Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 238 · Smart Contract Bug

Resupply ERC-4626 Donation Attack

$9.8M drained from Resupply in under 90 minutes when a $4,000 flash loan exploited a 2-hour-old wstUSR vault via an ERC-4626 donation attack.

Date: June 26, 2025
Victim: Resupply
Chain(s):
Status:
Funds Stolen: approximately $9.8 million

On June 26, 2025, the DeFi lending protocol Resupply — integrated with the Convex and Yearn ecosystems — was drained of approximately $9.8 million in under 90 minutes. The attacker leveraged a classic ERC-4626 donation attack combined with a flawed vault implementation. The target vault had been deployed only 2 hours before the exploit and held negligible value — exactly the conditions the donation attack requires. A $4,000 flash loan turned into a multi-million-dollar heist.

What happened

Resupply allowed users to borrow its reUSD stablecoin against various deposited assets. The protocol used ERC-4626 vault tokens to represent user deposits — a standard pattern where the vault's share price is computed as totalAssets / totalSupply.

The ERC-4626 donation attack is a well-documented vulnerability class that exploits a critical edge case:

  • When a vault has very low or zero total supply of shares, donating tokens directly to the vault contract (bypassing the deposit function) can massively inflate the share price.
  • An attacker can then deposit a tiny amount, receive minimal shares due to the inflated price, and manipulate the exchange rate to zero through integer division — bypassing solvency checks that depend on price-per-share calculations.

The attack:

  1. Targeted the wstUSR vault — a newly-deployed Resupply vault that had been live for only 2 hours and held essentially no value.
  2. Took a $4,000 flash loan for the operational capital.
  3. Donated tokens directly to the wstUSR vault, inflating its totalAssets without minting new shares.
  4. The vault's price-per-share calculation went to extreme values — and through integer division errors in the Solidity math, ultimately to zero.
  5. With the exchange rate at zero, Resupply's solvency checks passed any borrow operation — the protocol believed the attacker's collateral was worth infinitely more than the debt being created.
  6. Borrowed millions in reUSD against essentially one wei of collateral, then swapped the reUSD for crvUSD and ETH through DEX aggregators.

Net theft: approximately $9.6-9.8 million. 2,280 ETH was bridged to Tornado Cash within hours of the drain.

Aftermath

  • Resupply paused affected vault operations as the exploit was detected.
  • The team published a post-mortem identifying the freshly-deployed wstUSR vault as the entry point.
  • No public recovery — funds were laundered through Tornado Cash within the day.

Why it matters

The Resupply incident is one of the cleanest cases for why newly-deployed ERC-4626 vaults are categorically dangerous. The donation-attack vulnerability has been documented since at least 2021 — OpenZeppelin published explicit warnings, audit firms include it on standard checklists, and the canonical mitigations (initial dead-shares minting, virtual shares offset) are well-known.

The conditions that made Resupply vulnerable:

  1. Vault deployed without protective initial deposit — the attacker found the vault in its "empty" state where donation manipulation is mathematically devastating.
  2. No virtual-shares offset — the Uniswap V4 / Solady "virtual shares" pattern that hardens against donation attacks was not implemented.
  3. No deployment-time invariant check — the protocol's deployment script didn't seed each new vault with the small dead-share deposit that would have neutralised the attack.

The structural lesson is operationally simple: every new ERC-4626 vault deployment must include a protective initial deposit, ideally locked permanently to a burn address or DAO multi-sig. The fix is one transaction at deployment time. Skipping it cost Resupply $9.8M.
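The share-price arithmetic behind the donation attack described above, and the effect of the two mitigations named in this section (a locked dead-share seed and a virtual-shares offset), as an added toy model rather than Resupply's or OpenZeppelin's code. All amounts are constructed sample values in wei of the underlying; the attacker, victim and deployer accounts are hypothetical.

```python
# Toy model of ERC-4626 share accounting (added example; not Resupply's or OpenZeppelin's code).
# Integer arithmetic mirrors Solidity: every division rounds down.

class Vault:
    def __init__(self, decimals_offset=None):
        # decimals_offset=None: naive vault, shares = assets * totalSupply / totalAssets.
        # Integer n: OpenZeppelin-style virtual shares, 10**n virtual shares backing 1 virtual asset.
        self.total_assets, self.total_supply, self.offset, self.balances = 0, 0, decimals_offset, {}

    def to_shares(self, assets):
        if self.offset is None:
            return assets if self.total_supply == 0 else assets * self.total_supply // self.total_assets
        return assets * (self.total_supply + 10 ** self.offset) // (self.total_assets + 1)

    def to_assets(self, shares):
        if self.offset is None:
            return 0 if self.total_supply == 0 else shares * self.total_assets // self.total_supply
        return shares * (self.total_assets + 1) // (self.total_supply + 10 ** self.offset)

    def deposit(self, who, assets):
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets):
        # Plain token transfer to the vault address: totalAssets grows, no shares are minted.
        self.total_assets += assets

    def redeem(self, who):
        shares = self.balances.pop(who, 0)
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets


def run_donation_attack(decimals_offset=None, dead_shares_seed=0,
                        donation=10_000 * 10**18, victim_deposit=5_000 * 10**18):
    """Attacker: 1 wei deposit + donation; victim deposits; both redeem. Returns (victim_shares, attacker_pnl, victim_pnl)."""
    v = Vault(decimals_offset)
    if dead_shares_seed:
        v.deposit("deployer", dead_shares_seed)   # dead shares seeded at deployment, never redeemed
    v.deposit("attacker", 1)
    v.donate(donation)
    victim_shares = v.deposit("victim", victim_deposit)
    attacker_pnl = v.redeem("attacker") - (1 + donation)
    victim_pnl = v.redeem("victim") - victim_deposit
    return victim_shares, attacker_pnl, victim_pnl
```

In the naive vault the victim's 5,000-token deposit rounds to zero shares and the attacker walks away with it; with either mitigation the victim keeps all but dust and the attacker forfeits most of the donation.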

The pattern recurs across DeFi history — Hundred Finance, Sonne Finance, Onyx Protocol — and continues to produce losses for protocols that ship Compound v2 forks or ERC-4626 implementations without the well-documented mitigations. The cumulative cost of skipping the initial-deposit pattern is, by now, well into the hundreds of millions.

Sources & on-chain evidence

  1. nabilech.com: https://nabilech.com/resupplyfi-rekt-how-a-4k-flash-loan-led-to-a-9-8m-erc-4626-donation-attack/
  2. halborn.com: https://www.halborn.com/blog/post/explained-the-resupply-hack-june-2025
  3. decrypt.co: https://decrypt.co/327148/hacker-drained-9-6-million-from-defi-stablecoin-protocol-resupply
