DeFi protocol ResupplyFi hacked for $9.6 million; native stablecoin reUSD briefly depegged to $0.969


Another DeFi protocol has been hacked! ResupplyFi, a DeFi protocol focused on decentralized lending and stablecoin services, confirmed earlier today on X that its wstUSR market was exploited through a major security vulnerability, resulting in a loss of approximately $9.6 million in crypto assets.

The wstUSR market of ResupplyFi has encountered a vulnerability attack. The affected smart contract has been identified and suspended. Only the wstUSR market was impacted, with other parts of the protocol still functioning as designed. We will share a comprehensive post-mortem analysis report as soon as possible after completing a thorough investigation.

Hacker Attack Details and Vulnerability Source

According to a report by Cointelegraph, security firms said the hackers exploited a price manipulation vulnerability in the ResupplyPair smart contract, specifically targeting the protocol's integration with the synthetic stablecoin cvcrvUSD. The attacker manipulated the cvcrvUSD price by "donating" to a low-liquidity market or using a flash loan, and then borrowed approximately 10 million reUSD (Resupply's native stablecoin) against extremely low collateral. The borrowed reUSD was quickly converted into other crypto assets, including ETH and USDC, causing a net loss of about $9.6 million.

The root cause of the vulnerability is that the Resupply protocol used an empty ERC4626 wrapper as a price oracle, which left the pricing logic severely flawed. This design flaw allowed the hackers to manipulate the exchange rate at very low cost and drain a large amount of funds. Cyvers noted that the hacker's initial funds were provided through the crypto mixer Tornado Cash, which further obscures the source of the funds and makes tracing more difficult.

Currently, the stolen funds have been converted to approximately $2 million in ETH, $3.6 million in USDC, and other crypto assets, and distributed across two anonymous wallet addresses.

ResupplyFi USD Depegging

As a result, ResupplyFi USD (reUSD) depegged to a low of $0.96902 today. At the time of writing it is trading at $0.9906, with a market cap of around $82.45 million.

Source: CoinGecko

What is ResupplyFi?

ResupplyFi is a decentralized finance (DeFi) protocol focused on providing decentralized lending and stablecoin trading services. It allows users to borrow and lend through smart contracts, collateralize assets to generate stablecoins (such as reUSD), and take part in liquidity mining. One of its primary markets is the wstUSR market, which involves integration with synthetic stablecoins like cvcrvUSD.

This incident once again sounds the alarm on the security of DeFi protocols. Experts recommend that DeFi projects strengthen input validation in smart contracts, improve price oracle design, and conduct stress tests under extreme conditions to prevent similar price manipulation attacks. Additionally, adopting multiple oracles or decentralized data sources can effectively reduce risk.
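
To make the root cause and the oracle-design recommendation concrete, the following added example (not Resupply's code and not part of the original article) models ERC4626-style share-price accounting in Python and a guard that refuses to price collateral from a thinly supplied vault. The names Vault, GuardedOracle, min_supply and max_jump_bps, and all amounts, are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point

@dataclass
class Vault:
    """Simplified ERC4626-style accounting: price = total_assets / total_supply."""
    total_assets: int = 0
    total_supply: int = 0

    def deposit(self, assets: int) -> int:
        # First deposit mints 1:1; later deposits mint pro rata, rounded down.
        empty = self.total_supply == 0 or self.total_assets == 0
        shares = assets if empty else assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        # A direct token transfer raises assets without minting any shares.
        self.total_assets += assets

    def share_price(self) -> int:
        # Assets per whole share, WAD-scaled; undefined for an empty vault.
        if self.total_supply == 0:
            raise ValueError("empty vault has no share price")
        return self.total_assets * WAD // self.total_supply

class GuardedOracle:
    """Hypothetical guard: reject rates from thin vaults or with large jumps."""
    def __init__(self, min_supply: int, max_jump_bps: int, last_price: int = WAD):
        self.min_supply = min_supply
        self.max_jump_bps = max_jump_bps
        self.last_price = last_price

    def read(self, vault: Vault) -> int:
        if vault.total_supply < self.min_supply:
            raise ValueError("share supply below minimum; rate not trustworthy")
        price = vault.share_price()
        if abs(price - self.last_price) * 10_000 > self.max_jump_bps * self.last_price:
            raise ValueError("rate moved more than allowed since last update")
        self.last_price = price
        return price

def demo():
    # Constructed amounts: the same 1,000-token donation hits two vaults.
    thin, deep = Vault(), Vault()
    thin.deposit(1); thin.donate(1_000 * WAD)              # 1 wei of shares
    deep.deposit(5_000_000 * WAD); deep.donate(1_000 * WAD)
    return thin, deep
```

The same donation moves the well-supplied vault's rate by 0.02% but multiplies the near-empty vault's rate by roughly 10^21, which is why the guard refuses to quote a rate below a minimum share supply.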
