Key Takeaways
- A malicious actor leveraged a vulnerability in Resolv’s USR minting mechanism to generate approximately 80 million tokens without proper collateral, starting with only $200,000 USDC
- The exploiter successfully extracted 11,409 ETH, valued at approximately $25 million
- USR’s value plummeted to $0.025 on Curve Finance before stabilizing around $0.85, still well below its intended $1 peg
- Resolv immediately halted all protocol operations; while the team claims core collateral remains secure, USR token holders suffered significant losses from supply inflation
- Major DeFi platforms like Morpho, Lido, and Aave responded swiftly to assess and mitigate their potential exposure
A significant security breach hit Resolv’s USR stablecoin protocol on Sunday, allowing an exploiter to mint approximately 80 million unbacked tokens and extract roughly $25 million worth of Ether in a sophisticated attack.
The exploitation commenced around 2:21 a.m. UTC when the attacker initiated a transaction depositing 100,000 USDC into Resolv’s USR Counter contract. In return, they received 50 million USR tokens—approximately 500 times the expected amount. A follow-up transaction generated an additional 30 million tokens.
The malicious actor proceeded to liquidate the newly minted USR across various decentralized exchanges, exchanging them for USDC and USDT before consolidating the proceeds into ETH. Current blockchain data shows the attacker’s address containing 11,409 ETH, valued at approximately $23.7 million at current prices.
USR, intended to maintain a stable $1 valuation, collapsed to just $0.025 on Curve Finance merely 17 minutes after the initial exploit transaction. While the token experienced a partial rebound to roughly $0.85, it remained significantly depegged as of Sunday morning.
In a statement posted to X, Resolv Labs confirmed it had suspended all protocol operations. The development team emphasized that the collateral pool “remains fully intact” with “no underlying assets” compromised. They characterized the vulnerability as “isolated to USR issuance mechanics.”
Despite these assurances, blockchain analysts highlighted that existing USR holders sustained substantial damage. The sudden introduction of 80 million new tokens significantly diluted the circulating supply, while the attacker’s mass selling drained available liquidity from pools. Anyone holding USR during the attack window saw an immediate drop in the value of their position.
Security Analysis Points to Access Control Weaknesses
Blockchain analyst Andrew Hong identified the vulnerability’s origin as inadequate security around a privileged account designated as the SERVICE_ROLE. This critical account was controlled by a single externally owned account rather than a multisignature wallet. The minting contract implementation lacked essential safeguards including oracle verification, amount validation protocols, and maximum mint thresholds.
Pashov, a security firm that conducted an audit of Resolv’s staking module in July 2025, informed Cointelegraph that preliminary findings suggest the breach stemmed from a compromised private key rather than an inherent protocol architecture flaw.
Cyvers CEO Deddy Lavid emphasized: “Audits alone are not enough. If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
Resolv’s official website documents 14 separate audit engagements conducted by five different security firms, a $500,000 bug bounty program hosted on Immunefi, and ongoing smart contract monitoring infrastructure.
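The amount validation, mint ceiling and real-time supply monitoring discussed in this section can be sketched as an off-chain check over decoded mint events. This is an added example, not Resolv's code or any monitoring vendor's: the event layout, the 18-decimal assumption for USR, the thresholds and the sample timestamps are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

USDC_DECIMALS = 6   # USDC base units
USR_DECIMALS = 18   # assumption: USR uses 18 decimals

@dataclass
class MintEvent:      # hypothetical decoded mint record, not Resolv's ABI
    ts: int           # block timestamp in seconds
    tx: str           # transaction label
    deposit_raw: int  # collateral deposited, in USDC base units
    minted_raw: int   # USR issued, in USR base units

def check_mints(events, oracle_price=Decimal("1"), tolerance=Decimal("0.01"),
                max_per_tx=Decimal(5_000_000), window_s=3600,
                max_per_window=Decimal(10_000_000)):
    """Return (tx, rule, value) alerts; all thresholds are illustrative."""
    alerts, recent = [], []  # recent holds (ts, minted) inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        deposit = Decimal(ev.deposit_raw) / 10**USDC_DECIMALS
        minted = Decimal(ev.minted_raw) / 10**USR_DECIMALS
        # Amount validation against an oracle price for the collateral
        expected = deposit * oracle_price
        if expected == 0:
            alerts.append((ev.tx, "ratio", None))  # mint with no collateral
        elif abs(minted - expected) / expected > tolerance:
            alerts.append((ev.tx, "ratio", minted / expected))
        # Maximum mint threshold per transaction
        if minted > max_per_tx:
            alerts.append((ev.tx, "per_tx_cap", minted))
        # Supply growth cap over a rolling window
        recent = [(t, m) for t, m in recent if ev.ts - t < window_s]
        recent.append((ev.ts, minted))
        total = sum(m for _, m in recent)
        if total > max_per_window:
            alerts.append((ev.tx, "window_cap", total))
    return alerts

# Constructed sample: timestamps, labels and the second deposit are invented;
# 100,000 USDC -> 50 million USR and the 30 million follow-up are from the article.
SAMPLE_EVENTS = [
    MintEvent(0, "normal", 1_000 * 10**6, 1_000 * 10**18),
    MintEvent(1000, "mint-1", 100_000 * 10**6, 50_000_000 * 10**18),
    MintEvent(1600, "mint-2", 100_000 * 10**6, 30_000_000 * 10**18),
]

if __name__ == "__main__":
    for alert in check_mints(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the first oversized mint trips all three rules at once, which is the point at which an automated pause or pager alert would fire, before the follow-up mint.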
Rapid Response from DeFi Ecosystem
Numerous decentralized finance platforms took immediate action following the exploit revelation. Lido confirmed that user funds deposited in Lido Earn remained secure. Aave founder Stani Kulechov clarified that the platform maintained no direct USR exposure and noted Resolv was actively repaying outstanding debt. Morpho co-founder Merlin Egalite disclosed that USR exposure was limited to specific vault configurations.
Contagion Concerns Across Lending Platforms
Both USR and its staked derivative wstUSR had been integrated as accepted collateral across several platforms including Morpho and Gauntlet. Market observers noted concerning arbitrage opportunities where traders potentially acquired discounted USR and posted it as collateral at the $1 valuation to borrow USDC, effectively draining vault liquidity.
Resolv’s junior insurance tranche product, RLP, faces potential additional losses from the incident. Stream Finance, holding a substantial 13.6 million RLP position valued around $17 million, could expose its user base to cascading losses. Stream had previously disclosed a $93 million loss event in November 2025.
The RESOLV governance token experienced approximately 8.5% depreciation in the 24-hour period following the security breach.
This incident aligns with broader industry trends. A recent Immunefi report revealed the average cryptocurrency exploit now results in approximately $25 million in losses, with the five largest breaches in 2024–2025 representing 62% of total stolen funds across the sector.


