$9.5M Heist Hits Stablecoin Protocol—DeFi’s ’Safe’ Asset Just Got Risky

Another day, another crypto exploit—this time, a stablecoin protocol bleeds $9.5M. So much for 'stable.'

How it happened: Attackers exploited a resupply flaw in the protocol's smart contracts, draining funds faster than a Wall Street exec cashing out bonuses. The breach underscores DeFi's lingering growing pains—even assets pegged to real-world value aren’t immune to chaos.

Why it matters: Stablecoins are meant to be the calm in crypto’s storm. When their protocols crack, the whole ecosystem feels the tremors. Cue the 'we need regulation' chorus—though good luck getting banks and blockchain to agree on what that means.

Bottom line: Until DeFi bridges the gap between innovation and security, exploits like this will keep giving traditional finance ammo to sneer. But hey, at least the hackers had the decency to stick to a round number.

Exploit Details

According to Phalcon, the attacker artificially inflated the price of the cvcrvUSD token through targeted “donations” into an extremely thin or empty market. CertiK corroborated this information, adding that the hacker flashloaned $4,000 USDC from Morpho to initiate the exploit.

They then reportedly used the manipulated price as the denominator in the contract’s exchange rate calculation, and because the system used floor division, it allowed them to round down the rate to zero.

Afterwards, the bad actor is said to have borrowed nearly $10 million worth of reUSD tokens against a negligible amount of collateral, about one wei of cvcrvUSD, completely bypassing any solvency checks. Upon succeeding, they quickly swapped the tokens through Curve and Uniswap for USDC and wrapped ethereum (WETH), generating a net profit in the region of $9.5 million.

Additional analysis from PeckShield indicated that the entry point for the exploit was a transaction on Cow Swap involving 2 ETH, which was then funneled into Tornado Cash for anonymity. After passing through the mixer, the attacker deposited the funds into the exploit contract before using it to trigger the vulnerability that allowed them to borrow and extract some 1,581 ETH.

In a post on X, CertiK noted that the exploiter moved about $5.56 million to one address and $4 million to another, consolidating the funds post-exploit.

Resupply has since confirmed the breach through its official X account. The platform announced it had paused the affected market but maintained that other operations WOULD continue normally. It has also said it will provide a full post-mortem in the next few days.

A Broader Pattern

This latest attack comes just over a week after the $49 million breach of Iranian crypto exchange Nobitex, which was attributed to the pro-Israel hacker group “Gonjeshke Darande.”

Earlier in May, Sui-based DEX Cetus suffered a much bigger exploit, losing about $223 million. In that incident, the unknown culprit reportedly gained control of all SUI-denominated liquidity pools on Cetus before draining them.

Shortly after the attack, with the help of sui validators, Cetus managed to freeze two wallets holding about $162 million worth of stolen cryptocurrencies. However, the thief was still able to bridge nearly $60 million worth of tokens to Ethereum, where they swapped them for ETH. The DEX has since initiated plans to compensate users affected by the attack.

At the same time, bad actors are increasingly targeting trusted crypto information and data platforms. Former Binance CEO Changpeng Zhao recently highlighted the trend, pointing to quick-fire attacks on CoinMarketCap and Cointelegraph to deploy wallet-draining phishing pop-ups, which was a move away from the more familiar direct hacking attempts on crypto exchanges.