Stablecoin platform Resupply suffered a significant exploit value $9.5 million after an attacker manipulated the value of a key collateral token, safety companies reported.
Key Takeaways:
- Resupply misplaced $9.5 million after an attacker manipulated the value of cvcrvUSD to borrow reUSD cheaply.
- The exploit exploited defective value logic within the CurveLend contract utilized by ResupplyPair.
- Resupply paused the affected contract and is investigating the breach, with a full autopsy pending.
The assault focused cvcrvUSD, a wrapped model of Curve USD (crvUSD) staked on Convex Finance. By sending donations to the cvcrvUSD vault, the attacker inflated the token’s share value.
This inflated value was then used as collateral to borrow Resupply’s native stablecoin, reUSD, at a extremely favorable alternate fee.
Resupply Exploit Linked to Manipulated Value Feed in CurveLend Contract
The Resupply sensible contract concerned, ResupplyPair (CurveLend: crvUSD/wstUSR), used the manipulated cvcrvUSD value in its calculations.
As soon as the attacker borrowed the reUSD, the manipulated alternate fee collapsed, triggering a significant devaluation of the protocol’s reserves.
Analysts at Blocksec famous that the attacker primarily drained funds from the wstUSR market by exploiting the flawed value logic within the borrowing operate.
The stolen reUSD was then swiftly transformed into different crypto property on exterior markets.
“Because of this, the attacker borrowed huge reUSD with simply 1 wei of cvcrvUSD as collateral, bypassing the insolvency examine,” Blocksec wrote on X.
Resupply acknowledged the breach in a press release and confirmed that the compromised contract has been paused. The workforce is investigating the incident and has not but confirmed any restoration plans.
“A full autopsy can be shared as quickly as a whole evaluation of the state of affairs has been carried out,” the workforce wrote.
Resupply is not going to publish any hyperlinks after this tweet. Hyperlinks beneath this tweet that appear like Resupply are spam, pretend or phishing hyperlinks. Don’t click on any hyperlink beneath this tweet. pic.twitter.com/FExOvng40U
— Resupply (@ResupplyFi) June 26, 2025
Fuzzland Reveals $2M Insider Exploit on Bedrock’s UniBTC Protocol
On Wednesday, Fuzzland disclosed {that a} $2 million exploit concentrating on Bedrock’s UniBTC protocol in September 2024 was carried out by a former worker posing as an MEV developer.
The attacker used social engineering, inserted malware through a trojanized Rust crate, and maintained undetected entry to engineering programs for over three weeks.
The breach culminated within the UniBTC protocol being exploited shortly after Fuzzland mentioned a safety vulnerability.
Notably, within the first three months of 2025, the crypto ecosystem misplaced a whopping $1,635,933,800 throughout 39 incidents, in accordance with the blockchain safety platform Immunefi.
Most of that was the results of solely two hacks of two centralized exchanges. Phemex suffered a $69.1 million loss in January, whereas Bybit misplaced $1.46 billion in February.
Subsequently, the entire variety of losses within the first quarter marks a 4.7x improve in comparison with Q1 2024. At the moment, hackers and fraudsters stole $348,251,217.
Notably, consultants assume that the notorious North Korean Lazarus Group is behind the 2 largest assaults. They stole $1.52 billion, or 94% of whole losses.
The publish Stablecoin Protocol Resupply Exploited for $9.5M After Attacker Inflates Token Value appeared first on Cryptonews.