A Hacker Turned $4,000 Into $9.5M in 90 Minutes — And Resupply's Team Didn't Even Chase Them
A hacker walked out of Resupply with $9.5 million today using a flash loan that cost them $4,000 and a collateral position worth exactly 1 wei — the smallest possible unit of value on Ethereum.
The exploit lasted roughly 90 minutes from vault deployment to full drain. The team’s response? A brief tweet. No bounty. No on-chain negotiation. Just silence.
The community is furious.
What Happened
Resupply is a stablecoin lending protocol and sub-DAO of Convex and Yearn Finance. It lets users deposit yield-bearing assets, then borrow reUSD, Resupply’s native stablecoin, against them.
On June 26, a governance vote approved the deployment of a new lending market for wstUSR — a wrapped staked USD token. The vault went live. Ninety minutes later, it was empty.
The Attack — Step by Step
This is an ERC-4626 donation attack, a class of exploit that’s been documented for years. Resupply deployed a fresh vault with no initial liquidity and no protection against it.
Here’s exactly how the attacker moved:
- Borrow $4,000 in USDC via a flash loan from Morpho
- Convert to crvUSD, then donate 2,000 crvUSD directly into the empty vault
- Deposit 2 more crvUSD → receive exactly 1 wei of cvcrvUSD vault shares
Here’s the trick: in an empty vault, a small donation has a massive distorting effect on share price. Before the donation, 1 share = 1 token. After the donation of 2,000 crvUSD into an essentially empty pool, 1 share suddenly represents 2,000 tokens. The vault’s price-per-share is now wildly inflated.
- Use that 1 wei of cvcrvUSD as collateral in Resupply’s lending contract
- Borrow 10,000,000 reUSD — Resupply’s own stablecoin — against that collateral
Because the vault’s collateral valuation logic trusted the inflated share price, it let the attacker borrow 10 million reUSD against collateral worth a fraction of a cent. Resupply’s solvency checks never fired.
The attacker repaid the flash loan, kept the spread, and walked away with ~$9.5 million.
The Aftermath Nobody Expected
The numbers tell the story:
- Resupply’s TVL collapsed from $135M to $85M — a $50M drop in user trust overnight
- The RSUP governance token shed the majority of its market cap, falling to $7 million total
- The Resupply team issued a single tweet. No hacker bounty was posted. No on-chain message to the attacker. No recovery efforts made public.
That last part is what triggered the community. The standard playbook after a DeFi exploit is to post an on-chain message offering a white-hat bounty (typically 10-20%) and set a deadline. Resupply did none of this. Users who lost funds have been left with almost no information.
A separate dispute involving Curve Finance over the $9.3M exploit eventually ended up in Singapore court — a sign of how contentious the fallout became.
This Vulnerability Is Not New
The ERC-4626 donation attack is not a zero-day. It’s a documented, well-understood vulnerability pattern. Protocols like Silo Finance and others have been warned about it repeatedly by auditors.
The fix is straightforward: implement virtual shares or a minimum initial deposit during vault construction. These mechanisms simulate starting liquidity so that early donations can’t skew the share price into the stratosphere.
Resupply’s wstUSR vault had neither.
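To make the inflation concrete, here is an added Python model of ERC-4626 share accounting (example code, not Resupply's, Convex's or OpenZeppelin's own) run with the textbook ordering of a 1 wei deposit followed by the 2,000 crvUSD donation, once against a bare vault and once against each of the two mitigations named above. The decimals offset of 6 and the 1,000 crvUSD seed deposit are assumed values chosen for illustration.

```python
ONE = 10**18  # crvUSD has 18 decimals: 1 crvUSD = 10**18 base units (wei)

class Vault:
    """ERC-4626 share accounting (added model, not any project's code).
    offset=None: bare vault, shares = assets * totalSupply / totalAssets (first deposit 1:1).
    offset=n: OpenZeppelin-style 10**n virtual shares and 1 virtual asset (assumed offset).
    seed: assets deposited at deployment whose shares are locked forever (minimum initial deposit)."""

    def __init__(self, offset=None, seed=0):
        self.offset = offset
        self.total_assets = 0  # what the vault believes it holds: its token balance
        self.total_shares = 0
        if seed:
            self.deposit(seed)  # locked seed shares only dilute a would-be manipulator

    def convert_to_shares(self, assets):
        if self.offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10**self.offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares):
        if self.offset is None:
            if self.total_shares == 0:
                return shares
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10**self.offset)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets):
        # Plain ERC-20 transfer to the vault address: raises totalAssets, mints no shares.
        self.total_assets += assets

def donation_attack(vault, donation=2000 * ONE):
    """Textbook ordering (1 wei deposit, then the donation). Returns the attacker's
    share count and the crvUSD base units that 1 wei of shares now redeems for."""
    shares = vault.deposit(1)
    vault.donate(donation)
    return shares, vault.convert_to_assets(1)

if __name__ == "__main__":
    for label, v in [("bare", Vault()), ("offset=6", Vault(offset=6)), ("seeded", Vault(seed=1000 * ONE))]:
        shares, wei_value = donation_attack(v)
        print(f"{label:9} attacker shares={shares:>8}  1 wei share = {wei_value / ONE:.3e} crvUSD")
```

With the bare vault, 1 wei of shares redeems for the 2,000 crvUSD the article describes; with either mitigation it redeems for a thousandth of a token or less, and much of the donation accrues to the virtual or locked shares instead of the manipulator.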
This is the part that stings: the DAO voted to deploy this market. The governance process approved it. The vault launched unprotected. And within an hour and a half, it was gone.
BlockSec’s post-mortem noted that real-time monitoring could have flagged the abnormal vault share price spike within seconds of the donation — potentially triggering an automatic pause before the borrow transaction went through. That tooling existed. It wasn’t wired in.
Why This Matters for Crypto Jobs
Every major DeFi exploit is a job posting in disguise. The Resupply hack is going to accelerate hiring across a specific slice of crypto security:
Smart Contract Auditors — demand has never been higher, and the backlog at top-tier firms (Trail of Bits, Spearbit, Sherlock, Code4rena) is already months long. If you have Solidity auditing skills, you’re sitting on a goldmine right now.
Protocol Safety Researchers — protocols need people who know the ERC-4626 attack surface, MEV exposure, oracle manipulation, and flash loan vectors. These aren’t auditors in the traditional sense — they’re researchers embedded in dev teams.
DeFi Security Engineers — writing the real-time monitoring, circuit breakers, and invariant testing that would have stopped this. Foundry-fluent security engineers who can write invariant fuzz tests are rare and extremely well-compensated.
Incident Response Specialists — Resupply’s communication failure was almost as damaging as the hack itself. Protocols are starting to hire people whose job is specifically to manage exploit response, community communication, and fund recovery operations.
Governance Risk Analysts — the wstUSR vault was approved through a DAO vote. Nobody flagged the security properties of the deployment. This is an emerging role: analyzing governance proposals for risk before they execute.
The brutal truth: DeFi is building faster than it’s securing. Every protocol that ships without invariant testing, real-time monitoring, or a proper audit backlog is one governance vote away from becoming the next Resupply.
If you’re a security researcher, auditor, or DeFi engineer — the demand for your skills is at an all-time high. Browse open roles at cryptogrind.com and find the team that needs you before the next exploit does.