Resolv USR Stablecoin Depegs After Attacker Mints 80 Million Unbacked Tokens in Contract Exploit

CryptopulseElite

An attacker exploited a vulnerability in Resolv’s USR stablecoin minting contract on March 22, 2026, creating approximately 80 million unbacked tokens from roughly $200,000 in USDC and extracting an estimated $25 million, causing USR to crash to $0.025 on Curve before partially recovering to around $0.85.

The exploit stemmed from a privileged minting role controlled by a single externally owned account (EOA) without mint limits or oracle validation, allowing the attacker to mint 50 million USR in one transaction and 30 million in another. Resolv Labs paused all protocol functions following the incident and stated that its collateral pool “remains fully intact” with “no underlying assets” lost, though existing USR holders faced immediate losses from supply dilution.

The attacker converted the minted stablecoins into approximately 11,409 ETH (worth roughly $23.7 million) and holds an additional $1.1 million in wrapped USR tokens.

Attack Mechanics and Technical Vulnerabilities

Exploit Timeline

The attack began around 2:21 a.m. UTC on March 22, with the first transaction showing the attacker depositing 100,000 USDC into Resolv’s USR Counter contract and receiving 50 million USR in return—approximately 500 times the expected amount. A second transaction minted an additional 30 million USR. Within 17 minutes of the first mint, USR dropped to $0.025 on its most liquid Curve Finance pool.

Root Cause: Weak Access Controls

Onchain analyst Andrew Hong attributed the breach to the protocol’s SERVICE_ROLE, a privileged account that completes swap requests. Critical vulnerabilities included:

Single EOA control: The SERVICE_ROLE was controlled by a standard externally owned account rather than a multisignature wallet

No mint limits: The minting contract lacked maximum mint limits

No oracle validation: No oracle checks were implemented to verify pricing or collateral backing

Missing amount validation: No validation between mint requests and completions

DeFi fund D2 Finance outlined three possible explanations for the exploit: oracle manipulation, compromise of the off-chain signer, or absence of amount validation between mint request and completion.
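
The missing controls listed above can be shown in a simplified Python model of a two-step mint (request, then privileged completion). This is an added example, not Resolv's contract code; the class, method names, signer labels, tolerance and cap values are all hypothetical.

```python
from decimal import Decimal

class MintRejected(Exception):
    pass

class Minter:
    """Hypothetical model: a user requests a mint, a privileged role completes it."""

    def __init__(self, signers, threshold, usdc_usd=Decimal("1"),
                 tolerance=Decimal("0.005"), window_cap=Decimal("5000000")):
        self.signers, self.threshold = set(signers), threshold
        self.usdc_usd = usdc_usd        # oracle price (constructed constant here)
        self.tolerance = tolerance      # allowed deviation from the expected amount
        self.window_cap = window_cap    # max USR minted per rate-limit window
        self.window_minted = Decimal(0)
        self.requests = {}              # request_id -> USDC deposited
        self.supply = Decimal(0)

    def request(self, request_id, usdc_in):
        self.requests[request_id] = Decimal(usdc_in)

    def complete_unchecked(self, request_id, usr_out, approver):
        """Weak pattern: one key approves, and the amount is taken on trust."""
        if approver not in self.signers:
            raise MintRejected("not authorised")
        self.requests.pop(request_id)
        self.supply += Decimal(usr_out)
        return self.supply

    def complete_guarded(self, request_id, usr_out, approvers):
        """Hardened pattern: quorum, request/completion match, mint cap."""
        usr_out = Decimal(usr_out)
        if len(set(approvers) & self.signers) < self.threshold:
            raise MintRejected("approval quorum not met")
        if request_id not in self.requests:
            raise MintRejected("unknown or already completed request")
        expected = self.requests[request_id] * self.usdc_usd
        if abs(usr_out - expected) > expected * self.tolerance:
            raise MintRejected(f"amount {usr_out} deviates from expected {expected}")
        if self.window_minted + usr_out > self.window_cap:
            raise MintRejected("mint cap for this window exceeded")
        del self.requests[request_id]
        self.window_minted += usr_out
        self.supply += usr_out
        return self.supply
```

With the article's figures (100,000 USDC in, 50 million USR out), the unchecked path mints the full amount, while the guarded path rejects it at the amount check even when the approval quorum is satisfied.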

Security Post-Mortem Context

Resolv’s website touted 14 audit engagements from five firms, a $500,000 Immunefi bug bounty, and continuous smart contract monitoring. Despite these measures, the protocol remained vulnerable to what security experts describe as a “blind spot” in security coverage—sensitive keys and credentials that do not hold funds directly but can be used to access them.

Ido Sofer, CEO of key management firm Sodot, noted: “This ties in to a growing trend of attacks that are focusing on the blind spot of security teams - sensitive keys and credentials that do not hold the funds directly, but can be used to access the funds.”

Market Impact and User Losses

USR Price Collapse and Recovery

USR, a dollar-pegged stablecoin that uses a delta-neutral hedging strategy backed by ETH and BTC rather than fiat reserves, crashed to $0.025 on Curve within 17 minutes of the first mint. The token later recovered to approximately $0.85 but had not restored its peg as of Sunday morning.

Liquidity and Collateral Damage

The attack created 80 million new tokens, diluting existing supply. The attacker’s selling of minted USR for USDC, USDT, and ultimately ETH obliterated pool liquidity. Anyone holding USR at the time of the exploit faced immediate losses.

The depeg cascaded into DeFi lending markets. USR and its staked derivative wstUSR were accepted as collateral on platforms including Morpho and Gauntlet. Opportunistic traders reportedly bought USR at its discounted market price and borrowed USDC against it at the hardcoded $1 valuation, draining stablecoin liquidity from affected vaults.

RLP Insurance Layer Exposure

The damage may extend to Resolv’s junior tranche, the Resolv Liquidity Pool (RLP), which serves as an insurance layer absorbing losses to protect USR holders. YieldsAndMore noted that RLP had approximately $38.6 million in circulation at pre-exploit prices. The largest RLP holder is Stream Finance, the yield protocol that disclosed a $93 million loss in November 2025 after an external fund manager misappropriated assets. Stream holds a 13.6 million RLP position on Morpho representing approximately $17 million in net exposure, meaning its depositors could face another significant loss.

Protocol Background and Industry Context

Resolv Overview

Abu Dhabi-based Resolv raised a $10 million seed round in April 2025 led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, and Animoca Ventures. Incubated through Delphi Labs, the protocol offered yield through funding rate arbitrage and a dual-tranche system pairing USR with the risk-bearing RLP insurance layer.

Prior to the attack, USR’s market cap had already declined from approximately $400 million in early February to roughly $100 million. The RESOLV governance token fell approximately 8.5% following the exploit.

2026 DeFi Exploit Trends

The Resolv incident adds to a growing series of crypto exploits in early 2026:

January 2026: Truebit lost $26.6 million after an attacker targeted a vulnerability in a smart contract deployed five years ago

January 2026: Makina Finance lost roughly $5 million from a stablecoin pool after a flash loan oracle manipulation attack

An Immunefi report published last week found the average crypto hack now costs about $25 million, with the top five exploits in 2024-2025 accounting for 62% of all stolen funds.

Regulatory Context

The timing of the exploit coincides with active U.S. legislative debates on yield-bearing stablecoin regulation under the GENIUS Act. The American Bankers Association has warned that such products could draw deposits away from traditional banks, while key senators reached an “agreement in principle” on stablecoin yield treatment on March 20, 2026.

Frequently Asked Questions

How did the Resolv USR exploit work?

The attacker exploited a vulnerability in Resolv’s minting contract where a privileged role (SERVICE_ROLE) was controlled by a single externally owned account with no mint limits, oracle validation, or amount checks. The attacker deposited 100,000 USDC and received 50 million USR (500x the expected amount), then minted an additional 30 million USR in a second transaction, creating approximately 80 million unbacked tokens.

Did Resolv lose its collateral backing?

Resolv Labs stated that its collateral pool “remains fully intact” with “no underlying assets” lost. However, this assertion understates the damage because the attack took the form of supply inflation rather than direct theft of backing assets. The 80 million new tokens diluted existing USR supply, and the attacker’s selling obliterated pool liquidity, causing immediate losses for USR holders.

What was the total financial impact of the exploit?

The attacker extracted approximately $25 million, converting minted USR into 11,409 ETH (worth roughly $23.7 million) and holding an additional $1.1 million in wrapped USR tokens. USR holders faced losses from supply dilution, and DeFi lending platforms accepting USR as collateral experienced liquidity drains as traders exploited the depeg to borrow against inflated valuations.
