Key Takeaways
- A sophisticated exploit targeting Resolv’s USR minting mechanism enabled hackers to generate approximately 80 million unbacked tokens using only $200,000 in USDC
- Hackers successfully extracted 11,409 ETH valued at approximately $25 million through coordinated swap transactions
- The USR stablecoin plunged to $0.025 on Curve Finance before staging a partial comeback to roughly $0.85
- Resolv halted all protocol operations while asserting its collateral reserves remained untouched, though existing USR holders suffered significant losses due to token supply inflation
- Major DeFi platforms such as Morpho, Lido, and Aave quickly issued statements addressing their risk exposure
A critical security breach in Resolv’s USR stablecoin infrastructure resulted in the theft of approximately $25 million worth of Ethereum on Sunday, after an attacker successfully manipulated the protocol’s minting contract to generate tens of millions of unbacked tokens.
The exploitation commenced around 2:21 a.m. UTC. The malicious actor deposited 100,000 USDC into Resolv’s USR Counter contract and received an astonishing 50 million USR in return—a yield roughly 500 times above the anticipated amount. A follow-up transaction generated an additional 30 million tokens.
Following the minting phase, the attacker systematically exchanged the fraudulently created USR for USDC and USDT through various decentralized exchanges, ultimately consolidating the proceeds into ETH. Current blockchain records show the attacker’s wallet containing 11,409 ETH, valued at approximately $23.7 million as of this writing.
USR, engineered to maintain a stable $1 valuation, plummeted to just $0.025 on Curve Finance merely 17 minutes after the initial unauthorized mint. While the token managed to climb back toward $0.85, it remained significantly depegged as of Sunday morning.
Resolv Labs announced via X that all protocol operations had been suspended. The development team emphasized that the collateral pool “remains fully intact” with “no underlying assets” compromised. They characterized the incident as “isolated to USR issuance mechanics.”
Despite these reassurances, blockchain analysts highlighted that current USR holders sustained substantial damage. The injection of 80 million new tokens severely diluted the existing supply, while the attacker’s massive sell-off eliminated available pool liquidity. Any user holding USR during the attack experienced instant devaluation.
Inadequate Access Permissions Pinpointed as Primary Vulnerability
Blockchain security analyst Andrew Hong traced the breach to a privileged administrative account designated as the SERVICE_ROLE. This critical account was controlled by a single externally owned address rather than a secure multisignature wallet. The minting contract lacked oracle verification, amount validation protocols, or maximum mint thresholds.
Security firm Pashov, which conducted an audit of Resolv’s staking infrastructure in July 2025, informed Cointelegraph that the fundamental issue appeared to stem from private key compromise rather than inherent protocol architecture flaws.
Cyvers CEO Deddy Lavid emphasized: “Audits alone are not enough. If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
Resolv’s official website documents 14 separate audit engagements conducted by five different security firms, a $500,000 bug bounty program hosted on Immunefi, and ongoing smart contract surveillance.
DeFi Platforms Scramble to Mitigate Contagion Risk
Numerous DeFi ecosystems responded swiftly following the exploit. Lido confirmed that user assets within Lido Earn remained secure. Aave founder Stani Kulechov clarified the platform maintained no direct USR exposure and confirmed Resolv was actively repaying outstanding obligations. Morpho co-founder Merlin Egalite disclosed that only specific vaults carried exposure.
Ripple Effects Across Lending Protocols
Both USR and its staked derivative wstUSR functioned as accepted collateral across platforms including Morpho and Gauntlet. Security analysts observed that opportunistic traders likely purchased discounted USR following the crash and borrowed USDC against it at the $1 oracle valuation, effectively depleting liquidity from those lending vaults.
Resolv’s subordinated insurance layer, RLP, now confronts potential capital losses. Stream Finance, maintaining a 13.6 million RLP position valued at roughly $17 million, may expose its depositor base to cascading losses. Stream previously reported a $93 million loss in November 2025.
The RESOLV governance token declined approximately 8.5% during the 24-hour period following the security breach.
The Resolv incident represents a continuation of escalating exploit trends. A recent Immunefi analysis revealed the average cryptocurrency hack now inflicts approximately $25 million in damages, with the five largest exploits during 2024–2025 representing 62% of total stolen assets.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
