DeFi Shock: Attacker Drains $9.5M from Stablecoin Protocol via Token Price Manipulation

Another day, another DeFi exploit—this time with a $9.5M price tag. Here's how it went down.

Attack Vector: Inflate to Steal

The attacker artificially pumped a stablecoin's value, tricking the protocol's resupply mechanism into coughing up funds. Classic 'fake it till you make it'—except they actually made off with $9.5M.

DeFi's Irony: 'Stable'coins Aren't

Yet another 'stable' asset proves anything but. The protocol's safeguards? More like suggestions. Meanwhile, traditional finance bros smirk into their lattes.

What's Next?

Expect the usual cycle: post-mortem, patch, repeat. Until then, remember—in crypto, the only stable thing is the stream of hacks.

Resupply Exploit Linked to Manipulated Price Feed in CurveLend Contract

The Resupply smart contract involved, ResupplyPair (CurveLend: crvUSD/wstUSR), used the manipulated cvcrvUSD price in its calculations.

Once the attacker borrowed the reUSD, the manipulated exchange rate collapsed, triggering a major devaluation of the protocol’s reserves.

Analysts at Blocksec noted that the attacker primarily drained funds from the wstUSR market by exploiting the flawed price logic in the borrowing function.

The stolen reUSD was then swiftly converted into other crypto assets on external markets.

“As a result, the attacker borrowed massive reUSD with just 1 wei of cvcrvUSD as collateral, bypassing the insolvency check,” Blocksec wrote on X.

Resupply acknowledged the breach in a statement and confirmed that the compromised contract has been paused. The team is investigating the incident and has not yet confirmed any recovery plans.

“A full post-mortem will be shared as soon as a complete analysis of the situation has been conducted,” the team wrote.

Resupply will not post any links after this tweet. Links below this tweet that look like Resupply are spam, fake or phishing links. Do not click any LINK under this tweet. pic.twitter.com/FExOvng40U

Fuzzland Reveals $2M Insider Exploit on Bedrock’s UniBTC Protocol

On Wednesday, Fuzzland disclosed that a $2 million exploit targeting Bedrock’s UniBTC protocol in September 2024 was carried out by a former employee posing as an MEV developer.

The attacker used social engineering, inserted malware via a trojanized Rust crate, and maintained undetected access to engineering systems for over three weeks.

The breach culminated in the UniBTC protocol being exploited shortly after Fuzzland discussed a security vulnerability.

Notably, in the first three months of 2025, the crypto ecosystem lost a whopping $1,635,933,800 across 39 incidents, according to the blockchain security platform Immunefi.

Most of that was the result of only two hacks of two centralized exchanges. Phemex suffered a $69.1 million loss in January, while Bybit lost $1.46 billion in February.

Subsequently, the total number of losses in the first quarter marks a 4.7x increase compared to Q1 2024. At that time, hackers and fraudsters stole $348,251,217.

Notably, experts assume that the infamous North Korean Lazarus Group is behind the two largest attacks. They stole $1.52 billion, or 94% of total losses.