Decentralized stablecoin protocol Resupply has revealed a formal recovery plan aimed at restoring financial stability and supporting affected users after a $10 million exploit rocked the protocol on June 25.
Core of the Plan: $6M Token Burn
In a statement released today, Resupply outlined its proposal to burn $6 million worth of reUSD from its insurance pool, which currently holds approximately $38.7 million. This burn would address the bulk of the remaining losses stemming from the exploit, with the protocol treasury and partners having already repaid $2.87 million. That leaves an outstanding shortfall of $7.13 million, of which the token burn would cover the lion’s share.
The remaining $1.13 million is expected to be gradually repaid by the DAO using future revenue streams such as protocol fees or potential RSUP token sales.
Governance Vote and Fast-Track Implementation
All proposed measures are subject to a community governance vote, though Resupply’s team is recommending a shortened three-day voting window, rather than the usual seven days, to ensure rapid implementation.
Should the vote pass, the token burn would be executed immediately, and withdrawals from the insurance pool currently paused could resume within the standard seven-day cooldown period.
Inside the Exploit: CurveLend Vulnerability
According to a detailed post-mortem report, the attacker targeted the crvUSD-wstUSR market, leveraging a vulnerability in the CurveLend vault specifically, one that had no prior deposits. This allowed the attacker to manipulate the way share value was calculated.
The attacker donated a large amount of crvUSD and minted just 1 wei of shares, which drastically skewed the perceived value of the vault’s collateral. Although the price oracle accurately reported the inflated value, a rounding error in the exchange rate contract logic resolved the value to zero, effectively nullifying the solvency check meant to protect the protocol.
With solvency logic bypassed, the attacker successfully borrowed up to the $10 million reUSD debt ceiling, draining the system.
Not a Typical Inflation Attack
Resupply clarified that the exploit was not a standard token inflation attack, but a precision-engineered exploit that took advantage of the protocol’s architecture and rounding logic.
“The exploit flow involved inflation of the CurveLend collateral shares but differed from a classical ‘inflation attack’ as it was carefully designed to nullify a borrower solvency check,” the team stated.
Security Measures and On-Chain Monitoring
Resupply emphasized that the stolen funds remain on-chain and are actively monitored. As part of its recovery and defense strategy, the team has committed to deploying stronger security measures to prevent similar attacks in the future.
DeFi Still in the Crosshairs
The incident adds to the mounting toll of DeFi hacks in 2025, with blockchain intelligence firm TRM Labs recently reporting over $2.1 billion in losses due to exploits in the first half of the year alone.
As Resupply seeks to recover and rebuild trust, the community now turns to governance to vote on the swift implementation of the proposed recovery strategy a crucial test of resilience for both the protocol and its decentralized stakeholders.
