Reentrancy vulnerability in vault withdrawal function drained $13M
Resolv Protocol suffered a $13 million exploit due to a reentrancy vulnerability in its delta-neutral vault contracts. The attacker deposited funds into the vault, then initiated a withdrawal that triggered a callback to a malicious contract. Before the vault could update the attacker's balance, the malicious contract re-entered the withdrawal function repeatedly, extracting far more than their original deposit. The attack was executed across multiple transactions to avoid gas limits, draining approximately $13 million in ETH and USDC.
Stolen ETH and USDC were swapped for ETH and then bridged to Bitcoin via THORChain. The attacker used cross-chain swaps to fragment the trail, converting portions to XMR through decentralized exchanges. A significant amount was deposited into Tornado Cash within hours of the exploit. The speed and sophistication of the laundering suggested an experienced attacker with established infrastructure.