Resupply, a DeFi stablecoin protocol, suffered a major exploit in June 2025 that resulted in the loss of $9.5 million. The attack exposed a vulnerability in its pricing mechanism, causing confidence in the protocol and its native assets to plummet. The incident highlights ongoing security challenges in decentralized finance.
How did the Resupply exploit happen?
The attack targeted Resupply's smart contract, specifically the ResupplyPair module. The exploit manipulated the exchange rate of a wrapped token—cvcrvUSD—by artificially inflating its price through a well-placed donation. This distorted the collateral value used to borrow reUSD, allowing the attacker to drain millions using minimal collateral.
What was affected in the Resupply protocol?
Only the wstUSR market was directly impacted, according to Resupply. The team quickly paused the affected contracts to contain damage. However, the exploit led to a major drop in investor deposits and tanked the RSUP governance token price, showing the broader effects of protocol-level breaches.
What is Resupply's recovery plan?
Resupply announced a token burn of 6 million reUSD from its insurance pool to offset bad debt. The rest of the debt will be repaid through future fees and other revenue. This move mirrors damage-control tactics seen across DeFi but raises concerns about long-term solvency.
What are the broader DeFi security implications?
The Resupply exploit is one in a series of similar DeFi incidents, following the collapse of zklend and Conic. Security analysts flagged the absence of proper oracle validation and input checks as the root cause—yet another case of speed over safety in the race to innovate in DeFi.
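To make the donation mechanism and the missing checks concrete, here is an added Python model; it is not Resupply's code and not part of the original article. The Vault and RateGuard classes, the thresholds and every amount are constructed assumptions. The model shows how a donation moves a share-based price, and how a supply check and a rate-of-change check reject the reading before it reaches the borrow calculation.

```python
WAD = 10**18  # 18-decimal fixed point, as in typical token accounting

class Vault:
    """Constructed ERC-4626-style vault: share price = assets / shares."""
    def __init__(self):
        self.assets = self.shares = 0
    def deposit(self, amount):
        minted = amount if self.shares == 0 else amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted
        return minted
    def donate(self, amount):
        self.assets += amount  # direct transfer: assets rise, no shares minted
    def price(self):
        return self.assets * WAD // self.shares

def max_borrow(shares, price, ltv_bps=9_500):
    """Debt allowed against `shares` of collateral valued at `price`."""
    return shares * price // WAD * ltv_bps // 10_000

class RateGuard:
    """Hypothetical validation layer between the vault and the lending market."""
    def __init__(self, min_shares=1_000 * WAD, max_move_bps=200):
        self.min_shares, self.max_move_bps, self.last = min_shares, max_move_bps, None

    def checked_price(self, vault):
        if vault.shares < self.min_shares:  # input check: refuse to price a thin supply
            raise ValueError("share supply too thin to price collateral")
        price = vault.price()
        if self.last is not None:  # oracle validation: bound the move per update
            move_bps = abs(price - self.last) * 10_000 // self.last
            if move_bps > self.max_move_bps:
                raise ValueError("price moved %d bps since last update" % move_bps)
        self.last = price
        return price

def run_scenario(initial_deposit, donation, guard):
    """Return (borrow limit before, unguarded limit after, guard verdicts)."""
    vault, verdicts = Vault(), []
    held = vault.deposit(initial_deposit)
    before = max_borrow(held, vault.price())
    for extra in (0, donation):  # baseline reading, then the post-donation reading
        vault.donate(extra)
        try:
            guard.checked_price(vault)
            verdicts.append("accepted")
        except ValueError as err:
            verdicts.append(str(err))
    return before, max_borrow(held, vault.price()), verdicts
```

Calling run_scenario(1_000, 5_000 * WAD, RateGuard()) models a thinly supplied vault, where the unguarded borrow limit jumps by many orders of magnitude and the guard refuses both readings. The thresholds are illustrative and would be set from the asset's expected yield in practice.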
Conclusion
Resupply's $9.5M exploit underscores the fragility of poorly protected DeFi protocols. While the recovery plan is underway, trust is shaken. As more exploits make headlines, investors and builders alike are reminded: smart contract security is no longer optional—it's existential.


















