The stablecoin protocol Resupply has suffered a loss of approximately $9.5 million due to a hack. The perpetrator exploited a vulnerability in the exchange rate calculation system.
Resupply has experienced an exploit in the wstUSR market. The affected contract has been identified and paused. Only the wstUSR market was impacted and the protocol continues to function as intended. A full post-mortem will be shared as soon as a complete analysis of the…
— Resupply (@ResupplyFi) June 26, 2025
The project team confirmed the incident, stating that the vulnerable smart contract has been identified and suspended.
The attacker artificially inflated the price of the cvcrvUSD token—a wrapped version of crvUSD staked in Convex Finance. This was achieved by sending “donations” to the asset’s vault, causing its value to spike.
According to OKX Explorer, the Resupply smart contract used the inflated cvcrvUSD price in its calculations. This allowed the attacker to borrow 10 million native reUSD stablecoins using just 1 wei of cvcrvUSD as collateral.
?Security Alert
On June 26, 2025, the @ResupplyFi experienced a security breach, resulting in a loss of approximately $9.3 million.The attack was made possible by inflating the share token price of an empty crvUSD Vault through a donation attack, enabling the attacker to… pic.twitter.com/pU0g8riOLi
— OKX Explorer (@okxexplorer) June 26, 2025
Analysts at BlockSec added that the funds were withdrawn from the wstUSR market through a borrowing function.
? $9.5M lost in today’s attack… https://t.co/N1tcITVr6f
— BlockSec (@BlockSecTeam) June 26, 2025
Subsequently, the attacker exchanged the stolen reUSD for other assets on external platforms to secure profits.
Here are the latest whereabouts of the stolen $9.6M funds from @ResupplyFi pic.twitter.com/8HWYd3yqtT
— PeckShield Inc. (@peckshield) June 26, 2025
Earlier, on June 18, hackers breached the Iranian exchange Nobitex for $100 million and exposed the platform’s source code.
Later, the L2-protocol zkLend on the Starknet platform announced its closure due to a hack and the delisting of the LEND token from major exchanges.