Resupply protocol confirmed a loss of approximately $9.5 million due to price manipulation in its wstUSR market. The incident was announced on June 25.
Overview of the Incident
The security platform BlockSec Phalcon first flagged an unusual transaction on June 25, leading to substantial losses for the Resupply protocol. The Resupply team confirmed that the affected smart contract had been paused, and the incident only impacted their wstUSR market. The team is currently conducting a thorough analysis of the event.
Methods of Attack
Preliminary analysis indicates that the attack was a classic case of price manipulation within a low-liquidity market. The attacker manipulated the price of cvcrvUSD by artificially inflating its value through small donations. This price spike rendered the system vulnerable, allowing the attacker to borrow $10 million in reUSD using just one wei of cvcrvUSD as collateral.
Trends in Price Manipulation
This incident adds to a growing trend of price manipulation attacks in 2025. Similar vulnerabilities have been observed in other protocols, such as Meta Pool and GMX/MIM Spell, which were compromised due to oracle vulnerabilities and low liquidity. Attacks utilizing weak pricing mechanisms continue to pose a threat to DeFi systems.
The incident with the Resupply protocol highlights the importance of security in DeFi and the need for developers and audits to pay close attention to pricing mechanisms and liquidity within their systems.
