DeFi protocol Resupply has publicly detailed a comprehensive recovery plan following a significant $10 million exploit that occurred on June 26, 2025. This multi-faceted strategy encompasses the burning of a substantial portion of its reUSD bad debt and the commencement of a compensation program for affected users, underscoring a proactive effort to re-establish financial stability and user confidence in the aftermath of the security breach.
The Incident and Immediate Response
The exploit, executed on June 26, 2025, capitalized on an oracle manipulation vulnerability within the protocol’s infrastructure. The attacker specifically targeted Resupply’s oracle contract logic, artificially inflating the value of crvUSD. This manipulation effectively drove the exchangeRate variable to zero, enabling the perpetrator to secure an unauthorized loan of 10 million reUSD using negligible collateral—specifically, just 1 wei. Remarkably, the breach was identified and critical patches were deployed within an hour of its occurrence. Resupply’s development team has since confirmed that the illicitly acquired funds remain fully traceable on-chain, offering a potential avenue for recovery.
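The failure mode described above can be modeled in a few lines. This is an added example, not Resupply's contract code: it assumes the rate is derived as a fixed-point constant divided by the oracle price using integer division, and that the solvency check multiplies debt by that rate. The constants, decimals, and function names are hypothetical.

```python
# Simplified model (constructed for illustration; not Resupply's contract code).
# Assumption: the pair derives exchangeRate as PRECISION // oracle_price using
# integer division, and the solvency check multiplies the debt by that rate.

PRECISION = 10**36        # assumed fixed-point scale for the rate
LTV_PRECISION = 10**5     # assumed scale for LTV values
MAX_LTV = 95_000          # assumed 95% maximum loan-to-value


class InvalidRate(Exception):
    """Raised when the oracle-derived rate is unusable."""


def exchange_rate(oracle_price: int) -> int:
    # Integer division floors: any price above PRECISION yields 0.
    return PRECISION // oracle_price


def is_solvent_unchecked(debt: int, collateral: int, rate: int) -> bool:
    # With rate == 0 the computed LTV is 0, so every debt size passes.
    ltv = debt * rate * LTV_PRECISION // PRECISION // collateral
    return ltv <= MAX_LTV


def is_solvent_checked(debt: int, collateral: int, rate: int) -> bool:
    # Hardened form: refuse to evaluate solvency on a zero rate or zero collateral.
    if rate == 0:
        raise InvalidRate("exchangeRate rounded to zero; oracle price out of range")
    if collateral == 0:
        return debt == 0
    return is_solvent_unchecked(debt, collateral, rate)


def demo() -> dict:
    sane_rate = exchange_rate(10**18)            # constructed price of 1.0 (18 decimals)
    inflated_rate = exchange_rate(2 * 10**36)    # constructed inflated price
    debt = 10_000_000 * 10**18                   # 10 million reUSD, assuming 18 decimals
    result = {
        "sane_rate": sane_rate,
        "inflated_rate": inflated_rate,
        "unchecked_sane": is_solvent_unchecked(debt, 1, sane_rate),
        "unchecked_inflated": is_solvent_unchecked(debt, 1, inflated_rate),
    }
    try:
        is_solvent_checked(debt, 1, inflated_rate)
        result["checked_inflated"] = "accepted"
    except InvalidRate:
        result["checked_inflated"] = "rejected"
    return result
```

With a sane price, a 10 million reUSD debt against 1 wei of collateral fails the check; with the rate floored to zero, the unchecked version passes it and the guarded version rejects the rate outright.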
Immediately following the incident, Resupply’s developers took decisive action by resetting interest rates to zero, a measure designed to halt the further accumulation of bad debt. Concurrently, a portion of the incurred debt was repaid using resources from the protocol’s treasury. Furthermore, critical fixes were swiftly implemented across key core contract functions, specifically ResupplyPairCore.sol and ResupplyPairDeployer.sol. According to official statements, the total outstanding bad debt is currently recorded at 7.1 million reUSD. Of this amount, 2.86 million reUSD has already been successfully covered by combined treasury contributions from Resupply itself, Convex, and C2tP.
Recovery Strategy and Market Reaction
To comprehensively address the residual deficit, the Resupply team has put forth a proposal to burn 6 million reUSD. This proposed burn represents approximately 15.5% of the protocol’s dedicated insurance pool. The remaining segment of the bad debt is slated for absorption by the protocol’s Decentralized Autonomous Organization (DAO), with resolution anticipated through future revenue streams, potentially including over-the-counter (OTC) sales of the native RSUP token. Should this proposal receive approval, it is structured for rapid deployment, becoming effective just three days post-vote. This expedited timeline aims to minimize the duration of fund lockup for users. Additionally, an incentive program, leveraging RSUP tokens, is being developed to specifically compensate participants impacted by the reUSD burn.
Notably, despite the substantial security breach, Resupply’s Total Value Locked (TVL) has demonstrated remarkable resilience. Data from prominent analytics platform DeFiLlama indicates a notable increase in TVL, rising from $77.03 million to $83.04 million since June 27, 2025—the day immediately following the incident. This swift and positive trajectory in TVL serves as a strong indicator of market confidence in Resupply’s proactive remediation strategies and its inherent capacity to effectively navigate significant security challenges within the dynamic decentralized finance landscape.

Senior Crypto Correspondent with over 8 years of experience covering Bitcoin, altcoins, and blockchain technology for leading financial publications. Alexander holds a master’s degree in Financial Economics and specializes in in-depth market analysis, regulatory updates, and interviews with top industry figures.