defirisk.co
rubric v1.7.0

ResupplyFi: ERC4626 Donation Attack (Vault Inflation / Zero Exchange Rate)


  • Occurred: 2025-06-25
  • Loss: $10M
  • Status: closed

Summary #

ResupplyFi suffered a Lending-category exploit on 2025-06-25, resulting in a loss of approximately $10M.

What happened #

ResupplyFi lost $9.8M in two hours when an attacker donated spare change to a freshly deployed vault, inflated its share price to infinity, and borrowed the entire market with 1 wei of collateral.

Linked factors #

  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — wstUSR market contract deployed ~2 hours before exploit]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown — not mentioned in source]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: New market deployed ~2 hours before exploit (detectable on-chain); Tornado Cash funding of attacker address]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Yes — oracle reported astronomically inflated price for newly donated vault; any oracle sanity check would have flagged price as unrealistic]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — integrates crvUSD/Curve infrastructure; ERC4626-based]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — wstUSR market contract deployed ~2 hours before exploit]