Key Points
- A security breach in Resolv’s USR minting contract enabled creation of approximately 80 million unbacked tokens using only $200,000 in USDC
- The exploiter successfully extracted 11,409 ETH valued at roughly $25 million
- USR value plummeted to $0.025 on Curve Finance before climbing back to approximately $0.85
- Resolv suspended all protocol operations; the team reports that the collateral pool remains secure, though USR token holders experienced losses due to supply inflation
- Major DeFi platforms including Morpho, Lido, and Aave issued statements regarding their involvement
A security vulnerability in Resolv’s USR stablecoin minting contract enabled an exploiter to generate approximately 80 million unbacked tokens this Sunday, resulting in the extraction of roughly $25 million worth of Ether.
The breach commenced around 2:21 a.m. UTC. The exploiter initiated the attack by depositing 100,000 USDC into Resolv’s USR Counter contract, receiving 50 million USR in return — approximately 500 times the anticipated amount. A follow-up transaction generated an additional 30 million tokens.
Following the minting process, the exploiter exchanged the newly created USR for USDC and USDT through decentralized exchanges, subsequently converting these assets into ETH. The exploiter’s wallet currently contains 11,409 ETH, valued at approximately $23.7 million at press time.
USR, engineered to maintain a $1 valuation, collapsed to $0.025 on Curve Finance just 17 minutes after the initial minting transaction. The token subsequently climbed to around $0.85 by Sunday morning, remaining below its intended peg.
Resolv Labs announced via X that all protocol functions had been suspended. The development team confirmed that the collateral pool “remains fully intact” with “no underlying assets” compromised. The vulnerability was characterized as “isolated to USR issuance mechanics.”
Analysts observed that current USR holders sustained losses despite the preserved collateral. The creation of 80 million additional tokens inflated the supply, while the exploiter’s sales depleted pool liquidity. All individuals holding USR during the attack experienced immediate value erosion.
Inadequate Access Controls Pinpointed as Primary Vulnerability
Blockchain analyst Andrew Hong traced the breach to a privileged account designated SERVICE_ROLE. This account operated under the control of a single externally owned account rather than a multisignature wallet. The minting contract lacked oracle verification, amount validation mechanisms, and maximum mint restrictions.
Security firm Pashov, which conducted an audit of Resolv’s staking module in July 2025, informed Cointelegraph that the underlying cause appeared to involve private key compromise rather than inherent protocol design weaknesses.
Cyvers CEO Deddy Lavid stated: “Audits alone are not enough. If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
Resolv’s official website documents 14 audit engagements conducted by five security firms, a $500,000 bug bounty program hosted on Immunefi, and ongoing smart contract surveillance.
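The missing amount validation and mint caps described above, and the real-time mint monitoring Lavid calls for, can be expressed as a check over a stream of mint events. This is an added example, not Resolv's or Cyvers' code; the thresholds, the MintEvent fields and the sample stream are assumptions, with only the 100,000 USDC to 50 million USR mint and the 30 million follow-up taken from the article.

```python
from collections import deque
from dataclasses import dataclass
from decimal import Decimal

# Policy thresholds: assumed values for illustration, not Resolv parameters.
MAX_RATIO_DEVIATION = Decimal("0.01")      # minted per $1 of collateral may drift 1% from 1.0
MAX_MINT_PER_TX = Decimal("5000000")       # hard ceiling for a single mint
MAX_MINT_PER_WINDOW = Decimal("10000000")  # ceiling for all mints inside the window
WINDOW_SECONDS = 3600

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # seconds since start of capture
    collateral_usd: Decimal  # deposit valued by an independent price source
    minted: Decimal          # stablecoin units issued

def check_mints(events):
    """Return [(event, [reasons])] for every mint that breaks a rule."""
    alerts, window, window_total = [], deque(), Decimal(0)
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        # Rule 1: amount validation, minted units must track collateral value.
        if ev.collateral_usd <= 0 or abs(ev.minted / ev.collateral_usd - 1) > MAX_RATIO_DEVIATION:
            reasons.append("ratio")
        # Rule 2: per-transaction mint cap.
        if ev.minted > MAX_MINT_PER_TX:
            reasons.append("tx-cap")
        # Rule 3: rolling supply-growth cap; expire mints older than the window.
        while window and ev.ts - window[0][0] >= WINDOW_SECONDS:
            window_total -= window.popleft()[1]
        window.append((ev.ts, ev.minted))
        window_total += ev.minted
        if window_total > MAX_MINT_PER_WINDOW:
            reasons.append("window-cap")
        if reasons:
            alerts.append((ev, reasons))
    return alerts

# Constructed sample stream. The 100,000 -> 50 million mint and the 30 million
# follow-up come from the article; timestamps and other values are assumptions.
SAMPLE = [
    MintEvent(0, Decimal("250000"), Decimal("250000")),       # ordinary mint
    MintEvent(600, Decimal("100000"), Decimal("50000000")),   # first exploit mint
    MintEvent(900, Decimal("100000"), Decimal("30000000")),   # follow-up (deposit assumed)
    MintEvent(9000, Decimal("4000000"), Decimal("4000000")),  # ordinary mint after window
]

if __name__ == "__main__":
    print([(ev.ts, reasons) for ev, reasons in check_mints(SAMPLE)])
```

The same three rules enforced inside the mint path would reject the transaction rather than alert on it; run off-chain, they only shorten the time to a pause.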
DeFi Platforms Act to Manage Risk Exposure
Several DeFi protocols responded promptly following the exploit. Lido confirmed that user funds within Lido Earn remained secure. Aave founder Stani Kulechov clarified that the platform maintained no direct USR exposure and that Resolv was in the process of repaying obligations. Morpho co-founder Merlin Egalite indicated that exposure existed only within specific vaults.
Secondary Effects on Lending Platforms
USR and its staked variant wstUSR served as accepted collateral across platforms including Morpho and Gauntlet. Analysts highlighted that market participants may have purchased USR at depressed prices and borrowed USDC against it using the $1 valuation, depleting available liquidity from affected vaults.
Resolv’s junior insurance tranche, RLP, confronts potential financial impacts. Stream Finance, maintaining a 13.6 million RLP position valued at roughly $17 million, could subject its depositors to additional losses. Stream previously reported a $93 million loss in November 2025.
The RESOLV governance token declined approximately 8.5% during the 24 hours after the breach.
The Resolv breach reflects broader industry patterns. An Immunefi report released last week revealed that the average cryptocurrency security breach now costs approximately $25 million, with the five largest exploits during 2024–2025 representing 62% of total stolen funds.

