A flaw in ResupplyFi’s contract allowed an attacker to manipulate token prices and drain $9.6 million from its wstUSR market.
Decentralized finance (DeFi) protocol Resupply confirmed a security breach in its wstUSR market, which led to about $9.6 million in crypto losses.
Blockchain security firm Cyvers said on Thursday that the exploit was triggered by a price manipulation attack involving the protocol’s integration with a synthetic stablecoin called cvcrvUSD.
Meir Dolev, Cyvers’ co-founder and chief technology officer, told Cointelegraph that the attacker exploited a price manipulation bug in the ResupplyPair contract. “By inflating the share price, they borrowed $10 million reUSD using minimal collateral,” Dolev said.
Cyvers said in the post that the attacker was funded through Tornado Cash, and the stolen funds were swapped to Ether (ETH) and split across two addresses.
Resupply pauses affected contracts in response to the attack
The incident highlights ongoing security concerns in DeFi protocols, particularly those involving synthetic assets and oracle-dependent mechanisms.
Dolev told Cointelegraph that several security measures might have prevented the attack, including proper input validation, oracle checks and edge-case testing.
When asked how protocols can avoid similar hacks, the security expert said that adding sanity checks in the lending logic and monitoring real-time anomalies could help.
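The kind of lending-side sanity check Dolev describes can be sketched in a simplified model. This is an added example, not Resupply's code or Cyvers' analysis; the `Vault` and `LendingPair` classes, the 80% loan-to-value limit, the 5% price band and all balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PRECISION = 10**18        # fixed-point scale for share prices
MAX_LTV_BPS = 8_000       # assumed policy: borrow up to 80% of collateral value
MAX_JUMP_BPS = 500        # assumed policy: price may move 5% from the checkpoint

class PriceSanityError(Exception):
    """Raised when the collateral price fails a lending-side sanity check."""

@dataclass
class Vault:
    """Constructed stand-in for a share-based collateral vault."""
    total_assets: int
    total_shares: int

    def share_price(self) -> int:
        if self.total_shares <= 0:
            raise PriceSanityError("vault has no shares outstanding")
        return self.total_assets * PRECISION // self.total_shares

class LendingPair:
    def __init__(self, vault: Vault, sanity_checks: bool):
        self.vault = vault
        self.sanity_checks = sanity_checks
        self.checkpoint = vault.share_price()  # last price accepted as sane

    def max_borrow(self, collateral_shares: int) -> int:
        price = self.vault.share_price()
        if self.sanity_checks:
            if collateral_shares <= 0 or price <= 0:
                raise PriceSanityError("zero collateral or zero price")
            moved = abs(price - self.checkpoint) * 10_000
            if moved > MAX_JUMP_BPS * self.checkpoint:
                raise PriceSanityError("share price moved beyond allowed band")
            self.checkpoint = price  # accept small drift as the new reference
        return collateral_shares * price * MAX_LTV_BPS // (10_000 * PRECISION)

if __name__ == "__main__":
    vault = Vault(total_assets=1_000, total_shares=1_000)  # constructed state
    naive, guarded = LendingPair(vault, False), LendingPair(vault, True)
    print("normal limit for 1,000 shares:", guarded.max_borrow(1_000))
    vault.total_assets = 10_000_000_000  # constructed anomalous price jump
    print("unchecked limit for 1 share:", naive.max_borrow(1))
    try:
        guarded.max_borrow(1)
    except PriceSanityError as err:
        print("guarded pair rejected borrow:", err)
```

In a deployed contract the checkpoint would also be bound to time or block height, so that a series of small moves within one transaction cannot ratchet the reference price upward.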
In response to the exploit, Resupply issued a statement acknowledging the incident. The company confirmed that only its wstUSR market was affected. The DeFi protocol said the impacted contracts had already been paused to prevent further damage.
“A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted,” the team wrote.
Crypto hack losses reached $2.1 billion in 2025
The price manipulation exploit on Resupply comes as hack losses reached billions this year.
On June 4, crypto security firm CertiK said over $2.1 billion had already been stolen through hacks and exploits in 2025. CertiK also said hackers have started to shift tactics to social engineering.
Meanwhile, smart contract platform Fuzzland recently revealed that a former employee was responsible for a $2 million Bedrock UniBTC exploit in 2024.
The platform said the insider used social engineering tactics, supply chain attacks and advanced persistent threat techniques to steal sensitive data used in the exploit.
Source: https://cointelegraph.com/