Resupply, a decentralized stablecoin protocol tied to Convex Finance and Yearn.fi, has fallen victim to a security exploit, losing $9.5 million today. The attack, uncovered by blockchain security firm BlockSec Phalcon, exposed critical vulnerabilities in the platform’s system, spotlighting the ongoing security challenges within decentralized finance protocols.
Resupply Attacker Siphons $9.5M
The attacker exploited a flaw in Resupply’s smart contract, specifically the ResupplyPair contract, which used an empty ERC4626 wrapper as its price oracle. By donating just 2 crvUSD, the hacker inflated the share token price of an empty crvUSD vault, tricking the system into allowing a massive withdrawal. This manipulation enabled the attacker to borrow 10 million reUSD, resulting in a $9.5 million loss.
The attack, funded via Tornado Cash, occurred at 1:53 AM UTC and was executed in a single transaction, showcasing the speed and precision of modern crypto exploits. Blockchain analysts noted the vulnerability stemmed from poor oracle design, a common weak point in DeFi systems that hackers increasingly target.
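The following is an added illustration, not code from Resupply, BlockSec or the original article: a constructed ERC4626-style vault model showing why a 2-token donation moves the share price of a nearly empty vault by many orders of magnitude while barely touching a funded one, and a consumer-side guard that refuses such a reading. The class, function names, 18-decimal scaling, supply floor and step limit are all assumptions chosen for the demonstration.

```python
WAD = 10**18  # one whole token at 18 decimals (assumed for asset and share)

class Vault:
    """Constructed ERC4626-style accounting, not any protocol's real code."""
    def __init__(self):
        self.total_assets = 0   # underlying tokens held by the vault
        self.total_supply = 0   # shares outstanding

    def deposit(self, assets):
        # First depositor is minted shares 1:1; later ones pro rata, rounded down.
        if self.total_supply == 0:
            shares = assets
        else:
            shares = assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        # A plain token transfer to the vault: assets rise, no shares are minted.
        self.total_assets += assets

    def price_per_share(self):
        # Assets redeemable for one whole share, WAD-scaled, as an oracle reads it.
        if self.total_supply == 0:
            return WAD
        return WAD * self.total_assets // self.total_supply

MIN_SUPPLY = 1_000 * WAD   # hypothetical liquidity floor for trusting the rate
MAX_STEP_BPS = 500         # hypothetical cap: 5% move between two reads

def checked_price(vault, last_price):
    """Return the vault rate only if it passes both sanity checks, else raise."""
    price = vault.price_per_share()
    if vault.total_supply < MIN_SUPPLY:
        raise ValueError("vault supply below floor; rate is not a usable oracle")
    if abs(price - last_price) * 10_000 > last_price * MAX_STEP_BPS:
        raise ValueError("rate moved more than the allowed step")
    return price

def demo():
    thin, deep = Vault(), Vault()
    thin.deposit(1)                  # 1 wei of shares in an otherwise empty vault
    deep.deposit(5_000_000 * WAD)    # constructed, well-funded vault
    before = (thin.price_per_share(), deep.price_per_share())
    thin.donate(2 * WAD)
    deep.donate(2 * WAD)
    after = (thin.price_per_share(), deep.price_per_share())
    return before, after, thin, deep
```

In the thin vault the rate is set entirely by the donation, which is why the guard checks outstanding supply before it looks at the price at all.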
Resupply’s team has not yet issued a public statement on the exploit as of press time, but insiders suggest they are working with security partners to investigate and recover funds. Blockchain security firms like Phalcon emphasized that real-time monitoring tools could have detected the attack at the mempool stage, potentially preventing the loss.
DeFi Exploits Surge
June 2025 has reportedly been a brutal month for crypto, with at least three other major hack incidents. For instance, Loopscale, a Solana-based protocol, lost $5.7 million in a lending vault exploit, and just yesterday SiloFinance, a non-custodial lending protocol, suffered a sophisticated hack that resulted in a loss of approximately $545,000. Security platforms like PeckShield and CertiK detected the breach and alerted the protocol via X.
Additionally, a cunning New York scammer, Christian Nieves, known as Daytwo or PawsOnHips, swindled over $4 million from Coinbase users by posing as a customer support representative. Operating a small call center, he tricked victims into creating wallets on fake websites that were laced with malicious code, draining their cryptocurrency.
The Resupply hack is a stark reminder of DeFi’s high-stakes landscape, where innovation meets risk. Notably, white-hat hackers have emerged as unsung heroes in 2025, recovering funds in cases like Moby’s $1.5 million retrieval.