Bear Market "Classic Script" Replays: Reviewing Resolv Labs' "Flash Liquidation" and USR Depegging Event

Written by: Glendon, Techub News

On March 22, DeFi protocol developer Resolv Labs, focused on creating decentralized interest-bearing stablecoins, was hacked. On-chain data shows that the attacker, whose address begins with “0x04A2,” initially deposited only 100,000 USDC but exploited a protocol vulnerability to mint 50 million USR stablecoins. The attacker then repeated the attack, using another 100,000 USDC to mint 30 million USR. During this period, Resolv Labs officially confirmed the attack via Twitter, stating that all protocol functions had been paused and recovery efforts were underway.

However, it was already too late. A total of 80 million USR, unbacked by any assets, had rapidly flooded the market, causing the stablecoin USR to depeg quickly. Additionally, due to market liquidity drying up, severe slippage occurred during trading, further accelerating USR’s decline. According to CoinMarketCap data, USR once depegged to about $0.06, a drop of over 94% (currently USR has rebounded to around $0.32 but remains in a “severely depegged” state). Notably, the attacker’s cash-out path was clear and swift, completing the entire process within hours. They converted the illegally minted USR into wstUSR, then sold large amounts on decentralized exchanges like Curve and Uniswap, exchanging for USDC and USDT, and subsequently swapped these stablecoins for approximately $25 million worth of Ethereum, ultimately executing a “flash raid” to launder the attack proceeds.

In an already sluggish market, the attack on Resolv Labs has once again shaken industry confidence, and the crypto community has even described it as a “classic bear market script.” The root cause of the attack remains the same old issue: flawed token minting mechanism design.

Vulnerability Origin: The Triple Failures of the Minting Mechanism

First, it’s important to note that Resolv’s stablecoin system employs a dual-layer design. USR is a 1:1 USD-pegged stablecoin, minted by users depositing ETH or BTC. It uses a delta-neutral strategy, allowing the protocol to open equivalent short perpetual positions on ETH/BTC to hedge against price volatility, thereby maintaining USR’s stability. USR holders can earn a share of the protocol’s revenue and participate further in yield aggregation through DeFi protocols like Pendle and Sommelier.

At the same time, Resolv introduced the Resolv Liquidity Provider Token (RLP) as an “insurance pool” to absorb potential losses from hedging strategies, such as liquidations, slippage, and funding rate fluctuations. During the attack, RLP also suffered. According to CoinGecko, RLP’s price fell from $1.38 to $0.23, a decline of over 83%. Currently, RLP has recovered to $0.98.

How did Resolv Labs get hacked? According to analyses by security firm PeckShield and multiple on-chain analysts, the core issue lies in severe design flaws in the minting contract’s permission control and validation mechanisms. First, a critical permission control vulnerability existed. Normally, users mint USR by depositing collateral, with the minting amount pegged 1:1 to the collateral’s value. However, the attacker exploited the SERVICE_ROLE permission to bypass collateral valuation checks and directly set an astronomical minting amount, effectively minting 80 million USR with only $200,000 in USDC and achieving “super leverage.”

This flaw stems from the fact that SERVICE_ROLE has the power to directly determine the minting amount, which makes it a “superuser” permission. Since the protocol did not implement a multisignature scheme or a decentralized signer network but relied on a single signer or a few signers, a key leak or compromise would immediately lead to system failure.

Second, the on-chain amount validation mechanism was a major security blind spot. Resolv’s minting contract fully trusts off-chain signers to specify the minting amount, without setting on-chain limits (e.g., a maximum of 1 million USR per transaction) or using oracles to verify collateral value and minting amounts in real-time. This means that if an attacker controls or compromises the off-chain signers, they can mint USR at will, regardless of collateral adequacy. This lack of validation opened the door for the attack.

Third, the delta-neutral strategy itself posed inherent risks. While Resolv used a delta-neutral approach to issue USR, the event revealed weaknesses in this design. The delta-neutral strategy tightly couples the minting logic with off-chain signatures and oracle data, which become the most vulnerable attack surfaces. If the off-chain signers or oracles malfunction or are compromised, the entire minting mechanism could collapse.

Early this morning, Resolv Labs issued a statement explaining the attack. The incident originated from unauthorized third-party actions, including targeted infrastructure intrusion and cyberattacks. The attacker gained illegal access through leaked private keys, leading to the unauthorized minting of approximately $80 million USR without collateral.

Resolv also disclosed that about 9 million USR tokens held by the attacker have been successfully burned. The current USR supply includes 102 million tokens existing before the incident and about 71 million newly minted illegal tokens. To mitigate losses and restore order, they plan to enable redemption of pre-attack USR today, starting with whitelisted users. They also emphasized that the underlying collateral assets remain unaffected, and they are tracking and attempting to control the illegal USR and other affected assets.

This is a preliminary remedial step for early users, showing the company’s efforts to reduce losses and recover funds. However, the incident has already triggered a chain reaction across the industry.

Chain Reactions and Lessons

The most immediate impact of the Resolv Labs incident is the severe depegging of USR and the decline of Resolv’s native token, RESOLV. RESOLV once dropped over 16% to $0.052. Many DeFi protocols were affected as well. The USR/USDC liquidity pool on Curve Finance collapsed instantly; the USR collateralized lending markets on Morpho, which support USR and wstUSR, were nearly emptied, with many users facing forced liquidations due to USR’s depeg.

However, Morpho co-founder Paul Frambot tweeted today that the impact of the Resolv attack on Morpho was not as severe as rumors suggested. The main effects were on markets that use USR, RLP, and related assets as collateral. Among about 500 Morpho vaults with over $10,000 in deposits, roughly 15 had significant exposure to the affected markets (over $10,000).

Additionally, other protocols integrated with Resolv or ecosystem partners have taken emergency measures to protect their users. For example, DeFi risk management firm Gauntlet emphasized that Gauntlet USD Alpha does not hold USR or RLP positions, and its vaults are unaffected. They are working with Resolv on solutions and developing compensation plans for remaining funds.

DeFi protocol Fluid stated that it has secured short-term loans to cover all current bad debts, ensuring user funds’ safety. Aave founder Stani.eth also tweeted that Aave has no exposure to Resolv’s stablecoin USR; Resolv only acts as a liquidity provider supplying assets to Aave, and those assets remain safe. Other protocols that use USR as a yield-bearing asset (like Pendle and Sommelier) have not suffered direct losses but have experienced indirect impacts on yields and asset values.

This again highlights a harsh reality in DeFi: the failure of one protocol can trigger a “chain collapse” across multiple protocols, especially when an asset widely used as collateral is compromised. Even unaffected protocols can suffer reputational and operational damage due to associated risks.

During the incident, the attacker sold the illegally minted 80 million USR in batches into liquidity pools on Curve, Uniswap, and other DEXs, causing sharp price swings. The collapse in USR’s value not only caused impermanent loss for liquidity providers but also resulted in substantial capital losses, as most of their holdings were in depegged USR. This exposed structural weaknesses in emerging liquidity pools with low trading volume or insufficient depth, which lacked the capacity to absorb large sell-offs, leading to rapid price distortions and systemic risks.

From a broader perspective, the Resolv Labs incident is not just a single project’s security failure but a heavy blow to crypto investor confidence, potentially triggering a new wave of stablecoin trust crises. As stablecoins underpin DeFi activity, their depegging and security issues threaten the entire ecosystem’s stability, deepening doubts about the long-term viability of algorithmic and interest-bearing stablecoins. It may also prompt risk-averse investors to withdraw from high-risk DeFi protocols and shift to more mature assets or safer strategies.

This incident serves as a wake-up call for the industry, especially amid the ongoing bear market and low risk appetite. The core issue exposed—over-reliance on off-chain signatures without on-chain validation—is seen as a “trust model collapse.” It also underscores the need for protocols to adopt multi-signature controls, integrate decentralized oracle networks like Chainlink or Pyth for real-time on-chain validation, and embed automated circuit breakers to enhance security and resilience.
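An added sketch (not Resolv's code, and not taken from the analyses cited on this page) of the on-chain checks that the minting analysis above describes as missing and that this paragraph recommends: a per-transaction cap, an oracle check of the mint amount against collateral value, and a circuit breaker that only a separate guardian can reset. Every name, interface and limit other than the 1 million USR per-transaction figure is an assumption, and the contract assumes the collateral deposit has already been received.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not Resolv's contract or interfaces.
interface IOracle { function usdValue(address token, uint256 amount) external view returns (uint256); } // assumed: 18-decimal USD
interface IMintable { function mint(address to, uint256 amount) external; }

contract GuardedMinter {
    uint256 public constant MAX_PER_TX = 1_000_000e18;     // per-transaction cap (the article's example figure)
    uint256 public constant MAX_PER_WINDOW = 5_000_000e18; // assumed rolling limit
    uint256 public constant WINDOW = 1 hours;              // assumed window length
    uint256 public constant TOLERANCE_BPS = 100;           // assumed: mint may exceed oracle value by at most 1%

    IOracle public immutable oracle;
    IMintable public immutable usr;
    address public immutable service;  // key that proposes mint amounts
    address public immutable guardian; // intended to be a multisig; only it can unpause
    bool public paused;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    event CircuitBreakerTripped(address indexed to, uint256 requested);

    constructor(IOracle o, IMintable t, address s, address g) {
        oracle = o; usr = t; service = s; guardian = g;
    }

    function unpause() external {
        require(msg.sender == guardian, "not guardian");
        paused = false;
    }

    // The service key still proposes the amount but can no longer decide it alone.
    function completeMint(address to, address collateral, uint256 collateralAmount, uint256 mintAmount) external {
        require(msg.sender == service, "not service");
        require(!paused, "paused");
        require(mintAmount <= MAX_PER_TX, "per-tx cap");
        uint256 valueUsd = oracle.usdValue(collateral, collateralAmount);
        require(mintAmount * 10_000 <= valueUsd * (10_000 + TOLERANCE_BPS), "mint exceeds collateral value");
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        if (mintedInWindow + mintAmount > MAX_PER_WINDOW) {
            paused = true; // return rather than revert, so the pause is actually stored
            emit CircuitBreakerTripped(to, mintAmount);
            return;
        }
        mintedInWindow += mintAmount;
        usr.mint(to, mintAmount);
    }
}
```

With these limits, a request like the one described at the top of the article (50 million USR against 100,000 USDC) reverts at the per-transaction cap and would also fail the collateral-value check, even when it is sent by the service key.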

Furthermore, the delayed emergency response—Resolv only paused the protocol two hours after the attack—highlighted deficiencies in their crisis management. Future protocols should prioritize establishing rapid, automated incident response systems.

Conclusion

As of writing, Resolv Labs has not announced a comprehensive compensation plan. There is no clear plan yet for affected users holding USR or those suffering losses from depegging, nor for RLP token holders impacted by insurance pool dilution. The market is watching closely to see whether further restitution will be provided.

This attack prompts reflection on whether DeFi’s “decentralization” is a technological revolution or a trust model redefinition. When innovation and security are out of balance, perhaps only returning to the fundamental principle of “least trust” can help find a sustainable balance between efficiency and risk.
