Decentralized stablecoin protocol Resupply has suffered a $9.5 million loss after an attacker manipulated token prices to distort exchange rates and drain funds.
The exploit was first identified on June 25 by security platform BlockSec Phalcon, which flagged a suspicious transaction tied to the theft. Resupply confirmed the incident on X, stating that the compromised smart contract—limited to its wstUSR market—has been paused. The team assured that its core protocol remains unaffected and a detailed post-mortem is underway.
Initial analysis by security researchers suggests the attacker exploited low liquidity to manipulate prices. The target was cvcrvUSD, a wrapped version of Curve DAO’s crvUSD token staked through Convex Finance. By sending small donations, the attacker artificially boosted the token’s share price. Since Resupply’s exchange rate formula relied on this inflated price, the system was left exposed.
A full technical report is expected once the investigation concludes.
