The DeFi space just suffered another major blow. A hacker exploited a rare vulnerability in Resupply, draining the protocol of $9.6 million in a matter of minutes.

👉 Resupply is a decentralized lending platform that allows users to mint and borrow its native stablecoin, reUSD, by depositing yield-bearing assets like wstETH, wstYFI, and others — integrating with protocols such as Yearn and Convex.

🕵️‍♂️ 💥 How the Hack Worked:

🪙 The hacker first deposited just 1 wei (the tiniest amount) of collateral (wstUSR) into the protocol.

🧪 Next, they made small “donations” to a low-liquidity pool, manipulating the price of the synthetic stablecoin called cvcrvUSD to drop sharply.

🧮 This caused the Resupply smart contract’s exchange rate for the collateral to fall to zero.

🚪 Because the contract lacked proper validation, it allowed borrowing against collateral valued at zero.

💸 Using this flaw, the hacker borrowed nearly $9.6 million in reUSD against their negligible collateral.

🔄 The stolen stablecoins were immediately swapped into USDC and wrapped ETH (wETH).

🌀 The funds were laundered through Tornado Cash and split across multiple wallets to obscure the trail.

🐞 What’s a Zero-Exchange-Rate Bug?

A zero-exchange-rate bug occurs when a smart contract miscalculates a token’s value as zero, often due to manipulated price feeds or insufficient validation.

❓ If the collateral has zero value, how did the smart contract allow borrowing?

Normally, the smart contract should have rejected the loan because borrowing against worthless collateral is unsafe. However, due to missing or faulty validation, the system:

■ Did not properly check that the collateral value was greater than zero,

■ Failed to enforce minimum collateral requirements or sanity checks on the exchange rate,

■ And thus processed the borrow request despite the collateral being essentially worthless.

This logic flaw allowed the hacker to drain millions with almost no collateral.
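To make the three missing checks concrete, here is an added example (not Resupply's code, and not taken from any audit) that models a simplified Fraxlend-style solvency check in integer arithmetic. The fixed-point scales, the 75% LTV cap, the minimum-collateral floor, the 5% oracle-deviation bound and the sample amounts are all constructed for illustration. The vulnerable path shows why a zero exchange rate lets an arbitrary borrow through: the LTV is computed by multiplying the debt by the rate, so a rate of zero makes any position look fully collateralised. The hardened path adds the validation the post describes.

```python
# Added example, not Resupply's code: vulnerable vs. hardened borrow check.
# Constants and sample values are constructed; the formula mirrors the common
# Fraxlend-style LTV computation (an assumption, not the exploited contract).
from dataclasses import dataclass

EXCHANGE_PRECISION = 10**18   # fixed-point scale for the exchange rate (assumed)
LTV_PRECISION = 10**5         # 100_000 == 100 %
MAX_LTV = 75_000              # 75 % loan-to-value cap (constructed)
MIN_COLLATERAL = 10**15       # 0.001 token dust floor (constructed)
MAX_RATE_DEVIATION_BPS = 500  # reject rates more than 5 % from the reference (constructed)


@dataclass
class Position:
    collateral: int   # collateral token units (wei)
    borrowed: int     # stablecoin debt units (wei)


def ltv_of(pos: Position, exchange_rate: int) -> int:
    """Loan-to-value scaled by LTV_PRECISION.

    exchange_rate is 'collateral units per debt unit', scaled by EXCHANGE_PRECISION.
    Integer division mirrors Solidity: if the rate rounds to 0, the LTV is 0,
    so any debt against any collateral looks solvent.
    """
    if pos.collateral == 0:
        raise ValueError("no collateral")
    return (pos.borrowed * exchange_rate // EXCHANGE_PRECISION) * LTV_PRECISION // pos.collateral


def borrow_vulnerable(pos: Position, amount: int, exchange_rate: int) -> tuple[bool, str]:
    """Vulnerable path: trusts whatever exchange rate the oracle math produced."""
    new_pos = Position(pos.collateral, pos.borrowed + amount)
    if ltv_of(new_pos, exchange_rate) > MAX_LTV:
        return False, "insolvent"
    return True, "ok"   # with exchange_rate == 0 this is reached for ANY amount


def borrow_hardened(pos: Position, amount: int, exchange_rate: int,
                    reference_rate: int) -> tuple[bool, str]:
    """Hardened path: the sanity checks the post lists as missing.

    reference_rate is the last accepted rate (or a TWAP); it is never zero
    because this function refuses to accept a zero rate in the first place.
    """
    new_pos = Position(pos.collateral, pos.borrowed + amount)
    if exchange_rate == 0 or reference_rate == 0:
        return False, "exchange rate is zero"
    if new_pos.collateral < MIN_COLLATERAL:
        return False, "collateral below minimum"
    deviation_bps = abs(exchange_rate - reference_rate) * 10_000 // reference_rate
    if deviation_bps > MAX_RATE_DEVIATION_BPS:
        return False, f"rate deviates {deviation_bps} bps from reference"
    if ltv_of(new_pos, exchange_rate) > MAX_LTV:
        return False, "insolvent"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: an honest borrower and a 1-wei position at a zero rate."""
    one = 10**18
    fair_rate = one                       # 1 collateral unit per debt unit (constructed)
    honest = Position(collateral=100 * one, borrowed=0)
    dust = Position(collateral=1, borrowed=0)   # 1 wei of collateral, as in the post
    huge = 9_600_000 * one                      # debt in the order the post reports
    return {
        "honest_vulnerable": borrow_vulnerable(honest, 50 * one, fair_rate),
        "honest_hardened": borrow_hardened(honest, 50 * one, fair_rate, fair_rate),
        "dust_vulnerable": borrow_vulnerable(dust, huge, 0),   # (True, "ok"): the bug
        "dust_hardened": borrow_hardened(dust, huge, 0, fair_rate),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The deviation bound is the piece that also stops a manipulated but non-zero rate: a rate that drifts 10% from the last accepted value in a single block is rejected before the LTV is even computed, which is what an oracle sanity check buys you in practice.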

🛠️ Resupply’s Response:

⏸️ Immediately paused the wstUSR market to contain the breach.

✅ Confirmed that all other protocol markets remain secure and operational.

📋 Launched a full post-mortem investigation to identify the root cause and patch vulnerabilities.

⚠️ Why This Matters:

📉 Adds $9.6M to the more than $2.1 billion lost to DeFi exploits in 2025 so far, according to the crypto security firm CertiK.

🧱 Highlights the risks of relying on low-liquidity price oracles and edge-case vulnerabilities.

🧬 Even small, obscure bugs can result in devastating financial losses.

🧯 Expert Takeaways:

Security specialists recommend:

🔍 Implementing oracle sanity checks to prevent artificial price distortions.

🧪 Running edge-case simulations during testing.

🚨 Using real-time anomaly detection for unusual transactions.

🧰 Building fail-safe triggers in smart contracts for emergency response.
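The last two recommendations (real-time anomaly detection and fail-safe triggers) can be combined into one guard. The following is an added example, not Resupply's tooling: it replays a constructed stream of borrow events and flags a market for pausing when it sees the pattern described above, namely a zero exchange rate, a rate that jumps too far between blocks, or a borrow against dust collateral. The event fields, the "wstUSR" market label, the thresholds and the sample amounts are all assumptions made for the example.

```python
# Added example, not Resupply's tooling: a borrow-event monitor with a pause trigger.
# Event shape, thresholds and sample data are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class BorrowEvent:
    block: int
    market: str
    borrower: str
    collateral: int     # collateral units (wei)
    borrowed: int       # debt units (wei)
    exchange_rate: int  # rate the contract used for this borrow (fixed-point)


@dataclass
class MarketGuard:
    dust_collateral: int        # anything below this is treated as dust
    max_rate_move_bps: int      # max allowed rate move between observed blocks
    last_rate: dict = field(default_factory=dict)   # market -> last healthy rate
    paused: set = field(default_factory=set)
    alerts: list = field(default_factory=list)      # (block, market, reasons)

    def observe(self, ev: BorrowEvent) -> list[str]:
        """Return the anomaly reasons for this event; pause the market if any."""
        reasons = []
        if ev.market in self.paused:
            reasons.append("borrow on a paused market")
        if ev.exchange_rate == 0:
            reasons.append("zero exchange rate")
        prev = self.last_rate.get(ev.market)
        if prev:
            move_bps = abs(ev.exchange_rate - prev) * 10_000 // prev
            if move_bps > self.max_rate_move_bps:
                reasons.append(f"exchange rate moved {move_bps} bps in one step")
        if ev.borrowed > 0 and ev.collateral < self.dust_collateral:
            reasons.append("borrow against dust collateral")
        if reasons:
            # Fail-safe trigger: pause the market; keep the last healthy rate as reference.
            self.paused.add(ev.market)
            self.alerts.append((ev.block, ev.market, reasons))
        else:
            self.last_rate[ev.market] = ev.exchange_rate
        return reasons


def replay(events: list[BorrowEvent], guard: MarketGuard) -> MarketGuard:
    for ev in events:
        guard.observe(ev)
    return guard


def constructed_events() -> list[BorrowEvent]:
    """Constructed sample stream: two healthy borrows, then a 1-wei borrow at rate 0."""
    one = 10**18
    return [
        BorrowEvent(100, "wstUSR", "0xhonest1", 100 * one, 40 * one, one),
        BorrowEvent(101, "wstUSR", "0xhonest2", 250 * one, 90 * one, one * 101 // 100),
        BorrowEvent(102, "wstUSR", "0xdust", 1, 9_600_000 * one, 0),
        BorrowEvent(103, "wstUSR", "0xhonest1", 100 * one, 5 * one, one),
    ]


def run_demo() -> MarketGuard:
    guard = MarketGuard(dust_collateral=10**15, max_rate_move_bps=500)
    return replay(constructed_events(), guard)


if __name__ == "__main__":
    g = run_demo()
    for block, market, reasons in g.alerts:
        print(f"block {block} market {market}: {'; '.join(reasons)}")
    print("paused markets:", sorted(g.paused))
```

Keeping the reference rate at the last healthy value, rather than the last observed one, matters: if the monitor accepted the manipulated rate as its new baseline, the next "move" check would compare against the bad value and miss the recovery or a second manipulation.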

👉 Lesson: In DeFi, even the tiniest bug can be worth millions. Audits, testing, and fail-safes aren’t optional — they’re survival.