Resupply Exploit Turns 1 Wei Into $10 M: How the Hack Hit DeFi’s Yield Hunters
The FHFA just okayed crypto as mortgage reserves while Resupply lost $9.6M to a vault exploit. Who’s winning the cycle?
GM Squids!
Resupply protocol just lost $9.6M overnight and it’s a bummer.
Today, we give you details on how the hack happened. We’ll also give you details on Fannie Mae’s move to count BTC in mortgage reserves, zkLend’s shutdown, and Sky’s $1B CLO rollout.
Let’s get into it.
Resupply Exploit: How to Turn One Wei Into $10M
The Resupply exploit hits home for us. Convex + Yearn are one of the best teams in DeFi and this hack just goes to show how hard it is to build in crypto. You don’t get to throw your hands in the air and start over.
While the hack sucks for everyone involved, it’s not a death sentence for the protocol. The bugs will be fixed, but it will take time for the market to trust the contracts again.
For newbies out there, this is what makes investing in crypto so difficult.
You want to jump into these brand new pools, with high yields. But as a rule of thumb, a project with new and novel contracts faces the greatest amount of risk within the first year. If a project survives that period, the contracts are most likely safe (but not always).
Earlier this year I was chatting with a friend of mine and brought up investing into resupply, he suggested waiting a few months to see how the contracts fared. Ultimately he was correct.
Sometimes doing nothing in crypto is the better option.
Resupply is a stablecoin lending protocol that lets users deposit crvUSD into Curve vaults, earn yield, and borrow reUSD against staked assets like cvcrvUSD. That last one $cvcrvUSD is a Convex wrapper for $crvUSD with a floating exchange rate. It doesn't rebalance your wallet; it just makes each token worth more over time.
Unfortunately there was an issue with the pricing. Resupply blindly trusted the internal reported prices on these vaults.
Knowing this, here’s what the attacker did:
Funded an address through Tornado Cash.
Donated a chunk of crvUSD into the cvcrvUSD vault without minting new shares.
This jacked up the vault’s internal asset count and inflated the per-share price. Resupply’s contracts slurped up that inflated price without question. So when the attacker deposited one wei of cvcrvUSD, the system thought it was worth millions.
The contract said “looks good” and handed over 10 million reUSD!
The attacker converted the funds into ETH and scattered them across wallets. Fortunately, only the wstUSR market got hit directly. But unfortunately, confidence has collapsed. So far, TVL has dropped from $135M to $78M in 48 hours.
The team has paused the contract and issued a statement promising a post-mortem.
zkLend succumbs to the death spiral
zkLend, Starknet’s first big money market, just unplugged life support. Treasury’s down to $200K. Token’s been delisted. Users are gone. There’s no coming back.
The death spiral started in late 2024, when zkLend got clipped by a decimal precision bug. It was a rounding error in its accumulator logic that let an attacker multiply their balance with every withdrawal. By gaming integer division and looping deposits in an empty wstETH market, they inflated their internal scorecard and drained the protocol dry. Withdrawals were halted. Damage control kicked in and lasted for a while.
But the hit was too deep. Even after patching the contracts, users didn’t return. TVL flatlined. Liquidity dried up. Then came the kill shot: Bybit and KuCoin delisted ZEND, cutting off the last liquidity lifeline for the token.
TVL on Starknet also has collapsed, dropping 60% since late 2024.
With no runway and no credibility, the team chose the only move left: shut it down. What’s left of the treasury is going to a recovery fund. The codebase will be open-sourced. Claim portals are still up for unstaking. The team is working with zeroShadow to track the stolen funds.
This is the first full-blown Starknet-native protocol to go under. We kind of believe it won’t be the last.
Which just goes to show how hard it is to bootstrap a new L1/L2. Money is hot at first, but all it takes is a few bad events and momentum is wiped out.
Sky’s $1B CLO Deployment via Grove – DeFi’s Most Institutional Play Yet
While half the market is farming dog coins and yaps, Sky just dropped a billion dollars into institutional-grade credit markets.
Sky’s collateral backing now will flow into the Janus Henderson Anemoy AAA CLO Strategy; a tokenized collateralized loan obligation fund built with Centrifuge, and funnelled through a new protocol called Grove.
Grove’s the real story here.
Built by Steakhouse Financial, it’s basically a non-custodial TradFi bridge. It lets protocols allocate into real-world debt like CLOs, bundles of corporate loans, without touching banks or KYC desks.
The vaults stay tokenized. The access stays liquid. And the backend yield is pure Wall Street.
Also, if you had any of the following on April 15 (2023, 2024, or 2025) at exactly 23:59:59 UTC:
$1,000+ in USDS, sUSDS, sUSDC, sDAI, xDAI, or SAI
or $10,000+ in DAI
You’re probably eligible for the sparkdotfi Ignition Airdrop.
Claim the bag here.
FHFA: Crypto Can Now Back Your Mortgage!
In what we’ve all been dreaming about for a decade now, the U.S. Federal Housing Finance Agency just told Fannie Mae and Freddie Mac to include crypto in mortgage reserve models.
It’s official. Directive No. 2025-360. Signed June 25.
Here’s what it means:
Crypto held on U.S.-regulated centralized exchanges counts towards one’s assets when applying for a loan.
No conversion to USD is required.
Mortgage lenders must create risk models to handle volatility and get them board-approved.
This is the first time federal mortgage underwriting has made room for non-USD crypto assets, and it opens the door for a wave of crypto-infra plays:
Custodians like Coinbase Custody and Anchorage are now de facto mortgage reserve banks.
Protocols working on onchain credit, compliance-stablecoins, or crypto identity frameworks suddenly matter in real estate.
If you’ve been in crypto long enough and made a little bit of money, you probably wanted at some point to buy a house. But under previous rules it was impossible. Imagine have a few mil of Bitcoin sitting in Coinbase, but you can’t even qualify for a mortgage loan cause that’s all the assets you have. Isn’t it ironic.
Good for the Trump admin to be the sane adults in the room when it comes to crypto.