Key Highlights
- A malicious actor leveraged a vulnerability in Resolv’s USR minting mechanism, generating approximately 80 million tokens without proper collateral using just $200,000 USDC
- The exploiter successfully extracted 11,409 ETH valued at approximately $25 million through the attack
- The USR stablecoin plummeted to $0.025 on Curve Finance before staging a partial rebound to roughly $0.85
- Resolv halted all protocol operations; while the collateral pool reportedly remained secure, USR token holders experienced significant losses due to supply inflation
- Major DeFi platforms including Morpho, Lido, and Aave took swift action to assess and mitigate their exposure
A critical security vulnerability in Resolv’s USR stablecoin minting infrastructure was exploited Sunday, enabling an attacker to generate approximately 80 million unbacked tokens and escape with roughly $25 million worth of Ethereum.
The breach commenced around 2:21 a.m. UTC. The perpetrator initiated the attack by depositing 100,000 USDC into Resolv’s USR Counter contract, receiving an abnormal return of 50 million USR tokens—approximately 500 times the expected amount. A follow-up transaction produced an additional 30 million tokens.
Following the unauthorized minting, the attacker proceeded to exchange the newly created USR for USDC and USDT through various decentralized trading platforms, ultimately consolidating all proceeds into ETH. The attacker’s address currently contains 11,409 ETH, valued at approximately $23.7 million at current market rates.
The USR token, engineered to maintain a $1 peg, experienced a catastrophic decline to $0.025 on Curve Finance just 17 minutes after the initial unauthorized mint. While the token subsequently climbed back to approximately $0.85, it failed to fully restore its dollar peg by Sunday morning.
Resolv Labs announced via X that all protocol operations had been suspended. The development team confirmed that the collateral pool “remains fully intact” with “no underlying assets” compromised. They characterized the incident as “isolated to USR issuance mechanics.”
Despite these reassurances, blockchain analysts emphasized that existing USR holders suffered substantial damage. The influx of 80 million newly minted tokens severely diluted the circulating supply, while the attacker’s aggressive selling activity depleted available liquidity pools. All USR holders at the time of the breach experienced immediate financial losses.
Inadequate Access Controls Pinpointed as Primary Vulnerability
Blockchain security analyst Andrew Hong identified the exploitation vector as a privileged account designated SERVICE_ROLE. This critical account was controlled by a single externally owned account rather than a multisignature wallet. The minting contract lacked oracle verification, amount validation mechanisms, and maximum minting thresholds.
Security firm Pashov, which conducted an audit of Resolv’s staking infrastructure in July 2025, informed Cointelegraph that the fundamental issue appeared to stem from a compromised private key rather than an architectural flaw in the protocol itself.
Cyvers CEO Deddy Lavid emphasized: “Audits alone are not enough. If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
Resolv’s official website documents 14 separate audit engagements conducted by five distinct security firms, a $500,000 bug bounty program hosted on Immunefi, and ongoing smart contract surveillance.
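The checks the minting contract reportedly lacked (amount validation against an independent price, a per-transaction cap, a rolling supply cap) can also run off-chain as the real-time mint monitoring Lavid describes. The sketch below is an added example, not code from Resolv, Cyvers or the article. The thresholds, event fields and sample events are assumptions; only the 100,000 USDC for 50 million USR mint and the 30 million USR second mint come from the figures above.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    tx: str           # constructed label, not a real transaction hash
    minute: int       # minutes since monitoring started
    usdc_in: Decimal  # collateral deposited
    usr_out: Decimal  # USR minted in return

# Hypothetical policy values, for illustration only (not Resolv's parameters).
MAX_RATIO_DEVIATION = Decimal("0.01")   # minted/expected may differ from 1 by 1%
MAX_MINT_PER_TX = Decimal("5000000")
MAX_MINT_PER_WINDOW = Decimal("10000000")
WINDOW_MINUTES = 60

def mint_ratio(ev, usdc_price=Decimal("1")):
    """USR minted per dollar of collateral, priced by an independent feed."""
    expected = ev.usdc_in * usdc_price
    return ev.usr_out / expected if expected > 0 else None

def check_mints(events, usdc_price=Decimal("1")):
    """Return {tx: [reason codes]} for every mint that breaks a policy rule."""
    alerts, seen = {}, []
    for ev in sorted(events, key=lambda e: e.minute):
        reasons = []
        ratio = mint_ratio(ev, usdc_price)
        if ratio is None:
            reasons.append("no_collateral")
        elif abs(ratio - 1) > MAX_RATIO_DEVIATION:
            reasons.append("ratio")
        if ev.usr_out > MAX_MINT_PER_TX:
            reasons.append("tx_cap")
        seen.append(ev)
        # Rolling supply check: everything minted in the last WINDOW_MINUTES.
        window = sum(e.usr_out for e in seen if e.minute > ev.minute - WINDOW_MINUTES)
        if window > MAX_MINT_PER_WINDOW:
            reasons.append("window_cap")
        if reasons:
            alerts[ev.tx] = reasons
    return alerts

# Constructed sample events. tx-b uses the article's figures; the tx-c deposit is assumed.
SAMPLE = [
    MintEvent("tx-a", 0, Decimal("25000"), Decimal("25000")),
    MintEvent("tx-b", 5, Decimal("100000"), Decimal("50000000")),
    MintEvent("tx-c", 12, Decimal("100000"), Decimal("30000000")),
    MintEvent("tx-d", 200, Decimal("1000000"), Decimal("1000000")),
]
```

Any one of the three rules flags the first abnormal mint on its own, which is why enforcing them in the mint path, or alerting on them within the same block, matters more than the exact threshold values.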
DeFi Platforms Act Swiftly to Minimize Exposure
Numerous DeFi protocols responded rapidly following the security breach. Lido confirmed that user assets in Lido Earn remained secure. Aave founder Stani Kulechov stated that the platform maintained no direct USR exposure and that Resolv was in the process of repaying outstanding debt. Morpho co-founder Merlin Egalite clarified that only specific vaults contained exposure to the compromised asset.
Downstream Risks Across Lending Ecosystems
Both USR and its staked derivative wstUSR were recognized as acceptable collateral on platforms including Morpho and Gauntlet. Market analysts observed that some traders may have acquired USR at its severely discounted price while borrowing USDC against it at the $1 valuation, effectively draining available liquidity from affected vaults.
Resolv’s junior insurance tranche, RLP, also faces potential financial impact. Stream Finance, maintaining a 13.6 million RLP position valued at roughly $17 million, could expose its depositors to additional losses. Stream previously reported a $93 million loss in November 2025.
The RESOLV governance token declined approximately 8.5% in the 24-hour period following the security incident.
The Resolv breach reflects a broader pattern in the cryptocurrency sector. According to a recent Immunefi report, the average cryptocurrency hack now results in approximately $25 million in losses, with the five largest exploits during 2024–2025 representing 62% of all stolen cryptocurrency funds.


