Resupply Exploit: Stablecoin Protocol Loses $9.6M in Price Manipulation Attack


Price Manipulation Drains $9.6M

In a major blow to decentralized finance (DeFi) security, stablecoin protocol ResupplyFi has confirmed a $9.6 million exploit in its wstUSR market. The attack was the result of a sophisticated price manipulation exploit that leveraged vulnerabilities in Resupply’s smart contract infrastructure—specifically its interaction with the synthetic stablecoin cvcrvUSD.

The attacker used minimal collateral to inflate the share price within Resupply’s lending pool, enabling a disproportionate loan of $10 million reUSD. The exploit was first detected and disclosed by blockchain security firm Cyvers, who traced the funds and confirmed the involvement of Tornado Cash, a notorious crypto mixer used to anonymize transactions.

This exploit once again underscores the persistent fragility in DeFi protocols, especially those dealing with synthetic assets and poorly validated oracle inputs.


Vulnerability in Lending Logic

According to Meir Dolev, co-founder and CTO at Cyvers, the root cause of the exploit was a flaw in the ResupplyPair contract.

“By inflating the share price, the attacker borrowed $10 million reUSD using minimal collateral,” Dolev told Cointelegraph.

The hacker manipulated the price feed and created an artificial imbalance, allowing them to drain the protocol without meeting the expected collateral requirements. Once the funds were extracted, they were quickly converted into Ether (ETH) and dispersed across two wallets.

This kind of exploit is indicative of a common vulnerability in DeFi systems: improper input validation combined with oracle dependencies. These weaknesses can allow attackers to arbitrage or trick the smart contract into assuming incorrect asset values.

In response, ResupplyFi promptly paused affected contracts, stating that only the wstUSR market had been impacted. The team also pledged to release a full post-mortem report after a complete analysis of the exploit.


Security Gaps in Synthetic Assets

This incident again brings to light the inherent risks associated with synthetic assets and oracle-driven price mechanisms in DeFi. Synthetic assets are designed to track the value of real-world or on-chain assets, but they rely heavily on accurate price feeds from oracles. A single bad data point or unchecked manipulation can be catastrophic.

Dolev emphasized that the attack might have been preventable with additional security checks. “Protocols should include sanity checks within lending logic and monitor for real-time anomalies,” he explained.

He also pointed out that edge-case testing, proper oracle validation, and input data integrity are crucial in preventing such exploits. These preventative strategies should become standard practice, especially as DeFi protocols increasingly handle large sums and complex instruments.
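As an added illustration (not code from Resupply or Cyvers), the toy Python model below shows the generic pattern the article describes: a lending pool that values collateral at a share-based vault's live share price lets a small donation into a near-empty vault inflate that price, and a bounded-deviation sanity check of the kind Dolev recommends rejects the inflated reading. The vault, the 75% LTV figure and the 1:1 reference price are assumptions made for the example.

```python
from dataclasses import dataclass

WAD = 10**18   # fixed-point scale used by most EVM lending code
BPS = 10_000   # basis-point denominator


@dataclass
class ShareVault:
    """Toy share-based vault (assumed model): share price = assets per share, WAD-scaled."""
    total_assets: int
    total_shares: int

    def share_price(self) -> int:
        if self.total_shares == 0:
            return WAD
        return self.total_assets * WAD // self.total_shares

    def deposit(self, assets: int) -> int:
        shares = assets * WAD // self.share_price()
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        # Assets pushed in without minting shares raise the price for every share;
        # in a near-empty vault a modest donation moves it enormously.
        self.total_assets += assets


def max_borrow_unchecked(vault: ShareVault, collateral_shares: int, ltv_bps: int) -> int:
    """Lending logic that trusts the live share price with no sanity check."""
    collateral_value = collateral_shares * vault.share_price() // WAD
    return collateral_value * ltv_bps // BPS


def max_borrow_checked(vault: ShareVault, collateral_shares: int, ltv_bps: int,
                       reference_price: int, max_dev_bps: int = 500) -> int:
    """Same limit, but the live price must stay within max_dev_bps of a reference
    (last accepted value or an independent oracle reading), else the borrow reverts."""
    price = vault.share_price()
    if abs(price - reference_price) * BPS > reference_price * max_dev_bps:
        raise ValueError("share price outside sanity bounds")
    collateral_value = collateral_shares * price // WAD
    return collateral_value * ltv_bps // BPS


def inflation_scenario(donation: int) -> dict:
    """Constructed scenario: one 1-wei deposit into a fresh vault, then a donation."""
    vault = ShareVault(total_assets=0, total_shares=0)
    shares = vault.deposit(1)                      # 1 wei of collateral -> 1 share
    vault.donate(donation)
    result = {"share_price": vault.share_price(),
              "unchecked": max_borrow_unchecked(vault, shares, 7_500)}
    try:
        result["checked"] = max_borrow_checked(vault, shares, 7_500, WAD)
    except ValueError:
        result["checked"] = 0                      # borrow rejected by the sanity check
    return result
```

With a 10,000-token donation (10**22 wei) the unchecked path lends 7,500 tokens against 1 wei of real collateral, while the checked path rejects the reading.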

This isn’t the first time synthetic assets have been the weak link in a DeFi exploit. Oracle manipulation has been one of the top three attack vectors in DeFi since 2020, and with the growing usage of synthetic stablecoins, this trend shows no sign of stopping.


Crypto Hacks Top $2.1B in 2025

The ResupplyFi exploit adds to what is already shaping up to be one of the most damaging years for DeFi in terms of security breaches. According to a June 2025 report by blockchain security firm CertiK, more than $2.1 billion in crypto assets have been stolen so far this year.

While technical vulnerabilities like the Resupply exploit remain prevalent, CertiK notes a sharp increase in social engineering attacks, where insiders or attackers use deception to gain access to critical systems.

A recent case from 2024 further illustrates this shift. Smart contract platform Fuzzland disclosed that a former employee used advanced persistent threats and supply chain attacks to exploit Bedrock UniBTC for $2 million. Unlike traditional hacks, these attacks combine both human manipulation and technical exploits.

This dual threat—technical flaws like Resupply’s and human-driven attacks—represents the new security frontier in decentralized finance. It’s no longer enough to just audit smart contracts; teams must also monitor contributor access, oracle feeds, and any off-chain dependencies.


What’s Next for ResupplyFi?

ResupplyFi has issued a statement acknowledging the incident and assuring its community that affected contracts were promptly paused. While only the wstUSR market was affected, the psychological impact on the community and investor trust could be long-lasting.

No recovery plan or refund mechanism has been announced yet. The protocol has promised a complete post-mortem after a thorough investigation, which may take weeks. In the meantime, developers and security professionals across the DeFi space are watching closely.

The incident will likely push more protocols to adopt stricter risk controls, multi-sig admin functions, real-time anomaly detection systems, and smarter oracle aggregation strategies. As the ecosystem matures, proactive security measures—not just reactive audits—will be critical to maintaining credibility and financial stability.


Conclusion

The ResupplyFi exploit highlights the ever-present risks in the fast-moving DeFi space. A combination of smart contract vulnerabilities, synthetic asset complexity, and flawed price feeds allowed a single attacker to drain nearly $10 million—undermining months of community trust and protocol growth.

As DeFi expands, so must its security frameworks. From automated price sanity checks to robust oracle networks and human oversight, layered protection is now a necessity—not an option.

With over $2.1 billion already lost in 2025 alone, it’s clear that protocols need to rethink both their technical and operational security strategies if DeFi is to achieve mainstream adoption.
