On June 26, 2025, about 1.5 hours after the DAO-approved deployment of a new wstUSR market, Resupply, a CDP-backed stablecoin sub-DAO under Convex and Yearn Finance, lost $9.6M to a donation attack on an empty ERC-4626 collateral vault. The ResupplyPair contract (0x6e…6bd6) valued collateral from the vault's price per share, and that price was derived from an unchecked balanceOf, so a direct token transfer into the vault could move it arbitrarily.

Attack sequence: funded via Tornado Cash, the attacker flash-loaned $4K USDC from Morpho and swapped it to crvUSD; donated 2K crvUSD to the empty vault, inflating its share price; then deposited 2 crvUSD, which at the inflated price minted only 1 wei of cvcrvUSD shares, and posted that 1 wei as collateral. The inflated price per share made the pair's oracle/exchange-rate calculation floor-divide to zero, so the solvency check evaluated the position as solvent for any borrow size. The attacker borrowed 10M reUSD against the 1 wei of collateral, swapped through scrvUSD/crvUSD on Curve and Uniswap, and withdrew in WETH for a $9.6M profit (including roughly $2M in ETH and $3.6M in USDC).

Cyvers flagged the exchange-rate manipulation as it happened. Resupply paused the wstUSR market and insurance-pool withdrawals; TVL dropped from $135M to $107M and the RSUP token crashed.

Recovery: the treasury covered $2.86M reUSD; the DAO proposed burning 6M reUSD (about 15.5% of the insurance pool, worth roughly $6M), with $1.13M repaid via fees and RSUP sales; a developer personally donated $1.4M; the full $10M of bad debt was cleared by August with insurance-pool, Convex and Yearn support.

The flaw is the well-known empty-vault inflation risk of ERC-4626 designs, yet it survived audits and was exploited within two hours of launch. Mitigations the incident points to: virtual shares / decimals-offset accounting so a donation cannot push the share price far enough to zero out the exchange rate, a hard revert when a derived exchange rate rounds to zero (a cheap check worth adding alongside the offset), seeding new markets with non-trivial liquidity before borrows are enabled, pre-deployment equilibrium simulations, and robust access controls. Such controls are what stand between DeFi and $9.6M manipulations like this one amid 2025's $2.3B+ in hacks.
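The integer arithmetic behind the exploit is easy to reproduce. The following is an added illustration, not Resupply's, Curve's or Convex's code; every formula in it is an assumption chosen to model the mechanism the report describes: an ERC-4626 vault with OpenZeppelin-style virtual accounting (one virtual asset, `10**offset` virtual shares), an oracle that returns `exchangeRate = 1e36 // convertToAssets(1e18)`, and a Fraxlend-style loan-to-value check with an assumed 95% maximum. The deposit of 3 tokens is a constructed amount that yields the reported 1 wei of shares at a small offset. The example goes slightly beyond the report by contrasting a small offset (1000 virtual shares) with a large one (1e18) and with a zero-rate guard in the oracle.

```python
"""Integer model of the empty-vault donation attack described in the report.

Added illustration, not the protocol's code. Assumed formulas:
  vault shares/assets: OpenZeppelin-style virtual offset (1 asset, 10**offset shares)
  oracle:              exchangeRate = 1e36 // convertToAssets(1e18)
  solvency:            borrow * rate // 1e18 * 1e5 // collateralShares <= MAX_LTV
"""

WAD = 10**18                 # one token with 18 decimals
EXCHANGE_PRECISION = 10**18  # scale of exchangeRate (collateral shares per asset)
LTV_PRECISION = 10**5        # 100% == 100_000
MAX_LTV = 95_000             # assumed 95% maximum loan-to-value


class Vault:
    """Minimal ERC-4626 share accounting with a virtual-shares offset (assumed)."""

    def __init__(self, decimals_offset: int) -> None:
        self.virtual_shares = 10**decimals_offset
        self.total_assets = 0   # stands in for balanceOf(vault)
        self.total_supply = 0

    def donate(self, assets: int) -> None:
        """Direct token transfer: balanceOf grows, no shares are minted."""
        self.total_assets += assets

    def deposit(self, assets: int) -> int:
        shares = assets * (self.total_supply + self.virtual_shares) // (self.total_assets + 1)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def convert_to_assets(self, shares: int) -> int:
        return shares * (self.total_assets + 1) // (self.total_supply + self.virtual_shares)


def exchange_rate(vault: Vault, reject_zero: bool = False) -> int:
    """Oracle (assumed formula): collateral shares per asset, scaled by 1e18.
    Floors to 0 as soon as the price of 1e18 shares exceeds 1e36 asset wei."""
    price_per_share = vault.convert_to_assets(WAD)
    rate = 10**36 // price_per_share
    if reject_zero and rate == 0:
        raise ValueError("oracle: exchange rate rounded to zero")
    return rate


def is_solvent(borrow: int, collateral_shares: int, rate: int) -> bool:
    """Fraxlend-style LTV check (assumed). A zero rate makes any borrow look solvent."""
    if borrow == 0:
        return True
    if collateral_shares == 0:
        return False
    ltv = (borrow * rate // EXCHANGE_PRECISION) * LTV_PRECISION // collateral_shares
    return ltv <= MAX_LTV


def run_attack(decimals_offset: int, reject_zero: bool = False) -> dict:
    """Replay the reported sequence against a fresh vault: donate, deposit a few
    tokens for a dust amount of shares, then try to borrow 10M against that dust."""
    vault = Vault(decimals_offset)
    vault.donate(2_000 * WAD)          # donation inflates balanceOf, mints nothing
    shares = vault.deposit(3 * WAD)    # constructed amount: 1 wei of shares at offset 3
    rate = exchange_rate(vault, reject_zero)
    borrow = 10_000_000 * WAD
    return {
        "collateral_shares": shares,
        "price_per_share": vault.convert_to_assets(WAD),
        "exchange_rate": rate,
        "solvent": is_solvent(borrow, shares, rate),
    }


def oracle_rejects_attack(decimals_offset: int) -> bool:
    """True when the zero-rate guard stops the borrow before the solvency check."""
    try:
        run_attack(decimals_offset, reject_zero=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("offset 3  (1000 virtual shares):", run_attack(3))
    print("offset 18 (1e18 virtual shares):", run_attack(18))
    print("zero-rate guard at offset 3:", oracle_rejects_attack(3))
```

With 1000 virtual shares the 2,000-token donation lifts the price of 1e18 shares above 1e36, the rate floors to zero and the 10M borrow passes as solvent; with 1e18 virtual shares the same donation would have to be on the order of 1e18 tokens to reach that threshold, so the rate stays positive and the borrow is rejected. The zero-rate guard is a second, independent line of defence: it costs one comparison and would have reverted the borrow regardless of how the vault accounts for shares.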