Resolv USR Stablecoin Exploit: $25M Stolen as DeFi Protocols Rush to Contain Damage

TLDR

• An attacker exploited Resolv’s USR minting contract, creating ~80 million unbacked tokens from just $200,000 in USDC
• The attacker converted the tokens into 11,409 ETH worth roughly $25 million
• USR crashed to $0.025 on Curve Finance before partially recovering to around $0.85
• Resolv paused all protocol functions; its collateral pool is said to be intact, but USR holders faced immediate losses from supply dilution
• DeFi protocols including Morpho, Lido, and Aave moved to clarify or limit their exposure

On Sunday, an attacker exploited a flaw in the minting contract of Resolv’s USR stablecoin, creating around 80 million unbacked tokens and walking away with roughly $25 million in Ether.

The attack started at approximately 2:21 a.m. UTC. The attacker deposited 100,000 USDC into Resolv’s USR Counter contract and received 50 million USR back — about 500 times more than expected. A second transaction minted another 30 million tokens.

The attacker then swapped the minted USR for USDC and USDT across decentralized exchanges, then converted everything into ETH. The attacker’s wallet holds 11,409 ETH, worth about $23.7 million at the time of publication.

USR, which is designed to hold a $1 peg, dropped to $0.025 on Curve Finance within 17 minutes of the first mint. It later recovered to around $0.85 but had not fully restored its peg by Sunday morning.

However, analysts noted that existing USR holders were still hurt. The 80 million new tokens diluted the supply, and the attacker’s selling wiped out pool liquidity. Anyone holding USR during the attack faced immediate losses.

Weak Access Controls Identified as Root Cause

Onchain analyst Andrew Hong attributed the breach to a privileged account called the SERVICE_ROLE. That account was controlled by a single externally owned account, not a multisig. The minting contract had no oracle checks, no amount validation, and no maximum mint limits.

Security firm Pashov, which audited Resolv’s staking module in July 2025, told Cointelegraph that the root cause appeared to be a private key compromise rather than a flaw in protocol design.

Resolv’s website lists 14 audit engagements from five firms, a $500,000 bug bounty on Immunefi, and continuous smart contract monitoring.

DeFi Protocols Move to Limit Exposure

Multiple DeFi platforms moved quickly after the exploit. Lido said user funds in Lido Earn were safe. Aave founder Stani Kulechov said the platform had no direct USR exposure and that Resolv was repaying its debt. Morpho co-founder Merlin Egalite said only certain vaults had exposure.

Cascading Risks in Lending Markets

USR and its staked version wstUSR were accepted as collateral on platforms including Morpho and Gauntlet. Analysts noted that traders may have bought USR at its discounted price and borrowed USDC against it at the $1 valuation, draining liquidity from those vaults.

Resolv’s junior insurance tranche, RLP, also faces potential losses. Stream Finance, which holds a 13.6 million RLP position worth roughly $17 million, could expose its depositors to further losses. Stream previously disclosed a $93 million loss in November 2025.

The RESOLV governance token fell about 8.5% in the 24 hours following the exploit.

The Resolv incident is part of a wider trend. An Immunefi report last week found the average crypto hack now costs about $25 million, with the top five exploits in 2024–2025 accounting for 62% of all stolen funds.

The post Resolv USR Stablecoin Exploit: $25M Stolen as DeFi Protocols Rush to Contain Damage appeared first on CoinCentral.