License No. 4978/GP-TTĐT issued by the Hanoi Department of Information and Communications on October 14, 2019 / Amended and supplemented ICP license No. 2107/GP-TTĐT issued by the Hanoi Department of Information and Communications on July 13, 2022.
© 2026 Index.vn
The exploit centered on Resolv’s USR mint flow, which used a two-step process involving an off-chain signer. A user deposited USDC via a requestSwap function, and a privileged key with SERVICE_ROLE authorized how much USR to mint through completeSwap.
The critical weakness was that the contract enforced a minimum amount out but did not set an upper bound. As a result, if the signing key approved an excessively large mint amount, the contract would still execute it.
The attacker allegedly compromised Resolv’s AWS Key Management Service access and used the signer to authorize roughly 80 million USR against deposits reportedly in the low six figures. On-chain records cited by multiple analysts show two rapid mints: one for 50 million USR and another for 30 million USR.
Security researchers said the incident was not an exotic smart-contract edge case. Instead, they pointed to a privileged mint design combined with weak operational security and missing issuance limits. One analyst summarized the issue as the system behaving as designed—making the design itself dangerous.
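The gap between a minimum-only check and a bounded mint can be modeled in a few lines. This is an added Python sketch, not Resolv's contract code: `SwapDesk`, `try_mint`, the 1.01 rate ceiling, the window cap and the 100,000 USDC deposit used in the checks are assumptions made for illustration; only the request/complete flow and the 50 million mint size come from the reporting above.

```python
from dataclasses import dataclass, field

# Assumed policy values for this sketch; the page does not give Resolv's parameters.
MAX_RATE_BPS = 10_100    # at most 1.01 USR minted per USDC deposited
WINDOW_CAP = 5_000_000   # most USR the signer role may mint per rate-limit window


class MintRejected(Exception):
    """Raised when a mint authorization violates an on-contract rule."""


@dataclass
class SwapDesk:
    bounded: bool                                  # False = minimum-only check
    requests: dict = field(default_factory=dict)   # id -> (usdc_in, min_usr_out)
    minted_in_window: int = 0
    next_id: int = 0

    def request_swap(self, usdc_in: int, min_usr_out: int) -> int:
        """User side: record the deposit and the least USR the user accepts."""
        rid = self.next_id
        self.next_id += 1
        self.requests[rid] = (usdc_in, min_usr_out)
        return rid

    def complete_swap(self, rid: int, signed_amount: int) -> int:
        """Signer side: the off-chain key supplies the amount to mint."""
        usdc_in, min_usr_out = self.requests[rid]
        if signed_amount < min_usr_out:
            raise MintRejected("below the user's minimum")
        if self.bounded:
            ceiling = usdc_in * MAX_RATE_BPS // 10_000
            if signed_amount > ceiling:
                raise MintRejected("above the deposit-derived ceiling")
            if self.minted_in_window + signed_amount > WINDOW_CAP:
                raise MintRejected("above the window issuance cap")
        del self.requests[rid]           # a request can be completed only once
        self.minted_in_window += signed_amount
        return signed_amount


def try_mint(desk: SwapDesk, usdc_in: int, signed_amount: int) -> str:
    """Run one request/complete cycle and report the outcome."""
    rid = desk.request_swap(usdc_in, min_usr_out=usdc_in * 99 // 100)
    try:
        return f"minted {desk.complete_swap(rid, signed_amount)}"
    except MintRejected as exc:
        return f"rejected: {exc}"
```

With `bounded=False` the signed amount is honored whatever the deposit was; with `bounded=True` the contract itself caps the damage a stolen signing key can do to the per-request ceiling and the window cap.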
Resolv had reportedly undergone multiple audits, but repeated reviews did not eliminate the structural risk. The reporting emphasized that audit counts are not a substitute for redesigning unsafe architecture or fully hardening key management.
A detail highlighted in the reporting was that the admin role had multisig protection, while the mint-signing role did not. Researchers argued this was the reverse of what risk management would typically require: if a single key can create system liabilities at scale, that key is a “crown jewel,” and leaving it as a standard externally owned account increases exposure.
After minting the inflated USR balance, the attacker reportedly did not sell everything at once. The wallet moved through wstUSR, the wrapped staked version, and then rotated liquidity through Curve DAO, Uniswap, and Kyber Network Crystal into Ethereum.
The wallet tied to the exploit reportedly ended up holding about 11,400 ETH, valued at roughly $24 million around the time the attack was analyzed.
Resolv’s backing pool of BTC and ETH was not immediately drained, according to the reporting. However, the collateral’s survival did not prevent a credibility shock: once users stopped believing that redeemability and market price were aligned, the peg broke.
The second failure involved lending protocols that continued to value USR or wstUSR near $1 even as market prices fell sharply. The broader contagion was described as a familiar DeFi pattern: treating a depegged stablecoin as if nothing had changed.
Once secondary market prices diverge from oracle values, participants can buy discounted collateral, post it at an inflated on-chain valuation, borrow stronger assets such as USDC, and leave bad debt behind.
Chaos Labs’ Omer Goldberg highlighted this dynamic publicly, noting that wstUSR was still being marked around $1.13 in at least one setup while trading much lower in the market. That pricing gap was described as creating an opportunity for fast actors to extract value.
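A lending market can defend against this gap by checking its configured price against an independent reference before extending credit. The following is an added Python sketch, not code from any protocol named here: the thresholds, the loan-to-value figure, the `PriceView` type and the 0.40 market price are assumptions; only the 1.13 mark comes from the reporting above.

```python
from dataclasses import dataclass

# Assumed risk parameters for this sketch (not taken from any protocol on the page).
MAX_DEVIATION_BPS = 200    # freeze new borrows if oracle and market differ by > 2%
MAX_ORACLE_AGE_S = 3600    # treat an oracle value older than this as stale
LTV_BPS = 8_000            # loan-to-value applied to accepted collateral


@dataclass(frozen=True)
class PriceView:
    oracle_price: float    # price the lending market is configured to use
    oracle_age_s: int      # seconds since the oracle value last updated
    market_price: float    # independent reference, e.g. a DEX time-weighted price


# Constructed sample: the 1.13 mark is from the page, the 0.40 market price is made up.
DEPEGGED = PriceView(oracle_price=1.13, oracle_age_s=0, market_price=0.40)


def deviation_bps(p: PriceView) -> int:
    """Oracle-versus-market gap in basis points of the oracle price."""
    return round(abs(p.oracle_price - p.market_price) / p.oracle_price * 10_000)


def borrow_limit(p: PriceView, collateral_units: float, guarded: bool) -> float:
    """USD borrowable against the collateral; 0.0 means new borrows are frozen."""
    if not guarded:
        return collateral_units * p.oracle_price * LTV_BPS / 10_000
    if p.oracle_age_s > MAX_ORACLE_AGE_S or deviation_bps(p) > MAX_DEVIATION_BPS:
        return 0.0
    conservative = min(p.oracle_price, p.market_price)
    return collateral_units * conservative * LTV_BPS / 10_000


def uncovered_debt(p: PriceView, collateral_units: float, guarded: bool) -> float:
    """Debt left over if the collateral can only be sold at the market price."""
    debt = borrow_limit(p, collateral_units, guarded)
    return max(0.0, debt - collateral_units * p.market_price)
```

For the constructed sample, one million units of collateral support about 904,000 USD of borrowing under the unguarded valuation against 400,000 USD of realizable value; the guarded path freezes new borrows instead.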
The reporting also noted that similar mechanics have appeared repeatedly across DeFi over the past year or more, with the same exploit path recurring: depeg, stale oracle, overborrow, and socialized losses. It cited Morpho, Euler, and Fluid as examples of protocols that have had to consider this risk class, even as markets continued listing collateral that could fail faster than pricing systems could react.
The article attributed the persistence of this problem to incentives around yield-bearing stablecoins. These products are viewed as capital efficient and “sticky,” lending protocols accept them because they expand collateral options, and integrators benefit from additional yield that can raise TVL while the peg holds.
What is often underpriced, the reporting argued, is reflexivity: when a synthetic or wrapped dollar product depends on off-chain operations, special roles, redemption assumptions, and secondary market liquidity, it becomes a layered risk product rather than plain vanilla collateral.
Resolv’s exploit was framed as more than a single hack headline—an example of how one compromised key can spread across DeFi when risk systems are built for normal conditions rather than failure modes.
The immediate watchlist described in the reporting includes whether USR has any credible recovery path, whether affected protocols can fully ring-fence bad debt, and whether lending markets tighten standards for yield-bearing stable collateral.
The broader takeaway was summarized as follows: if a token claims to be “stable” but relies on trust in off-chain actors, wrappers, and lagging oracles, it should be treated as risk collateral rather than digital cash.