TLDR
- An attacker exploited Resolv’s USR minting contract, creating ~80 million unbacked tokens from just $200,000 in USDC
- The attacker converted the tokens into 11,409 ETH worth roughly $25 million
- USR crashed to $0.025 on Curve Finance before partially recovering to around $0.85
- Resolv paused all protocol functions; its collateral pool is said to be intact, but USR holders faced immediate losses from supply dilution
- DeFi protocols including Morpho, Lido, and Aave moved to clarify or limit their exposure
On Sunday, an attacker exploited a flaw in the minting contract of Resolv’s USR stablecoin, creating around 80 million unbacked tokens and walking away with roughly $25 million in Ether.
The attack started at approximately 2:21 a.m. UTC. The attacker deposited 100,000 USDC into Resolv’s USR Counter contract and received 50 million USR back — about 500 times more than expected. A second transaction minted another 30 million tokens.
The attacker then swapped the minted USR for USDC and USDT across decentralized exchanges, then converted everything into ETH. The attacker’s wallet holds 11,409 ETH, worth about $23.7 million at the time of publication.
USR, which is designed to hold a $1 peg, dropped to $0.025 on Curve Finance within 17 minutes of the first mint. It later recovered to around $0.85 but had not fully restored its peg by Sunday morning.
We are currently investigating a security incident involving unauthorized minting of USR.
At this stage:
The collateral pool remains fully intact. No underlying assets have been lost.
The issue appears isolated to USR issuance mechanics.
Our immediate priority is to:
1)…
— Resolv Labs (@ResolvLabs) March 22, 2026
Resolv Labs said on X that it had paused all protocol functions. The team stated that the collateral pool “remains fully intact” and that there were “no underlying assets” lost. The issue was described as “isolated to USR issuance mechanics.”
However, analysts noted that existing USR holders were still hurt. The 80 million new tokens diluted the supply, and the attacker’s selling wiped out pool liquidity. Anyone holding USR during the attack faced immediate losses.
Weak Access Controls Identified as Root Cause
Onchain analyst Andrew Hong attributed the breach to a privileged account called the SERVICE_ROLE. That account was controlled by a single externally owned account, not a multisig. The minting contract had no oracle checks, no amount validation, and no maximum mint limits.
Security firm Pashov, which audited Resolv’s staking module in July 2025, told Cointelegraph that the root cause appeared to be a private key compromise rather than a flaw in protocol design.
Cyvers CEO Deddy Lavid said: “Audits alone are not enough. If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
Resolv’s website lists 14 audit engagements from five firms, a $500,000 bug bounty on Immunefi, and continuous smart contract monitoring.
DeFi Protocols Move to Limit Exposure
Multiple DeFi platforms moved quickly after the exploit. Lido said user funds in Lido Earn were safe. Aave founder Stani Kulechov said the platform had no direct USR exposure and that Resolv was repaying its debt. Morpho co-founder Merlin Egalite said only certain vaults had exposure.
Cascading Risks in Lending Markets
USR and its staked version wstUSR were accepted as collateral on platforms including Morpho and Gauntlet. Analysts noted that traders may have bought USR at its discounted price and borrowed USDC against it at the $1 valuation, draining liquidity from those vaults.
Resolv’s junior insurance tranche, RLP, also faces potential losses. Stream Finance, which holds a 13.6 million RLP position worth roughly $17 million, could expose its depositors to further losses. Stream previously disclosed a $93 million loss in November 2025.
The RESOLV governance token fell about 8.5% in the 24 hours following the exploit.
The Resolv incident is part of a wider trend. An Immunefi report last week found the average crypto hack now costs about $25 million, with the top five exploits in 2024–2025 accounting for 62% of all stolen funds.
