The decentralized protocol Resupply was hit by an attack that allowed the attacker to withdraw $9.6 million through exchange rate manipulation. The incident, which hit the wstUSR token market, confirms that DeFi remains vulnerable to attacks in low-liquidity pools.

On Thursday, it became known that the wstUSR smart contract had been compromised by bypassing its collateral verification mechanisms – the attacker “borrowed” a large amount of reUSD against meager collateral. As CertiK, Cyvers and BlockSec Phalcon found, the vulnerability was related to exchange rate manipulation in a market with low liquidity. The stolen funds were converted to ETH and distributed to two addresses.

> “Another lending protocol compromised through exchange rate manipulation in a market with zero liquidity,” BlockSec commented.

The attack was funded via Tornado Cash. The price of reUSD wavered temporarily, but the rate quickly stabilized. The total amount of active loans in reUSD, according to the Resupply website, is $67 million.
Resupply is a DeFi protocol that lets users borrow reUSD against stablecoins such as crvUSD and frxUSD. Borrowers receive reUSD, which they can then reuse elsewhere in decentralized finance. The attack was the latest in a chain of similar hacks – earlier this year, another platform, zkLend, lost more than $9 million; it is now closing down and plans to compensate users with $200,000 from the treasury balances.
The attack on Resupply highlights a systemic problem with DeFi – low-liquidity markets remain a weak point for most decentralized protocols. Even if the mechanism looks secure, attackers can use the lack of market depth to carry out large-scale exploitation. Teams need to focus not only on code security, but also on economic attacks, which are increasingly becoming decisive.