Resupply Hack: How a donation attack led to $9.5m in Losses?
Explore how Resupply lost $9.5M in a donation attack due to a vault price manipulation. Know the flow, impact & how it could’ve been prevented.
Resupply is a stablecoin issuer; the stablecoin is backed by the Collateralized Debt Positions (CDPs), similar to how Sky Protocol works. It is a sub-DAO protocol of Convex and Yearn Finance.
The protocol was attacked with a donation attack on June 26, 2025, at 1:53 AM UTC. Notably, the attack occurred on a recently deployed pool of wstUSR by the protocol, which led to the loss of $9.5m to the protocol. The analysis covers the hack details, how it happened, the attack flow, and the funds lost.
Hack Analysis and Its Impact
The protocol, being completely decentralized and managed as a DAO, a proposal to deploy the crvUSD_wstUSR market got approved recently. As this market got deployed, only an hour and a half later, it got attacked. These markets follow ERC-4626 contracts.
Flow of Attack
The attacker took a flash loan of $4k USDC from Morpho and converted it to crvUSD.
Donation of 2k crvUSD to 0x89707 and minted 1 wei cvcrvUSD by depositing 2 crvUSD.
The attacker then used this 1 wei cvcrvUSD as collateral and borrowed around 10M $reUSD.
Then these assets are swapped with 9.33m scrvUSD through a swap from 10m reUSD. And the scrvUSD is converted to 9.81m crvUSD and then converted to WETH.
Timeline of the Attack
- Deployment of the wstUSR market at 12:18:47 AM UTC.
- The attacker's address got funded via Tornado Cash at 1:50:11 AM UTC
- The attacker exploited the market through a donation attack at 1:53:59 AM UTC, which is about 1.5 hours later from the market creation.
- The attacker split the assets into two accounts in the same attack transaction.
- The protocol set the borrow limit to 0 at 2:53:23 AM UTC.
Some Key Events
wstUSR market deployment as per the governance proposal: 0x852eca15a9fd352817346915f7bc8817d46de349bd7a8fc6ee73c7b66ec9ab41
Tornado Cash Funding: 0x1962eb353a37ca816a6d967279dfdb005a640fe3b22ccb9e00939fe5810d8fb5
Attack Transaction: 0xffbbd492e0605a8bb6d490c3cd879e87ff60862b0684160d08fd5711e7a872d3
reUSD depegged to $0.98 at 1:54 AM UTC
Source: DexScreener
Resupply TVL plummeted
Source: https://defillama.com/protocol/resupply
Setting the borrow limit to 0: 0x926ffae5506d261dde27910b8cfa0abae8d44eecfbb67a1c67a63c687bc30b3b
Root Cause Analysis
The contract calls the getPrices function in the ResupplyPairCore contract, which returns a huge value of 1 wei of cvcrvUSD collateral. The value it returned is 2,000,000,000,000,000,001,998,001,998,001,998, which is incorrect.
The reason for the wrong prices is the donation attack done by the attacker; the initial donation of 2k crvUSD inflated the prices of shares, which were minted later by depositing 2 crvUSD into the protocol. Extra assets in the pool increased the price per share, cvcrvUSD.
Don’t Let Donation Attacks Drain Your Protocol!
Don’t Let Donation Attacks Drain Your Protocol!
If you're building with ERC-4626 or similar vault strategies, now’s the time to tighten your security. Let QuillAudits help you fortify your contracts and avoid critical loopholes.
Now, if we do the math and divide 1e36 by the above number, we get to ~0.499, which rounds off to 0, and the function _updateExchangeRate returns the exchange rate as 0.
After this, the contract calls _isSolvent to do the solvency check based on the exchange rate, and since the exchange rate is 0, the LTV is 0, and it returns true, hence the user is solvent.
After a successful check of solvency, the protocol mints 10m reUSD tokens to the attacker contract, which was the borrow limit.
Relevant Addresses and Transactions
Victim Contract: 0x6e90c85a495d54c6d7e1f3400fef1f6e59f86bd6
Attack Txn: 0xffbbd492e0605a8bb6d490c3cd879e87ff60862b0684160d08fd5711e7a872d3
Attack Contract #1: 0x151aA63dbb7C605E7b0a173Ab7375e1450E79238
Attacker Contract #2: 0xf90dA523A7C19A0A3d8d4606242c46f1eE459dc7
Resupply Attacker #1: 0x6D9f6E900ac2CE6770Fd9f04f98B7B0fc355E2EA (Funded by Tornado Cash)
Attacker Address #2: 0x31129a5c13306A48E827e851D44E19Ca07d4928A (Funded by 0x6D9f6E900ac2CE6770Fd9f04f98B7B0fc355E2EA - Attacker Address #1) [Holds $5.51M]
Attacker Address #3: 0x886f786618623ffFB2be59830A47661Ae6492E16 (Funded by 0x151aA63dbb7C605E7b0a173Ab7375e1450E79238) [Holds $3.90M]
How the Hack Could Have Been Prevented?
The attack essentially occurred because the protocol used the balanceOf function to calculate the balance of the vault and did the accounting based on that, which is not bad if the protocol's vault has assets already; this is how the basic accounting works in ERC-4626. The problem usually occurs when the pool is empty, which was true in this case.
Empty pools are mostly the target of donation attacks, as the attacker donated certain assets and then minted shares against a small deposit. These donated funds increase the balance of the vault, which inflates the price of each share in the pool.
A good solution to this is using virtual shares/offset as explained in this article by Cyfrin. The vault essentially pretends that it already has some assets and shares from the very beginning, and acts as an offset that doesn’t let anyone manipulate the exchangeRate of the vault.
Conclusion
Resupply recently deployed the market of wstUSR through a governance vote, got attacked, and led to stolen assets worth $9.8m. The core reason behind the attack was a donation made by the attacker, which manipulated the exchange rate for the vault shares. The inflated price of shares helped the attacker to borrow 10m reUSD from the protocol.
We recently published guidelines for developers that should be kept in check while utilizing ERC-4626 for your project. Check it out here.
At QuillAudits, with our 7+ years of experience and 1M+ lines audited, we make sure your code is safe and prevent it from different vulnerabilities.
Contents
