Resupply is a DeFi protocol that promised to redefine stablecoin capital efficiency. But in late June 2025. it faced a serious exploit, shaking confidence and forcing a rapid crisis response. Here's what Resupply was designed to do—and how it's planning to recover.
What is Resupply and how does it work?
Resupply is a decentralized stablecoin protocol enabling users to borrow its native reUSD stablecoin using interest-bearing stablecoin deposits as collateral. Instead of locking up idle assets, users could deposit stablecoins earning yield in protocols like Curve Lend and borrow against them—keeping the yield while unlocking liquidity.
The system uses Collateralized Debt Positions (CDPs) and integrates directly with external lending markets. It operates as a subDAO built with support from DeFi heavyweights like Convex and Yearn, issuing reUSD backed by yield-generating collateral. It officially launched in March 2025 and underwent peer-reviewed audits prior to release.
How did the Resupply exploit happen?
On June 26. 2025. Resupply suffered an exploit that drained roughly $9.5 to $10 million in reUSD. The attacker targeted a vulnerability involving price manipulation in the cvcrvUSD token (a staked version of Curve USD in Convex).
By spoofing price increases through manipulated transactions or “donations,” the attacker inflated cvcrvUSD's perceived value. This skewed price was used by the ResupplyPair contract to allow the attacker to borrow nearly 10 million reUSD with almost no real collateral—just one wei of manipulated cvcrvUSD.
What actions did the attacker take and how did the protocol respond?
The attacker quickly converted the stolen reUSD to other tokens and routed funds through Tornado Cash, fragmenting and obfuscating the trail. In response, Resupply:
Paused the compromised contracts
Temporarily locked assets in its insurance pool
Published a transparent post-mortem detailing the exploit
What is Resupply's recovery plan for the lost reUSD?
The protocol laid out a structured, multi-step recovery plan:
2.86 million reUSD has already been repaid by the Resupply and Convex treasuries
6 million reUSD is set to be burned from the insurance pool
The final 1.13 million reUSD will be repaid over time via DAO revenue sources like protocol fees or RSUP token sales
Resupply is also launching a retention program for affected users, offering RSUP incentives to those who choose to remain in the insurance pool.
Is Resupply still operational and trustworthy?
While trust has been dented, Resupply's fast response, detailed communication, and early repayments indicate commitment to user recovery. The protocol remains under active governance with recovery measures in place, and its team continues to monitor the movement of stolen funds.
Conclusion:
The exploit exposed weaknesses in DeFi's reliance on external price feeds and integrated protocols. However, Resupply's proactive recovery plan and transparent handling of the incident show resilience. If the community and governance execute the roadmap successfully, Resupply may still fulfill its vision of yield-optimized stablecoin borrowing.
