DeFi Protocol Resupply Loses $9.6M in Zero Exchange Rate Vulnerability Exploit
A hacker siphoned nearly $9.6 million from decentralized stablecoin protocol Resupply by exploiting a critical vulnerability identified as a “zero exchange rate” bug in its exchange rate calculation system tied to the cvcrvUSD token.
The attacker exploited Resupply’s low-liquidity market by artificially inflating the price of cvcrvUSD through targeted “donations,” enabling them to trigger the bug. This manipulation allowed the attacker to borrow nearly $10 million worth of reUSD tokens against a nominal collateral of just one wei, according to blockchain security research firm Phalcon.
The theft, investigated by firms including Secur.Reputation and PeckShield, highlights persistent risks in DeFi protocols despite growing security awareness. Attackers routed funds through the anonymity tool Tornado Cash before converting the stolen assets into USDC and wrapped ETH, yielding approximately 1,581 ETH ($9.6M).
Resupply has “paused the impacted wstUSR market,” assuring normal operations elsewhere and promising a full post-mortem analysis. Security expert Hakan Unal of Cyvers described the exploit as enabling the attacker to “borrow a ton of money for almost nothing,” bypassing solvency checks because the exchange rate calculation outputted zero.
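The following sketch models why an exchange rate that rounds down to zero defeats a solvency check, next to a hardened check that rejects it. It is an added illustration, not Resupply's contract code; the formulas, constants and function names are assumptions chosen to mirror EVM-style integer arithmetic.

```python
# Simplified integer-math model of a lending pair's solvency check.
# Constructed for illustration: formulas, constants and names are
# assumptions, not Resupply's contract code.

PRECISION = 10**18        # fixed-point scale for rates and LTV (assumed)
RATE_NUMERATOR = 10**36   # rate = RATE_NUMERATOR // oracle_price (assumed)
MAX_LTV = 95 * 10**16     # 95% in 1e18 fixed point (assumed)


class ZeroExchangeRate(Exception):
    """Raised by the hardened check when the rate rounds down to zero."""


def exchange_rate(oracle_price: int) -> int:
    # Floor division, as in EVM integer arithmetic: any oracle price
    # above RATE_NUMERATOR makes the result exactly 0.
    return RATE_NUMERATOR // oracle_price


def ltv(borrow_amount: int, collateral: int, rate: int) -> int:
    # Debt expressed in collateral units, divided by collateral held.
    # Assumes collateral > 0.
    debt_in_collateral = borrow_amount * rate // PRECISION
    return debt_in_collateral * PRECISION // collateral


def is_solvent_weak(borrow_amount: int, collateral: int, oracle_price: int) -> bool:
    # With rate == 0 the computed LTV is 0, so any borrow size passes.
    rate = exchange_rate(oracle_price)
    return ltv(borrow_amount, collateral, rate) <= MAX_LTV


def is_solvent_hardened(borrow_amount: int, collateral: int, oracle_price: int) -> bool:
    rate = exchange_rate(oracle_price)
    if rate == 0:
        # Fail closed: a zero rate means the price is outside the range
        # the arithmetic can represent, so no borrow may be approved.
        raise ZeroExchangeRate("oracle price too large; rate floored to 0")
    return ltv(borrow_amount, collateral, rate) <= MAX_LTV


if __name__ == "__main__":
    big_borrow = 10_000_000 * PRECISION   # constructed sample values
    one_wei = 1
    print(is_solvent_weak(big_borrow, one_wei, 10**18))      # normal price
    print(is_solvent_weak(big_borrow, one_wei, 2 * 10**36))  # inflated price
```

The same borrow that the weak check rejects at a normal price passes once the price exceeds the numerator, which is why the hardened variant treats a zero rate as an error rather than as a valid input.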
Key Details
- Exploit Value: $9.6M (~1581 ETH)
- Vulnerability: Zero Exchange Rate Bug
- Mechanism: cvcrvUSD price manipulation
- Mounting Point: Transaction via Cow Swap
- Post-Exploit: Funds laundered via Tornado Cash
This incident continues a trend of significant DeFi breaches exceeding $2 billion globally this year.
Resupply advised users: “Users should avoid reUSD vaults and withdraw funds if possible.”