The decentralized finance, or DeFi, protocol Resupply has confirmed a security breach in its specific wstUSR market. The significant security breach has led to approximately $9.6 million in total cryptocurrency losses for the protocol. A blockchain security firm said on Thursday that the exploit was triggered by a sophisticated price manipulation attack. This attack involved the protocol’s integration with a synthetic stablecoin that is called cvcrvUSD by all of the users. The security incident highlights ongoing serious security concerns in many different decentralized finance protocols currently operating. These concerns are particularly relevant for those involving synthetic assets and also oracle-dependent transaction validation mechanisms.
Meir Dolev, who is Cyvers’ co-founder and chief technology officer, told Cointelegraph about the security incident. The attacker exploited a price manipulation bug that was found in the protocol’s ResupplyPair smart contract. By successfully inflating the share price of the asset, they were able to borrow ten million dollars in reUSD. This was all accomplished by using only a very minimal amount of their own collateral to secure the loan. The security firm Cyvers also said in its post that the attacker was funded through the Tornado Cash mixer. The stolen funds were then quickly swapped to Ether and split across two separate destination wallet addresses.
In its official response to the exploit, the Resupply team has issued a statement acknowledging the security incident.
The company also confirmed that only its wstUSR market was affected by this particular price manipulation attack. The DeFi protocol said the impacted contracts had already been paused in order to prevent any further damage. A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted. The security expert said that several different security measures might have prevented the attack from ever succeeding. These measures include proper input validation, oracle checks, adding sanity checks, and also some real-time anomaly monitoring.
The price manipulation exploit on the Resupply protocol comes as hack losses have reached billions of dollars this year. On June 4, the crypto security firm CertiK said over $2.1 billion had already been stolen. This amount was stolen through many different hacks and exploits that have occurred throughout the calendar year of 2025. The security firm CertiK also said that many different hackers have started to shift their tactics to social engineering. Meanwhile, Fuzzland recently revealed that a former employee was responsible for a two-million-dollar Bedrock UniBTC exploit. The insider used social engineering tactics and supply chain attacks to steal the sensitive data used in the exploit.
Reference: