Resolv said attackers minted 80M USR and extracted about $25M in ETH before services were paused and access revoked.
Resolv has released new details about the March 22, 2026 security breach. The protocol said attackers minted 80 million USR through unauthorized transactions.
The minted tokens were then swapped into ETH through decentralized exchanges. Resolv said the total value taken was about $25 million.
Attack Began Outside Resolv’s Core Systems
Resolv said the attack started outside its direct infrastructure. A contractor had previously worked on a separate third-party project.
That project was later compromised, and a related GitHub credential was exposed. The attackers then used that credential to enter some Resolv repositories.
After gaining access, the attackers placed a harmful workflow inside the repository environment.
Resolv said the workflow stole credentials without triggering outbound traffic alerts.
The attackers later removed their own access from the repository. That step appears to have reduced traces after the initial intrusion.
The stolen credentials opened a path into Resolv’s cloud environment. From there, the attackers reviewed services and searched for more keys.
They also tried to gather access to third-party integrations. Resolv described the event as a multi-stage attack across several systems.
Signing Access Enabled the 80M USR Mint
The attackers’ goal was to gain signing authority for minting operations. Resolv said early attempts were blocked by existing access controls.
However, the attackers kept moving through the cloud system. They later found a route through a higher-level infrastructure role.
According to the report, that role could modify the key access policy. Once the policy changed, the attackers gained signing authority.
That gave them the ability to complete minting actions. The Counter contract was then used for the unauthorized transactions.
The first illicit mint took place at 02:21:35 UTC. Resolv said that the transaction created 50 million USR.
The attackers then began swapping the tokens into ETH across many wallets. A second mint followed at 03:41 UTC and created another 30 million USR.
Resolv said its monitoring system detected the first unusual transaction in real time. The team then started preparing a response across backend and on-chain systems.
Because the breach involved infrastructure access, the team needed to identify the route used. That review shaped the first containment steps.
Read Also:
Resolv Recovery and Security Review
The team halted backend services before pausing the smart contracts. At 05:16 UTC, the team paused all contracts with pause functions.
At 05:30 UTC, the security team revoked the compromised credentials across the cloud system. Resolv said logs showed attacker activity as late as 05:15 UTC.
After containment, the protocol began on-chain recovery actions. Resolv said about 46 million USR has been neutralized.
The protocol used direct burns and blacklist functions after the required timelock. The investigation into the remaining illicitly minted supply is still active.
Resolv is compensating pre-hack USR holders on a 1:1 basis. The team has already processed most eligible redemptions, while it continues handling the rest.
At the same time, most protocol operations remain paused until further notice. The company said it is prioritizing collateral safety and redemption processing.
The report said the breach was not caused by one isolated weakness. Instead, the attackers chained together smaller gaps across third parties and cloud permissions.
Resolv now plans on-chain mint caps and oracle price checks. It also plans automated pause systems and tighter GitHub access rules.
Source: https://www.livebitcoinnews.com/inside-resolvs-25m-crypto-breach-and-the-80m-usr-mint-attack/
