The recent @ResupplyFi hack shows how a simple integer division can lead to catastrophic vault manipulation. A $9.56M exploit executed within hours of deployment. Let's break down this critical ERC4626 vulnerability ↓
2/ Attack vector: ERC4626 "first donation" manipulation:
• Empty vault at deployment
• Attacker deposits 1 wei
• Makes large asset donation
• Share price inflates astronomically
• Protocol's exchange rate calculation breaks
3/ The vulnerability in one line:
_exchangeRate = 1e36 / IOracle(_exchangeRateInfo.oracle).getPrices(address(collateral));
Integer division without rounding protection → exchange rate rounds to zero when oracle price is too large.
4/ The exploit chain:
1. Deposit 1 wei into empty vault
2. Donate to inflate share price
3. Oracle reports inflated price
4. Exchange rate = 0 due to division
5. LTV check: 0 <= maxLTV (always true!)
6. Unlimited borrowing unlocked
5/ Prevention is simple:
_exchangeRate = 1e36 / price;
require(_exchangeRate > 0, "Invalid rate");
Also:
• Enforce minimum deposits
• Add share ratio checks
• Monitor vault liquidity
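The rounding failure and the guard from 3/ and 5/, modeled with Python integers (which floor-divide like Solidity's uint256). This is an added illustration, not ResupplyFi's code: the LTV formula, the precision constants, MAX_LTV and all function names are assumptions, and the prices used are constructed.

```python
# Added illustration: Python ints model Solidity uint256 floor division.
# Only the 1e36 numerator and the "rate > 0" guard come from the thread;
# the LTV formula and the constants below are assumptions.

RATE_NUMERATOR = 10**36      # from the thread: 1e36 / price
EXCHANGE_PRECISION = 10**18  # assumed scale of the exchange rate
LTV_PRECISION = 10**5        # assumed: LTV with 5 decimals
MAX_LTV = 95_000             # assumed: 95%


def exchange_rate_unchecked(oracle_price: int) -> int:
    """Floor division as in the one-line snippet; returns 0 when price > 1e36."""
    return RATE_NUMERATOR // oracle_price


def exchange_rate_checked(oracle_price: int) -> int:
    """Same division with the guard: a zero rate is rejected, not used."""
    if oracle_price == 0:
        raise ValueError("Invalid price")
    rate = RATE_NUMERATOR // oracle_price
    if rate == 0:
        raise ValueError("Invalid rate")
    return rate


def ltv(borrow_amount: int, collateral_amount: int, rate: int) -> int:
    """Assumed formula: debt converted to collateral units, over collateral."""
    debt_in_collateral = borrow_amount * rate // EXCHANGE_PRECISION
    return debt_in_collateral * LTV_PRECISION // collateral_amount


def is_solvent(borrow_amount: int, collateral_amount: int, rate: int) -> bool:
    """The check from step 5 of the chain: LTV <= maxLTV."""
    return ltv(borrow_amount, collateral_amount, rate) <= MAX_LTV


if __name__ == "__main__":
    normal_price = 10**18        # constructed: 1.0 at 18 decimals
    inflated_price = 2 * 10**36  # constructed: anything above 1e36
    ok_rate = exchange_rate_unchecked(normal_price)
    print("normal rate:", ok_rate)
    print("96% LTV rejected:", not is_solvent(96 * 10**18, 100 * 10**18, ok_rate))
    zero_rate = exchange_rate_unchecked(inflated_price)
    print("inflated rate:", zero_rate)
    print("any debt passes:", is_solvent(10**30, 1, zero_rate))
    try:
        exchange_rate_checked(inflated_price)
    except ValueError as err:
        print("guarded path reverts:", err)
```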
6/ Key lesson: ERC4626 vaults need extra protection at deployment. The "first depositor" problem isn't new, but ResupplyFi shows how it can cascade into a critical vulnerability. Read the full technical analysis on our blog: