
Resupplyfi Hack Analysis - Ackee Blockchain

By Crypto Flexs | August 20, 2025 | 2 Mins Read
On June 26, 2025, Resupplyfi lost $9.56M in an attack. The attacker exploited the ERC4626 "first donation" vulnerability in the ResupplyPair contract (0x6e90c) for the cvcrvUSD vault. They stole $10 million in a single flash-loan transaction (0xFFBD).

How did this happen?

The Resupplyfi protocol contained a vulnerability in its handling of ERC4626 vault collateral that allowed the attacker to manipulate the exchange rate and bypass the LTV (loan-to-value) check, enabling unauthorized borrowing. The vulnerability was exploited in a real attack, resulting in $95.6 million within just a few hours of the protocol deployment.

Details of vulnerability

1. Exchange rate calculation

Location: ResupplyPairCore.sol:573

_exchangeRate = 1e36 / IOracle(_exchangeRateInfo.oracle).getPrices(address(collateral));

Problem: If the oracle price is very large, integer division without rounding protection makes the exchange rate drop to zero.

2. ERC4626 Donation Attack Vector

Location: ResupplyPairCore.sol:155-156

underlying = IERC20(IERC4626(_collateral).asset());

The protocol accepts ERC4626 vaults as collateral, which are vulnerable to donation attacks. In the actual exploit, the attacker targeted a vault that was almost empty at deployment.

- The attacker can donate assets directly to the vault.

- This significantly inflates the price per share.

- The oracle accurately reports the inflated price.

- Exchange rate calculation: `1e36 / extremely_large_number = 0`

3. Broken solvency check

Location: ResupplyPairCore.sol:282

uint256 _ltv = ((_borrowerAmount * _exchangeRate * LTV_PRECISION) / EXCHANGE_PRECISION) / _collateralAmount;
return _ltv <= _maxLTV;

When _exchangeRate = 0:

- LTV calculation:

(_borrowerAmount * 0 * LTV_PRECISION) / EXCHANGE_PRECISION / _collateralAmount = 0

- Check: 0 <= _maxLTV always returns true

Result: Any collateral allows unlimited borrowing.

Attack scenario

Target: cvcrvUSD ERC4626 vault (almost empty at deployment)

1. Initial manipulation:

After depositing one wei into the empty cvcrvUSD vault, the attacker made a large donation to artificially inflate the `pricePerShare`.

2. Exchange rate:

The attacker:

- Called borrow() on the newly deployed ResupplyPair

- Triggered the oracle price fetch: getPrices(address(collateral))

- The price was very high due to the donation inflation

- _exchangeRate = 1e36 / price was calculated as 0 by Solidity's floor division

3. Solvency bypass:

- The _isSolvent() check used _exchangeRate = 0

- LTV calculation:

(_borrowAmount * 0 * LTV_PRECISION) / EXCHANGE_PRECISION / _collateralAmount = 0

- Check: 0 <= _maxLTV always returns true

4. Bulk borrowing:

The attacker used only one wei of collateral to borrow $10 million in reUSD, then swapped and redistributed the stolen funds. This led to a final profit of 9.56 million, split across several addresses.

General attack pattern

1. Target a new or low-liquidity ERC4626 vault.

2. Donate a large amount of the underlying asset to inflate the share price.

3. Mint a minimal amount of vault shares (1 wei).

4. The oracle price inflates to astronomical levels.

5. The exchange rate drops to zero due to integer division.

6. Bypass the LTV check with minimal collateral.

7. Borrow the maximum available funds.

Recommendation

Immediate mitigation

1. Add an exchange rate floor

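_exchangeRate = 1e36 / IOracle(_exchangeRateInfo.oracle).getPrices(address(collateral));
// Revert if integer division truncated the rate to zero
require(_exchangeRate > 0, "Invalid exchange rate");
// Redundant once the require above is in place: a zero rate has already reverted
_exchangeRate = _exchangeRate == 0 ? 1 : _exchangeRate;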

2. Add minimum collateral requirements

Enforce a minimum deposit for ERC4626 vaults and implement a share/asset ratio check.
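
The truncating division and solvency check from the vulnerability details, next to the zero-rate guard from recommendation 1, modelled with Python integers. This is an added example, not code from Resupplyfi or Ackee Blockchain; the function names, the values of EXCHANGE_PRECISION, LTV_PRECISION and MAX_LTV, and the sample amounts are assumptions.

```python
# Python's // on non-negative ints truncates like Solidity's uint256 division.
# Assumed values (not stated on the page): EXCHANGE_PRECISION, LTV_PRECISION, MAX_LTV.
RATE_NUMERATOR = 10**36       # the 1e36 literal from the page
EXCHANGE_PRECISION = 10**18   # assumption
LTV_PRECISION = 10**5         # assumption
MAX_LTV = 95_000              # assumption: 95% at LTV_PRECISION scale

class InvalidExchangeRate(Exception):
    """Stands in for the revert raised by require(_exchangeRate > 0, ...)."""

def exchange_rate(oracle_price: int) -> int:
    """_exchangeRate = 1e36 / getPrices(collateral), with truncating division."""
    if oracle_price <= 0:
        raise ValueError("oracle price must be positive")
    return RATE_NUMERATOR // oracle_price

def ltv(borrow_amount: int, collateral_amount: int, rate: int) -> int:
    """The page's LTV expression, evaluated in the same order."""
    return (borrow_amount * rate * LTV_PRECISION) // EXCHANGE_PRECISION // collateral_amount

def is_solvent_vulnerable(borrow_amount: int, collateral_amount: int, oracle_price: int) -> bool:
    """Solvency check as described: a truncated rate of 0 gives an LTV of 0."""
    rate = exchange_rate(oracle_price)
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV

def is_solvent_guarded(borrow_amount: int, collateral_amount: int, oracle_price: int) -> bool:
    """Same check with the recommended guard: reject a zero rate first."""
    rate = exchange_rate(oracle_price)
    if rate == 0:
        raise InvalidExchangeRate("Invalid exchange rate")
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV

if __name__ == "__main__":
    borrow = 10_000_000 * 10**18   # constructed: 10M units with 18 decimals
    normal_price = 10**18          # constructed: un-inflated share price
    inflated_price = 10**36 + 1    # smallest price whose rate truncates to 0
    print(is_solvent_vulnerable(borrow, 1, normal_price))    # False
    print(is_solvent_vulnerable(borrow, 1, inflated_price))  # True
    try:
        is_solvent_guarded(borrow, 1, inflated_price)
    except InvalidExchangeRate as exc:
        print("rejected:", exc)
```

Any oracle price above 1e36 truncates the rate to zero, so a monitoring or fuzzing harness can use that boundary as its test value.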

References

- ERC4626 standard: https://eips.ethereum.org/eips/eip-4626

- Resupplyfi official response: https://x.com/resupplyfi/status/193809252431036491

- Target vault: cvcrvUSD ERC4626 vault
