In a fresh development tied to one of June’s notable DeFi breaches, the hacker behind the ResupplyFi exploit has moved to obscure nearly $10 million in stolen funds. Blockchain security firm PeckShield reported on August 12 that the attacker transferred 2,280 ETH, valued at approximately $9.8 million, through Tornado Cash, a controversial privacy tool often linked to illicit activities.
The laundering began earlier that day when an address labeled “ResupplyFi Exploiter 3” shifted 1,000 ETH—worth about $4.3 million at the time—to an intermediate wallet before initiating deposits into Tornado Cash. Within minutes, the full amount followed suit, with on-chain data showing repeated transfers in batches of 100 ETH and smaller increments to Tornado Cash’s router contracts.
This move comes amid heightened scrutiny of Tornado Cash, which has been sanctioned by the U.S. Treasury since 2022 for facilitating money laundering, though it remains operational on the Ethereum network.
ResupplyFi, a decentralized stablecoin protocol built to integrate with Curve Finance’s ecosystem, allows users to supply assets like crvUSD and borrow the reUSD stablecoin against them. The protocol aims to provide efficient lending and borrowing options, but its launch was marred by security issues. On June 26, 2025, just hours after deploying a new vault for crvUSD collateral, an attacker exploited a critical flaw in the system’s ERC-4626 standard implementation.
The vulnerability stemmed from how ResupplyFi calculated exchange rates for its vaults. An attacker could donate a large amount to a low-liquidity vault, inflating the price per share until the integer division in the Solidity code produced a wrong result. This manipulation set the exchange rate to zero, bypassing solvency checks and enabling the hacker to borrow millions in reUSD with minimal collateral—essentially one wei (the smallest Ethereum unit).
The exploit drained about $9.6 million to $9.8 million from the protocol, primarily in crvUSD, which the attacker quickly swapped for ETH and dispersed across wallets.
In the immediate aftermath, ResupplyFi paused affected markets and investigated the breach. Curve Finance, while not directly responsible, expressed support for the project, noting its benefits to crvUSD adoption. Some users criticized the team’s handling, including attempts to cover losses via an insurance pool meant for market risks, not technical failures. Curve founder Michael Egorov proposed forming a dedicated audit team for ecosystem projects to prevent similar incidents. Despite audits from reputable firms, the bug slipped through, underscoring persistent challenges in DeFi smart contract security.
The hacker’s funds lay dormant for weeks until this week’s activity. Etherscan records for the intermediate address (0x5f0bac6d1937667b401d17135eea1941af0ce943) reveal an inbound transfer of 1,279 ETH followed by rapid outflows to Tornado Cash in denominations designed to maximize anonymity—common tactics include 10 ETH and 100 ETH batches to avoid detection patterns. Tornado Cash mixes transactions by pooling deposits and withdrawing to new addresses, breaking traceable links on the blockchain.
This incident fits into a broader 2025 trend where DeFi hacks have exceeded $2 billion in losses, with June alone seeing $111.6 million stolen across multiple protocols. Experts warn that low-liquidity deployments remain a prime target for donation attacks, recommending minimum liquidity thresholds and stricter oracle validations as safeguards.
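The rounding failure described earlier and the safeguards recommended above can be seen in a small integer-arithmetic model. This is an added example, not ResupplyFi's code: the rate formula, the constants (`PRECISION`, `MAX_LTV`, `MIN_SUPPLY`) and all function names are assumptions, and the vault balances are constructed.

```python
# Simplified model; constants and names are assumptions, values are constructed.
WAD = 10**18            # 18-decimal fixed-point unit
PRECISION = 10**36      # assumed numerator of the rate calculation
MAX_LTV = 95 * 10**16   # assumed 95% borrow limit
MIN_SUPPLY = 10**18     # assumed minimum share supply before a vault is usable


class UnsafeRate(Exception):
    """Raised when a vault's rate must not be used for solvency checks."""


def price_per_share(total_assets: int, total_supply: int) -> int:
    # ERC-4626-style share price; // truncates like Solidity's uint division.
    return total_assets * WAD // total_supply


def exchange_rate(pps: int) -> int:
    # Truncates to 0 as soon as the share price exceeds PRECISION.
    return PRECISION // pps


def is_solvent(borrowed: int, collateral: int, rate: int) -> bool:
    # Naive check: a rate of 0 yields an LTV of 0, so any borrow passes.
    ltv = borrowed * rate // collateral
    return ltv <= MAX_LTV


def checked_exchange_rate(total_assets: int, total_supply: int) -> int:
    # Hardened path: minimum-liquidity threshold plus rate validation.
    if total_supply < MIN_SUPPLY:
        raise UnsafeRate("vault below minimum liquidity threshold")
    rate = exchange_rate(price_per_share(total_assets, total_supply))
    if rate == 0:
        raise UnsafeRate("exchange rate truncated to zero")
    return rate


if __name__ == "__main__":
    healthy = exchange_rate(price_per_share(1000 * WAD, 1000 * WAD))
    inflated = exchange_rate(price_per_share(2000 * WAD, 1))  # thin vault after a donation
    print(healthy, is_solvent(96 * WAD, 100 * WAD, healthy))   # over the limit
    print(inflated, is_solvent(10**7 * WAD, 1, inflated))      # passes with 1 wei
```

In the healthy vault a 96% borrow is rejected, while the zero rate lets an arbitrarily large borrow pass against one wei of collateral; `checked_exchange_rate` refuses both the thin vault and any rate that truncates to zero.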
While recovery efforts for ResupplyFi users continue, the laundering complicates tracing. Blockchain analysts like PeckShield and CertiK have flagged the addresses, but Tornado Cash’s design makes full recovery unlikely. The event renews calls for enhanced DeFi protocols, including better deployment practices and real-time monitoring to thwart exploits before they escalate.
As of August 12, ETH traded around $4,300, underscoring the significant value at stake. ResupplyFi has not issued an official statement on the latest developments, but the protocol’s team previously committed to prioritizing user protections in future updates.