🚨 How a Single Wei Broke ResupplyFi: Inside the $9.6M DeFi Price Manipulation Heist

On June 26, 2025, ResupplyFi—a decentralized stablecoin and lending protocol—became the latest victim in a string of DeFi price manipulation attacks, losing an estimated $9.6 million from its wstUSR lending market.

But this wasn’t a typical exploit. This was a surgical, precision-driven manipulation that started with just 1 wei and ended in millions.

Here’s how it happened, why it worked, and what this means for the future of DeFi.

🧨 The Attack at a Glance

• Target: ResupplyFi’s wstUSR market

• Method: Oracle manipulation via ERC-4626 vault logic bug

• Funds lost: ~$9.6 million in reUSD

• Exploited function: _updateExchangeRate() in ResupplyPair contract

• Timeline: Single transaction drain within minutes

🛠️ How the Exploit Worked

At the heart of the attack was a poorly designed exchange rate oracle within ResupplyFi’s vault contract. Specifically, the exchangeRate was derived using a value called pricePerShare, common in ERC 4626 vaults.

But here’s the catch:

➤ The attacker deposited 1 wei into an almost empty vault.

This gave them control over how the vault's pricePerShare would respond to subsequent “donations.”

➤ Then, they made a large “donation” to the vault.

This artificially inflated the share price, skewing the oracle rate. Because of a logic flaw, the protocol calculated the exchangeRate as 0, tricking the system into thinking the collateral was worthless.

➤ Result:

The attacker borrowed $10 million worth of reUSD against 0 value collateral.

⚠️ What Went Wrong?

• Broken Oracle Assumptions: The system trusted pricePerShare as a real-world oracle without validation.

• No Lower Bound Check: Allowing exchangeRate to drop to zero effectively bypassed the collateralization check.

• Missing Guardrails: There were no sanity limits on extreme values coming from vault math.

💸 The Drain & Laundering

The attacker didn’t stick around.

They quickly converted stolen reUSD into ETH

Funds are now sitting at

1. 0x886f786618623fffb2be59830a47661ae6492e16
2. 0x31129a5c13306a48e827e851d44e19ca07d4928a

🧠 Lessons for the DeFi World

This hack joins a growing list of oracle manipulation exploits where DeFi protocols underestimate how easily “trusted” math can be gamed in low-liquidity or edge-case scenarios.

✅ Key takeaways for builders:

• Never trust raw vault math without bounds.

• Validate pricePerShare with a circuit breaker or floor value.

• Use multiple oracles for redundancy.

• Simulate edge cases with small deposits in testing environments.

🗣️ Final Thoughts

The ResupplyFi exploit is another reminder that a single wei, when paired with flawed logic, can dismantle an entire system.

As DeFi continues to innovate, we must slow down and ensure that core primitives like oracles, vaults, and pricing logic are built with security-first principles.

If not, there will always be someone waiting to turn one wei into one more heist.