Resupply protocol outlines recovery plan post $10M exploit, proposes $6M token burn

The decentralized stablecoin protocol recently hit by a multi-million-dollar exploit has presented a formal recovery plan to address the fallout.

According to Resupply’s latest announcement, the recovery plan will focus on stabilizing the protocol’s finances and supporting affected users.

At the core of the plan is a proposal to burn $6 million reUSD from the protocol’s insurance pool, which currently holds about $38.7 million. The exploit, which took place on June 25, 2025, resulted in losses reaching $10 million. Of this, the protocol emphasized that $2.87 million has already been repaid by the treasury and partners, leaving roughly $7.13 million.

The proposed six million burn would cover the majority of that debt, while the remaining $1.13 million would be carried by the DAO and gradually repaid using future revenue sources such as protocol fees or potential RSUP token sales.

All actions in the recovery plan are subject to governance vote. To speed up implementation, the team is proposing a shortened three-day voting period, rather than the usual seven.

If approved, the token burn will take place immediately, and insurance pool withdrawals, which were paused after the exploit, could resume within the original seven-day cooldown window.

How the Resupply exploit happened

According to the protocol’s post-mortem report, the attacker exploited a vulnerability in the crvUSD-wstUSR market. The exploit was made possible because the underlying CurveLend vault had no prior deposits, allowing the attacker to manipulate how the share value was calculated.

By donating a large amount of crvUSD to the vault and minting just 1 wei of shares, the attacker artificially inflated prices to make the collateral appear more valuable than the actual deposit.

While the oracle correctly reported the inflated value, a rounding issue in the contract’s exchange rate calculation caused the value to resolve to zero. This zero value broke the protocol’s solvency check, making every loan request appear safe. With the bypass, the attacker was able to borrow up to the pair’s full $10 million reUSD debt limit. 

Resupply stressed that the scheme was not a typical inflation attack, but a more targeted and sophisticated design aimed at nullifying the solvency logic.

“The exploit flow involved inflation of the CurveLend collateral shares, but differed from a classical ‘inflation attack’ as it was carefully designed to nullify a borrower solvency check,” Resupply stated.

The team added that the stolen funds remain on-chain and are actively being monitored. Furthermore, stronger security measures will be deployed going forward to permanently defend against similar exploits.