On March 22, an attacker used $200K USDC to drain 11,409 ETH, about $23.7M, from Resolv by abusing a privileged minting role with no cap, no oracle checks, and no on-chain guardrails. USR crashed to $0.025 on Curve.
At 2:21 AM UTC on March 22, one wallet deposited $100,000 in USDC into Resolv's minting contract. Ninety minutes later, that wallet held 11,409 ETH, roughly $23.7 million, and USR was trading at $0.025 on Curve. The stablecoin that had sat at $0.9996 for months lost 97% of its peg in a single morning.
Resolv wasn't a fly-by-night protocol. It ran a delta-neutral yield strategy: hold ETH and BTC spot, short the same via perpetuals, collect funding rates and staking yield, pass that yield to USR holders. The dual-tranche design put USR as the senior layer and RLP as the junior absorber. At peak, $500M TVL. Fourteen audit engagements across five firms. A $500K Immunefi bug bounty. Abu Dhabi-based, $10M seed in April 2025 led by Cyber.Fund and Maven11, with Coinbase Ventures, Arrington Capital, and Animoca Ventures in the round. None of it mattered.

The Flaw and The Execution
USR minting ran on a two-step flow: requestSwap initiates the mint, completeSwap finalizes it. The separation was designed to allow off-chain validation before tokens were issued. The problem is what sat between those two steps. SERVICE_ROLE, the privileged account responsible for completing mints, was a single externally owned account with no maximum mint limits and no price-oracle checks. Analyst ilemi confirmed on-chain: the SERVICE_ROLE had always been a plain EOA while the admin was a multisig. Whatever the SERVICE_ROLE signed off on, the contract executed.

This is not a bug in the traditional sense. The code did what it was designed to do. The design assumed the SERVICE_ROLE could never be compromised. That assumption was the vulnerability. Fourteen audits reviewed the code. None flagged the "god mode" role as a critical risk, because audits check for bugs, not architectural trust assumptions. As D2 Finance put it: "Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing."
The attacker ran it to the limit. First pass: $100K USDC into the minting contract, SERVICE_ROLE completes the swap for 50 million USR, a 500x multiplier on a $100K deposit. Then a second pass: another $100K USDC, 30 million more USR. The tokens moved immediately to Curve and Uniswap, swapped for USDC and USDT, then converted to ETH. The wstUSR wrapper was used to optimize exit liquidity across pools with different depth profiles. USR was selling as low as 50 cents on some trades as liquidity and slippage worsened, with multiple failed transactions visible on-chain showing the urgency. Total extraction: 11,409 ETH, roughly $23.7 million. Funds are still moving.
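The two-step flow above, modelled off-chain as an added example (not Resolv's contract code): the unguarded completion mints whatever the privileged signer approves, while the guarded one checks the amount against the deposit and an oracle price and enforces caps. The class, method names, cap values and the 1:1 oracle price are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
class MintRejected(Exception):
    """Raised when a completion fails one of the guards."""

@dataclass
class Minter:
    # Limits below are assumed values for illustration, not Resolv parameters.
    max_deviation: Decimal = Decimal("0.01")    # tolerated gap vs. oracle quote
    per_mint_cap: Decimal = Decimal("5000000")  # max USR per completion
    window_cap: Decimal = Decimal("10000000")   # max USR per time window
    window_seconds: int = 3600
    window_start: int = 0
    minted_in_window: Decimal = Decimal("0")
    pending: dict = field(default_factory=dict)  # request id -> USDC deposited

    def request_swap(self, req_id, usdc_in):
        self.pending[req_id] = Decimal(usdc_in)

    def complete_swap_unguarded(self, req_id, usr_out):
        # Design the article describes: the signed amount is minted, no cap, no price check.
        self.pending.pop(req_id)
        return Decimal(usr_out)

    def complete_swap_guarded(self, req_id, usr_out, usdc_per_usr, now):
        usdc_in, usr_out = self.pending[req_id], Decimal(usr_out)
        fair = usdc_in / Decimal(usdc_per_usr)  # USR the deposit actually backs
        if abs(usr_out - fair) > fair * self.max_deviation:
            raise MintRejected("amount deviates from oracle quote")
        if usr_out > self.per_mint_cap:
            raise MintRejected("per-mint cap exceeded")
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.minted_in_window = now, Decimal("0")
        if self.minted_in_window + usr_out > self.window_cap:
            raise MintRejected("window cap exceeded")
        del self.pending[req_id]
        self.minted_in_window += usr_out
        return usr_out

def replay_first_pass(guarded):
    """Replay the article's first pass: $100K USDC in, 50M USR requested out."""
    m = Minter()
    m.request_swap("r1", "100000")
    try:
        if guarded:
            return m.complete_swap_guarded("r1", "50000000", "1", now=0)
        return m.complete_swap_unguarded("r1", "50000000")
    except MintRejected as exc:
        return str(exc)
```

With these guards a compromised signer can still complete mints, but only for amounts the deposit backs and only up to the window cap.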

USR crashed to a low of 2.5 cents on the USR/USDC pool on Curve, Resolv's most liquid pool with a 24-hour volume of $3.6 million. The Curve pool was hit first because it held the deepest liquidity, meaning the attacker could dump the most volume there before slippage made further sales economically inefficient.

RESOLV, the protocol's native governance token, dropped 6% to $0.054 on the news. USR partially recovered to around $0.85 shortly after, driven by opportunistic buyers and thin remaining liquidity, but has since drifted back. It's currently trading around $0.40. The 80 million unbacked tokens don't disappear because the price bounces. The supply overhang is real.
Resolv Labs stated the collateral pool "remains fully intact" with no underlying assets lost. Both things are technically true. The collateral backing legitimate USR is intact. The peg is not, because the market can't distinguish backed from unbacked tokens on-chain in real time.

The Blast Radius: DeFi Lending Takes Collateral Damage
USR and wstUSR were accepted as collateral on Morpho and Gauntlet-curated vaults. The second-order damage came from a simple arbitrage: buy USR at its discounted market price, deposit it as collateral at the hardcoded $1 oracle valuation, borrow USDC against it. Stablecoin liquidity drained from those vaults before anyone could react.
Euler and Haiku paused all allocations and strategies involving the stablecoin. Venus suspended USR trading. The RLP junior tranche, designed to absorb losses and protect USR holders, had roughly $38.6 million in circulation at pre-exploit prices. Stream Finance, which disclosed a $93 million loss in November 2025 after an external fund manager misappropriated assets, holds a 13.6 million RLP position on Morpho representing approximately $17 million in net exposure. Stream's depositors could face yet another significant loss.
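An added example, not code from any of the lending protocols named above: it compares the fixed $1 valuation with a market reference price for a collateral position, quantifies the debt a vault could be left with, and shows a guarded valuation that caps the price at market and pauses new borrows on a depeg. The loan-to-value ratio, the deviation threshold and the function names are assumptions; the sample prices are the price points quoted in this article.

```python
from decimal import Decimal

HARDCODED_PRICE = Decimal("1")   # fixed oracle valuation described in the article
LTV = Decimal("0.90")            # assumed loan-to-value, not a real market parameter
MAX_DEVIATION = Decimal("0.02")  # assumed depeg tolerance before borrows pause

def assess(market_price, collateral_usr):
    """Compare the fixed valuation with a market reference for one position."""
    market_price, collateral_usr = Decimal(market_price), Decimal(collateral_usr)
    borrowable_fixed = collateral_usr * HARDCODED_PRICE * LTV
    market_value = collateral_usr * market_price
    deviation = abs(HARDCODED_PRICE - market_price) / HARDCODED_PRICE
    paused = deviation > MAX_DEVIATION
    # Guarded valuation: never price collateral above what the market pays for
    # it, and allow no new borrows while the depeg breaker is tripped.
    if paused:
        borrowable_guarded = Decimal("0")
    else:
        borrowable_guarded = collateral_usr * min(HARDCODED_PRICE, market_price) * LTV
    return {
        "paused": paused,
        "borrowable_fixed": borrowable_fixed,
        "borrowable_guarded": borrowable_guarded,
        # Debt left in the vault beyond what the collateral would sell for.
        "bad_debt_if_fixed": max(Decimal("0"), borrowable_fixed - market_value),
    }

def scan(prices, collateral_usr="1000000"):
    """Assess a 1M USR position at each sampled market price."""
    return [(p, assess(p, collateral_usr)) for p in prices]

# Price points quoted in the article, arranged here as a constructed sample.
ARTICLE_PRICES = ["0.9996", "0.85", "0.50", "0.40", "0.025"]
```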

The Red Flag Nobody Flagged
USR's market cap dropped from approximately $400 million in early February to just $100 million weeks before the attack. A 75% capital contraction in six weeks, largely unexplained.
Analysts are now asking whether institutional investors or insiders were reducing exposure ahead of a structural failure. No conclusion can be drawn from the data alone, but the pattern is documented, and the market was signaling something nobody acted on.
Meanwhile: fourteen audits, half a million dollars in bug bounties, a $10 million raise from credible crypto funds, and a single EOA held the ability to mint unlimited unbacked stablecoins with no on-chain guard. Resolv's security surface wasn't in the code. It was in the assumption that the off-chain signer would never be compromised. The timing lands badly. U.S. lawmakers reached an agreement in principle