Resolv USR Stablecoin Hit by Major Exploit
Early Sunday morning, a vulnerability exploit targeting the Resolv protocol rocked the DeFi market. Several blockchain security firms confirmed that the attacker exploited a flaw in the USR stablecoin minting contract, creating roughly 80 million unbacked USR tokens and extracting about $25 million in assets from the market.
The attack occurred around 02:21 UTC and was first detected by the on-chain monitoring account YieldsAndMore, which spotted abnormal transactions.
Attack Details: Small Deposits Yield Massive Token Output
On-chain transaction data shows the attacker initially deposited 100,000 USDC into Resolv’s USR Counter contract. Theoretically, this should have only returned the equivalent amount of USR.
However, the actual outcome was a severe anomaly:
- The first transaction minted about 50 million USR
- The second transaction minted another 30 million USR
The total output was around 500 times the expected value.
USR Price Collapses Rapidly
USR is a stablecoin pegged to the US dollar, but instead of fiat reserves, it uses a combination of ETH and BTC with a delta-neutral hedging strategy. When a large volume of unbacked tokens was minted, the market price quickly spiraled out of control.
Market reactions included:
- In the Curve Finance liquidity pool
- The price fell to $0.025 within 17 minutes
(Source: DEXSCREENER)
Although the price briefly rebounded to about $0.85, it failed to restore its $1 peg.
Attacker’s Fund Movements
The attacker’s address, starting with 0x04A2, conducted a series of arbitrage operations:
- Swapped the minted USR for USDC and USDT
- Sold these assets through multiple decentralized exchanges
- Ultimately converted the proceeds to ETH
On-chain data shows:
- The main wallet holds 11,409 ETH
- Valued at approximately $23.7 million
Another address still holds about $1.1 million in wstUSR.
Resolv’s Response: Collateral Assets Intact
After the incident surfaced, Resolv Labs announced on social media:
- All protocol functions have been suspended
- The collateral asset pool remains intact
- The issue is confined to the USR minting process
(Source: ResolvLabs)
Analysts noted that, although the collateral assets were not directly stolen, the market losses remain severe.
Inadequate Permission and Verification Mechanisms
On-chain analyst Andrew Hong identified the core issue as the SERVICE_ROLE permission account, which processes swap requests but is controlled by a standard EOA wallet instead of a multisig.
The minting contract also lacked several critical safeguards:
- No oracle price verification
- No cap on the amount minted
- No check on minting requests or execution amounts
DeFi investment firm D2 Finance outlined three possible causes:
- Manipulation of the price oracle
- Compromise of the offline signing account
- Absence of a minting amount verification mechanism
(Source: D2_Finance)
DeFi Ecosystem Ripple Effects
The USR collapse impacted not only token holders but also the DeFi lending market. USR and its staked version, wstUSR, had been used as collateral on platforms such as Morpho and Gauntlet.
Some traders took advantage of USR’s price dropping below $1:
- Bought USR at a discount
- Used it as collateral at the system’s fixed $1 valuation
- Borrowed USDC
This could quickly drain liquidity from lending pools.
Insurance Pool and Liquidity Layer Also at Risk
Resolv’s liquidity protection mechanism, the Resolv Liquidity Pool (RLP), is designed to absorb losses and protect USR. Prior to the attack, RLP’s circulating value was about $38.6 million, with the largest holder being yield protocol Stream Finance. Stream Finance previously suffered a $93 million loss from asset misappropriation in 2025 and now faces renewed risk.
Regulatory Pressure Mounts
This incident coincides with the US Congress debating stablecoin regulations, including the GENIUS Act, which aims to regulate yield-bearing stablecoins. The American Bankers Association has warned that such products could draw deposits away from traditional banks.
Conclusion
The Resolv USR incident underscores that stablecoin risks originate not only from collateral assets, but also from flaws in contract design and permission management. Even when underlying assets remain untouched, unchecked supply expansion and loss of market confidence can inflict significant losses. As the DeFi market grows, building robust monitoring, permission management, and risk control mechanisms will be essential for the evolution of stablecoins and on-chain finance.
