Security Breach on Resupply Platform
A security breach on the stablecoin platform Resupply resulted in a loss of $9.5 million, according to reports from various security firms. The attacker exploited vulnerabilities concerning the cvcrvUSD token, a wrapped variant of Curve USD (crvUSD) typically used on Convex Finance.
By making seemingly harmless donations to the cvcrvUSD vault, the attacker artificially inflated the token's market price, then used that inflated price to obtain Resupply's native stablecoin, reUSD, at an advantageous rate.
Details of the Exploit
The root of the exploit can be traced back to the ResupplyPair contract associated with the CurveLend platform, which erroneously relied on the inflated price of cvcrvUSD in its calculations. Once the attacker had acquired the reUSD at the skewed exchange rate, the manipulated pricing collapsed, leading to a severe devaluation of the reserves held by the platform.
BlockSec analysts have reported that the attacker primarily targeted the wstUSR market, using the faulty price dynamics in the borrowing functionality to drain funds. Notably, the exploit allowed the attacker to borrow an enormous amount of reUSD using merely 1 wei of cvcrvUSD as collateral, circumventing the platform's insolvency checks.
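The mechanism described above, as a simplified Python model added here for illustration (it is not Resupply, Curve or Convex contract code): a donation raises a vault's price per share, a lender that trusts the spot price over-values dust collateral, and a guarded lender refuses to price it. The near-empty vault, the donation size, the 95% loan-to-value ratio, the 2% price band and the dust threshold are all assumptions of this model.

```python
# Simplified integer model, constructed for illustration; not any project's contract code.
WAD = 10**18  # 18-decimal fixed-point unit (1 token = 10**18 wei)

class PriceRejected(Exception):
    """Raised when collateral cannot be priced safely."""

class Vault:
    def __init__(self, total_assets, total_shares):
        self.total_assets = total_assets
        self.total_shares = total_shares

    def donate(self, amount):
        # Assets arrive but no shares are minted, so each share is worth more.
        self.total_assets += amount

    def price_per_share(self):
        return self.total_assets * WAD // self.total_shares  # WAD-scaled

def naive_borrow_limit(vault, collateral_shares, ltv_bps=9_500):
    # Trusts the spot share price unconditionally.
    value = collateral_shares * vault.price_per_share() // WAD
    return value * ltv_bps // 10_000

class GuardedLender:
    def __init__(self, vault, max_move_bps=200, min_collateral=WAD // 100):
        self.vault = vault
        self.last_price = vault.price_per_share()  # last accepted price
        self.max_move_bps = max_move_bps
        self.min_collateral = min_collateral

    def borrow_limit(self, collateral_shares, ltv_bps=9_500):
        if collateral_shares < self.min_collateral:
            raise PriceRejected("collateral below dust threshold")
        spot = self.vault.price_per_share()
        band = self.last_price * self.max_move_bps // 10_000
        if abs(spot - self.last_price) > band:
            raise PriceRejected("share price moved outside allowed band")
        self.last_price = spot
        return collateral_shares * spot // WAD * ltv_bps // 10_000

def demo():
    vault = Vault(total_assets=2, total_shares=2)  # assumed near-empty vault
    lender = GuardedLender(vault)                  # baseline price is 1.0
    before = naive_borrow_limit(vault, 1)          # 1 wei of shares as collateral
    vault.donate(10_000_000 * WAD)                 # constructed donation amount
    after = naive_borrow_limit(vault, 1)
    try:
        return before, after, lender.borrow_limit(WAD)
    except PriceRejected as exc:
        return before, after, str(exc)
```

The price band only helps if the baseline price is recorded before the donation, which is why the guard also rejects dust-sized collateral on its own.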
Resupply’s Response
Resupply confirmed the incident and announced a pause on the affected contract. The team has initiated an investigation but has yet to disclose any plans for asset recovery. A comprehensive analysis is underway, with a detailed report promised for future release.
Related Incidents and Trends
In a related incident, Fuzzland reported a separate $2 million exploit from September 2024 that targeted the UniBTC protocol developed by Bedrock. The exploit was carried out by a former employee masquerading as an MEV developer, who used social engineering to gain access to the protocol, including deploying malware through a compromised Rust library. The breach occurred shortly after Fuzzland had alerted users about potential security vulnerabilities.
A broader trend is also visible across the crypto landscape: 2025 saw losses of over $1.6 billion across 39 hacking incidents, as recorded by Immunefi, a blockchain security monitoring service. A significant portion of these losses stemmed from a few catastrophic hacks at centralized exchanges: Phemex reported a $69.1 million loss in January, while Bybit suffered a $1.46 billion loss in February.
These losses represent a 4.7-fold increase compared to the same period the previous year, when hackers siphoned off roughly $348 million. Experts suspect that North Korea's Lazarus Group is linked to the two major attacks, which together account for approximately $1.52 billion, nearly all of the losses reported.