In June 2025, Resupply, an on-chain lending protocol, was the victim of a $9.8 million hack. The attacker took advantage of the deployment of a new crcrvUSD vault to manipulate exchange rates and drain value from the project’s smart contracts.
Inside the Attack
The Resupply attacker followed a common attack playbook. When a new vault is deployed by a protocol, it has very low liquidity. As a result, even small changes to the balance of the vault can have an outsized effect on how it values tokens. In this case, the target vault was deployed only two hours before it was exploited, meaning that it held negligible value.
The Resupply hacker took advantage of this by making a donation to the vault and minting a single wei of shares. As a result, that wei was considered equivalent in value to the 2,000 crvUSD that the vault held due to the attacker’s donation.
When the protocol calculated exchange rates for the vault, it did so by dividing 1e36 by the perceived value of a token. The attacker’s donation caused the perceived value to be 2e36. Since the smart contract uses integer division, 1e36/2e36 is rounded down to zero.
With an exchange rate of zero, users can deposit a negligible amount of collateral to take out massive loans. The attacker exploited the vulnerability by depositing 1 wei of crcrvUSD to borrow all of the value stored in the protocol, worth an estimated $9.8 million.
After extracting funds from the protocol, the attacker distributed them to two addresses. Then, these tokens were sent to Tornado Cash for laundering, destroying the attacker’s trail.
Lessons Learned from the Attack
The Resupply hack is a classic example of a malicious donation attack on a newly deployed vault. Without proper protections in place, small manipulations of the vault’s value allow an attacker to manipulate the exchange rate and steal from the protocol.
This is a well-known type of attack, and best practices are well-established. After deploying a vault, a project can prevent this type of exploit by introducing some liquidity into the vault. This raises the amount that an attacker has to donate to make a meaningful impact on the exchange rate, making the attack more expensive and less feasible to perform.
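The rounding failure and the effect of seeding liquidity can be reproduced with plain integer arithmetic. The sketch below is an added illustration, not Resupply's contract code. The share-price formula, the LTV check, the zero-rate guard and all vault balances are assumptions constructed for the example; only the 1e36 numerator and the 2e36 price come from the description above.

```python
# Added illustration: simplified integer-math model, not Resupply's contract code.
PRECISION = 10**36  # numerator of the exchange-rate division (from the article)
WAD = 10**18        # assumed 18-decimal scaling for shares and assets

def share_price(total_assets: int, total_shares: int) -> int:
    """Perceived value of 1e18 share units, in asset wei (assumed oracle formula)."""
    return WAD * total_assets // total_shares

def exchange_rate(price: int) -> int:
    """Vulnerable form: integer division truncates, so price > 1e36 gives 0."""
    return PRECISION // price

def exchange_rate_checked(price: int) -> int:
    """Hardened form (assumed guard): refuse a rate that rounded to zero."""
    rate = PRECISION // price
    if rate == 0:
        raise ValueError("exchange rate rounded to zero; rejecting price")
    return rate

def is_solvent(borrowed: int, collateral: int, rate: int, max_ltv_bps: int = 9_500) -> bool:
    """Assumed LTV check: debt valued through the exchange rate against collateral."""
    ltv_bps = borrowed * rate * 10_000 // PRECISION // collateral
    return ltv_bps <= max_ltv_bps

def min_assets_to_zero_rate(total_shares: int) -> int:
    """Smallest vault balance (asset wei) at which exchange_rate() returns 0."""
    return -(-(PRECISION + 1) * total_shares // WAD)  # ceiling division

# Constructed values, chosen so the model yields the article's 2e36 price.
FRESH_PRICE = share_price(total_assets=2 * WAD, total_shares=1)
# Constructed seeded vault: 1,000 tokens of liquidity, then a 2,000-token donation.
SEEDED_PRICE = share_price(total_assets=3_000 * WAD, total_shares=1_000 * WAD)

if __name__ == "__main__":
    print(FRESH_PRICE, exchange_rate(FRESH_PRICE))      # rate truncates to 0
    print(is_solvent(borrowed=9_800_000 * WAD, collateral=1, rate=0))
    print(SEEDED_PRICE, exchange_rate(SEEDED_PRICE))    # rate stays non-zero
    print(min_assets_to_zero_rate(1), min_assets_to_zero_rate(1_000 * WAD))
```

In this model, one wei of shares lets a balance of just over one token zero the rate, while 1,000 tokens of seeded shares raise the required balance by a factor of 1e21.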
This type of attack is made possible by an insecure value calculation and weak deployment processes.