Hacker Exploits Resolv for $23M - USR Stablecoin Crashes 97%

March 22, 2026

The Resolv Labs protocol suffered a major exploit on March 22, 2026. An unknown attacker exploited a vulnerability in the USR stablecoin minting smart contract, creating 80 million unbacked tokens in just two transactions. The stolen funds were converted into Ethereum, totaling approximately $23.7 million.

Bottom line: The attacker spent only $100,000 in USDC to mint 80 million USR - 800 times the deposited amount. The stablecoin crashed to $0.025 on Curve, losing 97.5% of its value.

How the Hack Happened

The attack was executed in two stages. First, the hacker deposited approximately 100,000 USDC into the USR minting contract and received 50 million tokens in a single transaction - 500 times the normal exchange rate. A second transaction added another 30 million USR, bringing the total unbacked tokens to 80 million.

Analysts at D2 Finance determined that the root cause was a compromised privileged role in the smart contract. The so-called "service role" was controlled by a single externally owned account with no restrictions on minting volume and no price oracle verification. The contract checked only the minimum number of tokens to be minted but set no upper limit. Once the attacker gained access to the service key, they could specify any amount of USR - hundreds of times more than the actual collateral.

Aggressive Extraction Through DeFi

After obtaining 80 million unbacked USR, the hacker immediately began liquidation through multiple decentralized protocols. The tokens were swapped for USDC and USDT stablecoins across various platforms, then converted into Ethereum. According to on-chain analyst Ai Yi, the attacker purchased a total of 11,409 ETH worth approximately $23.7 million.

The massive USR sell-off instantly crashed the price on decentralized exchanges. On Curve Finance, the token dropped to an absolute low of $0.025 - a 97.5% loss from its $1 target price. The price later partially recovered to $0.85, but a full dollar peg restoration remains uncertain. The RESOLV governance token also declined 6% to $0.054.

Resolv Incident Details
Date of exploit: March 22, 2026
Unbacked USR minted: 80,000,000
Attacker's cost: ~$100,000 USDC
Funds extracted: ~$23.7M (11,409 ETH)
USR price low: $0.025 (-97.5%)
RESOLV token: -6% ($0.054)

What Is Resolv and How USR Works

Resolv is a DeFi protocol that issues the USR stablecoin pegged 1:1 to the US dollar. Unlike centralized stablecoins such as USDC or USDT, USR maintains its peg through over-collateralization with crypto assets - primarily ETH, staked Ethereum, and Bitcoin. This makes it a decentralized alternative, but also introduces additional risks related to smart contract security.

The minting mechanism relies on a special service key that determines the amount of USR for each deposit. This is where the critical vulnerability lay: the contract trusted this key without limits, and the key itself was stored on a single external wallet without multisignature protection. In essence, the security of all user assets depended on a single private key.

Team Response and Recovery Prospects

Resolv Labs promptly paused all protocol functions to prevent further exploitation. In a statement on X, the team noted that the collateral pool "remains fully intact" and no underlying assets were lost. This means the funds backing previously issued USR were not stolen - losses were borne by those who purchased unbacked tokens on the secondary market.

The investigation continues with participation from on-chain analysts PeckShield and Ai Yi, who were the first to detect suspicious activity. There is currently no information on whether the stolen funds can be recovered, as the attacker has already converted them into ETH.

Lessons for DeFi Security

The Resolv hack serves as yet another reminder of the risks posed by privileged keys in DeFi protocols. Using a single external wallet to control a critical token minting function without multisignature, timelocks, or upper limits represents a serious architectural vulnerability that could have been avoided.

The incident reveals the importance of layered security: multisig wallets for administrative functions, strict limits on minting volume per transaction, and mandatory price oracle verification. For users of decentralized stablecoins, the USR attack is another reason to carefully evaluate collateral mechanisms and smart contract security before committing capital.
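The minimum-only check described under "How the Hack Happened" and the per-transaction limit and oracle verification listed above can be compared in a small model. This is an added example, not Resolv's contract code: the function names, the 1% deviation tolerance, the 1,000,000 USR cap and the oracle price of 1 are assumptions, and the deposit and mint figures are the article's.

```python
from decimal import Decimal

class MintRejected(Exception):
    """Raised when a mint request fails a guard."""

def mint_min_only(requested, min_out):
    # Behaviour as the article describes it: only a lower bound is checked,
    # so whatever amount the service key supplies is accepted.
    if requested < min_out:
        raise MintRejected("below minimum")
    return requested

def mint_bounded(deposit, requested, min_out, oracle_price,
                 max_deviation=Decimal("0.01"),
                 per_tx_cap=Decimal("1000000")):
    # Hypothetical hardened guard: the requested amount must also stay under
    # a per-transaction cap and agree with an independent price source.
    # max_deviation and per_tx_cap are assumed values, not Resolv parameters.
    if requested < min_out:
        raise MintRejected("below minimum")
    if requested > per_tx_cap:
        raise MintRejected("over per-transaction cap")
    fair = deposit * oracle_price  # USR owed for the deposit at a $1 target
    if requested > fair * (1 + max_deviation):
        raise MintRejected("over oracle-implied amount")
    return requested

def outcome(fn, *args):
    # Run one guard and report the result as a string.
    try:
        return "minted %s" % fn(*args)
    except MintRejected as exc:
        return "rejected: %s" % exc

if __name__ == "__main__":
    one = Decimal("1")
    # Figures from the article: ~100,000 USDC deposited, 50,000,000 USR minted.
    dep, req = Decimal("100000"), Decimal("50000000")
    print(outcome(mint_min_only, req, one))
    print(outcome(mint_bounded, dep, req, one, one))
    # Constructed case: under the cap, still five times the collateral value.
    print(outcome(mint_bounded, dep, Decimal("500000"), one, one))
    # Constructed case: an honest 1:1 mint passes.
    print(outcome(mint_bounded, dep, Decimal("100000"), one, one))
```

The cap alone would not have stopped a mint of a few hundred thousand USR against 100,000 USDC; the oracle comparison is what ties the amount to the collateral.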
