Resupply, a decentralized finance (DeFi) protocol, has confirmed an exploit in its wstUSR market. According to the project’s statement on X (formerly Twitter), the affected smart contract has been identified and immediately paused. No other markets or protocol functions appear to have been impacted.
Resupply has experienced an exploit in the wstUSR market. The affected contract has been identified and paused. Only the wstUSR market was impacted and the protocol continues to function as intended. A full post-mortem will be shared as soon as a complete analysis of the…
— Resupply (@ResupplyFi) June 26, 2025
Blockchain security firm Cyvers first raised the alarm, reporting that the attacker exploited a vulnerability tied to the exchangeRate logic in a ResupplyPair contract. The attack was made possible through:
- Manipulation of the cvcrvUSD price, triggering a faulty condition in the Resupply protocol.
- A flaw in floor division math, which allowed the exchangeRate to hit zero.
The attacker then borrowed a massive amount of reUSD using just 1 wei (smallest possible fraction of Ethereum, about a billionth of a cent) of collateral — effectively exploiting the protocol’s collateral logic. The stolen funds were swapped to ETH and distributed across two wallets, with initial funding traced to Tornado Cash, a well-known Ethereum mixer often used to obscure transaction origins.
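The failure mode described above, reduced to integer arithmetic, as an added example that is not Resupply's contract code. The 1e36 rate formula, the 95% loan-to-value limit, and all names are assumptions made for illustration; it contrasts a solvency check that trusts a floored rate with one that rejects a zero rate and rounds debt up.

```python
# Simplified model of the floor-division failure mode.
# Formulas, constants and names are assumptions, not Resupply's code.
PRECISION = 10**18      # assumed fixed-point scale for prices and rates
RATE_SCALE = 10**36     # assumed numerator: rate = RATE_SCALE // price
LTV_PRECISION = 10**5   # assumed scale for the loan-to-value limit
MAX_LTV = 95_000        # assumed 95% limit


def exchange_rate(oracle_price: int) -> int:
    """Collateral per unit of debt; integer math floors the quotient."""
    return RATE_SCALE // oracle_price


def is_solvent_unguarded(collateral: int, debt: int, rate: int) -> bool:
    """No guard: a zero rate values any debt at zero collateral."""
    debt_in_collateral = debt * rate // PRECISION
    ltv = debt_in_collateral * LTV_PRECISION // collateral
    return ltv <= MAX_LTV


def is_solvent_guarded(collateral: int, debt: int, rate: int) -> bool:
    """Hardened: reject a zero rate and round the debt valuation up."""
    if rate == 0 or collateral == 0:
        raise ValueError("invalid exchange rate or collateral")
    debt_in_collateral = -(-debt * rate // PRECISION)  # ceiling division
    return debt_in_collateral * LTV_PRECISION <= collateral * MAX_LTV


if __name__ == "__main__":
    # Constructed inputs: a normal price, then a price inflated past RATE_SCALE.
    normal = exchange_rate(1 * PRECISION)
    inflated = exchange_rate(2 * RATE_SCALE)
    print("normal rate:", normal, "inflated rate:", inflated)
    print("1 unit of collateral backs 10**25 debt (unguarded):",
          is_solvent_unguarded(1, 10**25, inflated))
    try:
        is_solvent_guarded(1, 10**25, inflated)
    except ValueError as exc:
        print("guarded check rejects the position:", exc)
```
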
🚨ALERT🚨Our system has detected a suspicious transaction involving @ResupplyFi, with losses estimated at $9.6M.
Attacker funded via @TornadoCash manipulated #cvcrvUSD price, causing exchangeRate in ResupplyPair to hit zero due to floor division enabling massive #reUSD borrowing… pic.twitter.com/fU1LEUxO0t
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) June 26, 2025
While Resupply hasn’t yet released full details or confirmed exact loss figures, Cyvers estimates the total value siphoned at $9.6 million. The Resupply team has paused the vulnerable contract and assured users that core protocol operations remain secure.
The exploit points to ongoing risks in DeFi systems that rely on price feeds and automated math. Manipulated market prices or tokens with low trading volume can lead to major vulnerabilities, especially when smart contracts don’t handle edge cases correctly.