Resolv Private Key Stolen, $23 Million Lost; Morpho Confirms Main Protocol Safe

Morpho confirms main protocol is safe

Decentralized finance protocol Resolv Labs disclosed on Sunday that attackers gained access to the project's private keys, gradually exchanged the tokens they minted for Ether, and stole approximately $23 million. In response to public concerns about how far the Morpho protocol was affected, Morpho co-founder Paul Frambot clarified that, of about 500 vaults, only 15 with large market exposures (over $10,000) were significantly affected.

Resolv Labs Vulnerability Analysis: The Attack Path of Private Key Theft

The core vulnerability in this attack was not Resolv Labs' delta-neutral stablecoin mechanism itself but a failure of private key management at the infrastructure level. According to Chainalysis's on-chain report, the attackers accessed Resolv's key management service on Amazon Web Services (AWS) and bypassed the protocol logic. Because the minting contract had no oracle checks and no maximum minting limit, they were able to over-mint on a large scale at very low cost.

The attack path was as follows: mint 80 million USR → exchange for staked version → exchange for USDC → purchase ETH and transfer out, ultimately resulting in about $23 million worth of ETH loss, with USR token holders directly bearing the impact of the valuation collapse. Resolv Labs then urgently shut down minting and exchange functions to prevent further losses.
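The two guards the report says the minting contract lacked can be modelled in a few lines. This is an added example, not Resolv's code: a Python model of an oracle-priced collateral check plus a rolling mint cap, where the class name, cap, window and tolerance values are assumptions and the replay uses the article's figures of about 80 million USR requested against roughly $200,000 of collateral (assumed here to be a $1-priced asset).

```python
from collections import deque
from decimal import Decimal

class MintGuard:
    """Model of the two checks the report says the minting path lacked.
    All parameter values are constructed for illustration."""

    def __init__(self, cap_per_window, window_seconds, tolerance):
        self.cap = Decimal(cap_per_window)      # max tokens minted per rolling window
        self.window = window_seconds
        self.tolerance = Decimal(tolerance)     # allowed slack over oracle value
        self.history = deque()                  # (timestamp, amount) of accepted mints

    def _minted_in_window(self, now):
        # Drop accepted mints that have aged out of the rolling window.
        while self.history and self.history[0][0] <= now - self.window:
            self.history.popleft()
        return sum((amt for _, amt in self.history), Decimal(0))

    def authorize(self, now, collateral_units, oracle_price_usd, requested_mint):
        """Return (allowed, reason). A valid signer key is assumed: the
        checks bound what even a stolen key can mint."""
        requested = Decimal(requested_mint)
        if requested <= 0:
            return False, "non-positive amount"
        # Oracle check: a $1-pegged token may not exceed the collateral's USD value.
        value = Decimal(collateral_units) * Decimal(oracle_price_usd)
        if requested > value * (1 + self.tolerance):
            return False, "exceeds oracle-priced collateral"
        # Mint cap: bound total issuance per window regardless of collateral.
        if self._minted_in_window(now) + requested > self.cap:
            return False, "exceeds window mint cap"
        self.history.append((now, requested))
        return True, "ok"

def replay_incident():
    # Constructed scenario using the article's figures: ~80M USR requested
    # against ~$200,000 of collateral priced at $1 by the oracle.
    guard = MintGuard(cap_per_window="5000000", window_seconds=3600, tolerance="0.005")
    return [
        guard.authorize(0, "200000", "1.00", "80000000"),     # incident-sized mint
        guard.authorize(10, "200000", "1.00", "200000"),      # honest mint
        guard.authorize(20, "4900000", "1.00", "4900000"),    # passes oracle, breaks cap
        guard.authorize(3700, "4900000", "1.00", "4900000"),  # earlier mint aged out
    ]
```

With both checks in place, the signing key alone no longer decides how much can be minted: the incident-sized request fails the oracle check, and even fully collateralized requests are bounded by the window cap.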

Morpho’s Chain Reaction: Risk Transmission in the Curator Model

The Morpho protocol uses a curator model, which allows third-party management entities to customize the security parameters and token lists of lending pools. If issues arise, the risk is borne by the curator’s pool, not by the Morpho protocol itself.

In this incident, the curators involved with USR exposure included Gauntlet, Re7 Labs, kpk, and 9summits. Chaos Labs founder Omer Goldberg pointed out that some curators’ automated liquidity services continued providing liquidity to the affected vaults hours after the vulnerability was discovered, further amplifying losses.

Key Data on Morpho’s Impact

  • Total vaults: approximately 500
  • Affected vaults (exposure over $10,000): about 15
  • Affected vault types: mainly high-risk strategies using long-tail collateral assets
  • Unaffected areas: low-risk Prime Vaults and all vaults not involving USR or Resolv-related assets

Morpho co-founder Merlin Egalite explicitly stated, “Morpho contracts have no vulnerabilities. They are secure and functioning as intended.” Paul Frambot also added that curators responded quickly to this challenging situation, the Morpho team provided assistance when needed, and they will continue collaborating with curators to improve existing tools.

Frequently Asked Questions

How was Resolv Labs’ USR stablecoin attacked?

Attackers did not directly target USR’s delta-neutral stablecoin mechanism. They gained access to Resolv Labs’ private keys on AWS, bypassed protocol logic, and exploited the lack of minting limits and oracle checks in the minting contract. They minted approximately 80 million USR with collateral worth about $100,000 to $200,000, then gradually converted it to ETH and withdrew about $23 million.

How does Morpho’s curator model affect the scope of risk transmission in this incident?

The Morpho protocol delegates risk decision-making to third-party curators, who can set security parameters for pools. The 15 affected vaults were high-risk vaults where curators chose to include USR as collateral. The core Morpho protocol itself has no vulnerabilities, and low-risk Prime Vaults and other vaults not involving USR were unaffected.

How should Morpho users respond to the ongoing impact of the Resolv incident?

Morpho co-founder Paul Frambot recommends users stay updated with the latest announcements from Resolv Labs and involved curators to monitor specific vault risk exposures. If holding vault shares related to USR or Resolv assets, closely track whether curators adjust risk management parameters.
