Decentralised finance (DeFi) protocol ResupplyFi has suffered a devastating security breach, resulting in a loss of approximately $9.6 million. The exploit targeted the protocol’s wstUSR market and was executed through a sophisticated price manipulation strategy involving synthetic stablecoins.
Flaw in Contract Design Enables Price Exploit
According to blockchain security firm Cyvers, the attacker leveraged a vulnerability in the ResupplyPair contract. The flaw allowed them to artificially inflate the share price, enabling a large loan to be taken with minimal collateral. Meir Dolev, co-founder and CTO at Cyvers, stated, “By inflating the share price, they borrowed $10 million worth of reUSD using minimal collateral.”
The attacker exploited the integration of ResupplyFi with a synthetic stablecoin called cvcrvUSD. They reportedly used Tornado Cash, a crypto mixer, to fund the exploit, adding a layer of anonymity. The stolen funds were then swapped to Ether (ETH) and distributed across two wallet addresses.
Immediate Response from ResupplyFi
In the aftermath of the attack, ResupplyFi paused all contracts linked to the affected wstUSR market in an effort to contain the damage. The team acknowledged the breach in a public statement and assured users that only one specific market was compromised.
“A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted,” the company said, adding that no other components of the protocol appeared to be impacted.
Experts Urge Better Security Practices in DeFi
The incident once again highlights ongoing vulnerabilities in DeFi protocols, especially those reliant on synthetic assets and price oracles. Security experts, including Dolev, have stressed the importance of integrating comprehensive validation mechanisms and anomaly detection systems in smart contracts.
“Proper input validation, oracle checks and edge-case testing could have prevented this attack,” Dolev added. He also recommended implementing sanity checks in lending logic and monitoring for real-time irregularities as additional preventive measures.
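A sanity check of the kind Dolev describes, as an added example that is not ResupplyFi's code or part of the original report: a simplified lending market that bounds how far a reported share price may move in one update before the borrow limit is computed. The `Market` class, the 90% loan-to-value ratio, the 5% per-update bound and all prices and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WAD = 10**18            # fixed-point scale used by 18-decimal tokens
MAX_LTV_BPS = 9_000     # constructed: 90% loan-to-value
MAX_MOVE_BPS = 500      # constructed: accept at most a 5% price move per update


class PriceRejected(Exception):
    """Raised when a reported share price fails the sanity check."""


@dataclass
class Market:
    last_price: int          # last accepted share price, WAD-scaled
    guarded: bool = True     # False models lending logic with no price check

    def accept_price(self, reported: int) -> int:
        """Validate a reported share price before lending logic uses it."""
        if self.guarded:
            if reported <= 0:
                raise PriceRejected("non-positive share price")
            move_bps = abs(reported - self.last_price) * 10_000 // self.last_price
            if move_bps > MAX_MOVE_BPS:
                raise PriceRejected(f"price moved {move_bps} bps in one update")
        self.last_price = reported
        return reported

    def max_borrow(self, collateral_shares: int, reported_price: int) -> int:
        """Debt ceiling (WAD units) for the collateral at the reported price."""
        price = self.accept_price(reported_price)
        value = collateral_shares * price // WAD
        return value * MAX_LTV_BPS // 10_000


def try_borrow(market: Market, shares: int, price: int, amount: int) -> str:
    """Return the market's decision for a loan request as a short string."""
    try:
        limit = market.max_borrow(shares, price)
    except PriceRejected as exc:
        return f"rejected: {exc}"
    return "approved" if amount <= limit else "denied: undercollateralised"


# Constructed scenario: one share of collateral and a 10M loan request.
HONEST, INFLATED = 1 * WAD, 20_000_000 * WAD
LOAN = 10_000_000 * WAD
```

With `guarded=False` the inflated price lets a single share back the full loan; with the guard on, the same request is rejected before any collateral value is computed.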
Crypto Hack Losses Soar in 2025
The ResupplyFi exploit is the latest in a growing trend of high-profile crypto hacks. According to CertiK, a leading blockchain security firm, losses from hacks and exploits have already surpassed $2.1 billion in 2025 alone. The firm noted that hackers are increasingly relying on social engineering and insider threats, shifting away from purely technical attacks.
In a related development, smart contract platform Fuzzland disclosed that a former employee was behind a $2 million exploit involving Bedrock UniBTC in 2024. The insider used a combination of social engineering, supply chain attacks, and advanced persistent threat (APT) techniques to gain access to sensitive systems.
Growing Concerns Over DeFi Security
This latest breach serves as a stark reminder of the security challenges still plaguing the DeFi sector. As protocols continue to experiment with complex financial instruments like synthetic stablecoins and oracle-based pricing, the risk of sophisticated attacks increases.
Industry experts and developers alike are calling for enhanced security frameworks, rigorous code audits, and more transparent post-incident reporting. Until such practices become standard, users and protocols will remain exposed to costly vulnerabilities.