On Sunday, a critical vulnerability in Resolv’s USR stablecoin system led to one of the largest decentralized finance breaches in recent months, resulting in the illicit minting of around 80 million unbacked USR tokens and losses of approximately $25 million in Ether for users and the protocol.
Large-Scale Exploit and Token Devaluation
The attack started with an initial deposit of 100,000 USDC into Resolv’s minting contract, followed by issuance of roughly 50 million USR—far in excess of proper limits—before a subsequent transaction brought the total to 80 million extra tokens. The perpetrator then swapped the counterfeit tokens for major stablecoins like USDC and USDT across prominent decentralized exchanges, accumulating 11,409 ETH worth nearly $24 million in today’s prices.
USR, intended to maintain a $1 peg, crashed dramatically just 17 minutes after the exploit, plummeting to $0.025 on Curve Finance. Although the token rose back to about $0.85, it remained far below its intended value. The minting attack inflated USR’s supply and undermined user confidence, putting severe pressure on liquidity and token prices.
Resolv Team Freezes Operations
Resolv Labs, the company behind the protocol, is known for its USR stablecoin and RLP junior insurance tranche, both designed to enhance DeFi stability. The team suspended all operations following the incident, putting protocol activities on hold in an attempt to prevent further exploitation and to conduct a damage assessment.
Resolv’s development team stated that the collateral pool “remains fully intact,” emphasizing that “no underlying assets have been lost.” They described the breach as “isolated to USR issuance mechanics.”
Despite claims of underlying collateral being safe, current USR holders bore major losses. The sudden increase in token circulation diluted holdings, while heavy liquidation further drained the pools, resulting in immediate portfolio impacts for those exposed during the event.
Root Cause: Security Oversights and Audit Gaps
Blockchain analyst Andrew Hong traced the exploit to a privilege escalation enabled by a sensitive SERVICE_ROLE account. This account, managed via a single externally controlled wallet instead of a multisignature scheme, permitted unlimited token minting. The contract lacked vital protections such as price feed checks, transaction amount verification, and upper limits on token creation.
Security audits had previously covered other protocol segments—Resolv reported 14 separate audits by leading firms, a $500,000 Immunefi bounty, and ongoing contract monitoring. However, Pashov, a security firm with prior audit involvement, highlighted that the exploit source may have been a compromised private key, rather than flaws in the system’s core code architecture.
Cyvers CEO Deddy Lavid remarked that “audits alone are not enough,” underscoring the importance of real-time minting and supply monitoring.
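An added example, not code from Resolv or from the original article: a minimal off-chain monitor that applies the three checks the contract reportedly lacked (mint ratio against a price feed, per-transaction amount, and an issuance ceiling) to constructed mint events. The class names, thresholds, addresses and timestamps are assumptions; only the 100,000 USDC deposit and the 50 million and 30 million USR mint sizes come from the figures above.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # block timestamp, unix seconds
    minter: str              # address that called the mint function
    collateral_usd: Decimal  # deposit valued by an independent price feed
    minted: Decimal          # USR issued in this transaction

class MintMonitor:
    """Flags mints that break ratio, per-transaction or rolling-window limits."""
    def __init__(self, max_ratio=Decimal("1.01"), tx_cap=Decimal("5000000"),
                 window_s=3600, window_cap=Decimal("10000000")):
        # All four thresholds are assumed values for illustration.
        self.max_ratio, self.tx_cap = max_ratio, tx_cap
        self.window_s, self.window_cap = window_s, window_cap
        self.recent = []  # (ts, minted) pairs still inside the window

    def check(self, ev):
        alerts = []
        # Price-feed check: USR targets $1, so minted / collateral should be ~1.
        if ev.collateral_usd <= 0 or ev.minted / ev.collateral_usd > self.max_ratio:
            alerts.append("RATIO")
        # Amount check: no single mint above the per-transaction cap.
        if ev.minted > self.tx_cap:
            alerts.append("TX_CAP")
        # Supply check: total issuance inside the rolling window.
        self.recent = [(t, m) for t, m in self.recent if ev.ts - t < self.window_s]
        self.recent.append((ev.ts, ev.minted))
        if sum(m for _, m in self.recent) > self.window_cap:
            alerts.append("WINDOW_CAP")
        return alerts

def scan(events):
    monitor = MintMonitor()
    return [(ev.minter, monitor.check(ev)) for ev in events]

# Constructed sample events. The second row uses the deposit and mint sizes
# reported in the article; addresses, timestamps and the third row's deposit
# are placeholders.
SAMPLE = [
    MintEvent(0, "0xUSER", Decimal("10000"), Decimal("10000")),
    MintEvent(600, "0xSERVICE_ROLE", Decimal("100000"), Decimal("50000000")),
    MintEvent(1200, "0xSERVICE_ROLE", Decimal("100000"), Decimal("30000000")),
]

if __name__ == "__main__":
    for minter, alerts in scan(SAMPLE):
        print(minter, alerts or "ok")
```

Because each check is independent, a mint signed with a valid but compromised key still raises alerts: the monitor evaluates the amounts, not the caller's authorization.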
The incident also illustrates a broader DeFi concern: Immunefi indicates that the typical crypto protocol breach now sees damages around the same scale, and that most major losses are concentrated among a small number of large attacks.
Multiple DeFi protocols responded quickly. Lido confirmed that funds in its Earn product were secure, Aave’s founder Stani Kulechov noted that their platform had no direct USR risk and confirmed that Resolv had begun repaying any outstanding obligations, and Morpho’s co-founder Merlin Egalite stated that only select vaults were impacted by USR exposure.
The exploit also carried downstream effects for other collateralized lending ecosystems. USR and wstUSR had been authorized as collateral on several platforms, leading to further liquidity strains as opportunistic traders leveraged discounted tokens to withdraw stablecoins. The Resolv insurance token RLP suffered potential impairment, with large positions held by Stream Finance possibly resulting in extended losses for investors.
In the aftermath, Resolv’s governance token slid by 8.5% over the 24-hour period, reflecting market uncertainty and shaken trust in the project’s operational security.




