers and fraudsters stole $348,251,217.
Notably, experts believe that the notorious North Korean Lazarus Group is behind the two largest attacks. They stole $1.52 billion, or 94% of total losses.
The post Stablecoin Protocol Resupply Exploited for $9.5M After Attacker Inflates Token Price appeared first on Cryptonews.