Stablecoin protocol Resupply exploited to the tune of $9.6M


Another decentralized finance (DeFi) protocol has fallen victim to an exchange rate-related vulnerability, allowing an exploiter to steal around $9.6 million worth of crypto assets.

This time it was Resupply's turn. The stablecoin protocol, which presents itself as decentralized and is used by popular DeFi protocols, "experienced an exploit" in its resolv wstUSR (WSTUR) token market on Thursday. The affected smart contract was paused, while the protocol itself is said to be functioning "as intended."

At the time of writing, the team still hasn't published a more detailed report on the incident. However, multiple blockchain security firms, such as BlockSec Phalcon, CertiK, and Cyvers, point to the exchange rate-related vulnerability that the attacker exploited.

"Yet another lending protocol exploited via exchange rate manipulation on low-liquidity – even empty – markets!" BlockSec Phalcon said.

The vulnerability allowed the criminal to manipulate token prices and, technically, "borrow" a large sum of the resupply USD (reUSD) stablecoin by using a very small amount of crypto as collateral and bypassing the insolvency check. Resupply allows users to lend crvUSD or frxUSD stablecoins through DeFi protocols while borrowing reUSD stablecoins using those lending positions as collateral.

"Stolen funds were swapped to $ETH and split across two addresses," Cyvers said.

Following the attack, which was reportedly funded via the Tornado Cash mixer, the price of the reUSD stablecoin fluctuated but is now at the same level as it was a day ago. On two occasions in recent months, the token dropped even more than during this incident.

resupplyFi chart

According to Resupply's website, a total of 68 million reUSD ($67 million) is borrowed on the platform.

Meanwhile, in related news, zkLend, a money market and lending protocol that was hacked for more than $9 million in February 2025, announced that it's winding down its operations and will be using the remainder of its treasury, worth $200,000, to support affected users.
