Resupply Faces Major Security Breach Resulting in Massive Financial Loss


Cointurk, 2025/06/26 09:56
By: Fatih Uçar

In Brief: The Resupply protocol faced an attack causing a $9.5 million loss. Price manipulation exploited vulnerabilities in the collateral model. Measures are being taken to compensate users and prevent future attacks.

The altcoin protocol Resupply suffered a devastating attack on June 26, losing approximately $9.5 million to price manipulation. The attacker artificially inflated the share price of wrapped cvcrvUSD staked in Convex Finance through donations. This inflation affected Resupply’s CurveLend: crvUSD/wstUSR contract, disrupting its collateral ratio calculations. Consequently, the attacker was able to borrow 10 million reUSD with minimal cvcrvUSD collateral, subsequently exchanging the reUSD for other assets in external markets. Resupply’s team has paused the affected contract.

Price Manipulation Exploited a Vulnerability

According to a report by PeckShield, the attacker raised cvcrvUSD’s share price by donating to its vault. The higher price per share skewed the protocol’s lending formula in the attacker’s favor, opening the way to uncollateralized borrowing.


A single wei of cvcrvUSD, generally deemed worthless, was treated as substantial collateral thanks to the artificial inflation. Analysts highlighted that such vulnerabilities could arise in collateral models relying on liquidity pools if price feeds are not verified with reliable sources.

The collapse of the contract was primarily due to its reliance on a single oracle for price determination. Despite Resupply’s intentions to expand liquidity through its “lend” module, its price control layer was insufficient. Security experts suggest that incorporating diverse oracles and implementing cap controls could prevent such attacks.
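The failure mode and the two mitigations named above (a second price source and a cap) can be seen in a simplified model, added here as an illustration; it is not Resupply's contract code, and the vault model, loan-to-value ratio, tolerance, cap and all numbers are constructed assumptions.

```python
from fractions import Fraction

LTV = Fraction(9, 10)              # assumed loan-to-value ratio
MAX_DEVIATION = Fraction(2, 100)   # assumed tolerance between price sources
BORROW_CAP = 50_000 * 10**18       # assumed per-position cap, in debt-token wei


class Vault:
    """Constructed model: price per share = total assets / total shares."""

    def __init__(self, assets: int, shares: int):
        self.assets, self.shares = assets, shares

    def donate(self, amount: int) -> None:
        # Assets arrive but no shares are minted, so every share is worth more.
        self.assets += amount

    def price_per_share(self) -> Fraction:
        return Fraction(self.assets, self.shares)


def naive_borrow_limit(vault: Vault, collateral_shares: int) -> int:
    """Single price source: whatever the vault reports is trusted."""
    return int(collateral_shares * vault.price_per_share() * LTV)


def guarded_borrow_limit(vault: Vault, collateral_shares: int,
                         reference_price: Fraction) -> int:
    """Cross-check the vault price against a second source, then cap the result."""
    price = vault.price_per_share()
    if abs(price - reference_price) > reference_price * MAX_DEVIATION:
        raise ValueError("share price deviates from reference; refusing to lend")
    return min(int(collateral_shares * price * LTV), BORROW_CAP)


def demo() -> dict:
    healthy = Vault(assets=2_000_000 * 10**18, shares=2_000_000 * 10**18)
    thin = Vault(assets=1, shares=1)      # constructed vault with a tiny share supply
    thin.donate(2_000 * 10**18)           # donation inflates the reported share price
    reference = Fraction(1)               # constructed second-source price
    try:
        guarded = guarded_borrow_limit(thin, 1, reference)
    except ValueError:
        guarded = None                    # loan rejected by the deviation check
    return {"healthy_1_wei": naive_borrow_limit(healthy, 1),
            "inflated_1_wei": naive_borrow_limit(thin, 1),
            "guarded_inflated": guarded,
            "guarded_healthy": guarded_borrow_limit(healthy, 10**24, reference)}
```

With a single trusted price, one wei of collateral goes from supporting no debt to supporting a large loan once the reported share price is inflated; the cross-check rejects that price outright, and the cap bounds the loan even when the price is accepted.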

Ongoing Impact of the Attack

The withdrawal of 10 million reUSD coins from the protocol post-attack led to temporary fluctuations in the Resupply market. The project team announced the suspension of affected contracts and pledged to unveil a compensation plan for affected users soon. Though the cvcrvUSD price reverted to its original level post-donations, the imbalance in debt and collateral caused permanent loss in lending portfolios.

PeckShield reported that during the incident, the attacker swiftly traded reUSD across various decentralized exchanges, complicating the tracking process. Analysts noted that retrieving reUSD would be challenging due to its issuance from a limited pool, although blockchain freezing scenarios are being considered to mitigate the damage.

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
