- Resupply was recently exploited.
- The hacker stole $9.3 million.
- Adds to the growing list of crypto exploits and hacks this year.
Resupply, a stablecoin lending protocol, is reeling from an exploit that resulted in the loss of $9.3 million.
Investor deposits on the protocol have dropped to $85 million from $135 million before the incident, according to data from DefiLlama, and the market value of its RSUP token has fallen to $7 million.
The attacker, funded through privacy protocol Tornado Cash, was able to target a bug in the system that allowed them to extract millions from a deposit of about $200,000.
“The attacker exploited a price manipulation bug in the Resupply pair contract,” Meir Dolev, chief technology officer at Cyvers, a blockchain security firm, told DL News.
Pair contracts control how liquidity pools for token pairs on DeFi protocols work. Dolev said the attacker got a huge loan, about $10 million, for very little collateral by exploiting the vulnerability.
“The affected contract has been identified and paused. Only the wstUSR market was impacted and the protocol continues to function as intended,” Resupply said following the incident.
Exploits
2025 has been an especially tough year for crypto-related hacks and exploits. According to DefiLlama, over $2 billion has been lost in 2025 alone, an increase of more than 50% from last year.
Recent exploits of projects such as zkLend and Conic have been catastrophic, as the respective projects have since shut down.
Resupply allows users to lend their crvUSD stablecoins into Curve vaults to earn yield.
“There is no single person from Curve working on that project. It’s a sad incident because they helped crvUSD to grow a little bit,” Curve founder Michael Egorov said about Resupply’s relationship with Curve.
Although only its insurance pool was hit in the exploit and there are still millions in funds within the protocol, the incident has caused some to question the protocol's overall security.
“This exploit could have been prevented with proper input validation, oracle checks, and edge-case testing,” Dolev said.
So far, the team has only acknowledged the incident, stating that it will release a full post-mortem once a complete analysis has been conducted.
Zachary Rampone is a DeFi correspondent at DL News.