Resolv Labs Hack: How a Compromised Key Drained $25 Million and Crashed the USR Stablecoin
Resolv Labs lost $25M after an attacker exploited a stolen key to mint 80 million unbacked stablecoins. USR crashed 97% in 17 minutes. Here's what we know so far.
Quick Insights
- The attacker compromised an off-chain private key, not a smart contract. That key controlled how much USR could be minted, and the contract had no max limit, no oracle, and no collateral check.
- USR crashed 97.5% within 17 minutes. Resolv now holds $95M in assets against $173M in liabilities. It is functionally insolvent.
- The stolen 11,409 ETH (roughly $23.7M) is still sitting in one wallet. It has not been moved to mixers or bridges, which gives forensics teams a shrinking window to act.
$200K In, $25M Out, All in Under Two Hours
Early on Sunday, March 22, an attacker broke into Resolv Labs' off-chain minting infrastructure. Within minutes, they turned a deposit of roughly $100,000 to $200,000 in USDC into approximately 80 million unbacked USR stablecoins. Those tokens were quickly swapped into ETH, netting the attacker around $25 million before the team could respond.
USR is supposed to hold a $1 peg. It uses a delta-neutral hedging strategy backed by ETH and BTC. That peg collapsed almost instantly. Within 17 minutes of the first fake mint, USR hit $0.025 on Curve Finance. It has since bounced between $0.14 and $0.42, but remains far from $1.
Timeline: First Mint to Protocol Shutdown
No Smart Contract Bug. A Stolen Key With No Limits.
Chainalysis published a detailed post-mortem. The core issue: Resolv's minting process relied on an off-chain service that used a privileged private key (called the "SERVICE_ROLE") to approve how much USR to create. The smart contract checked that the key's signature was valid. But it did not check how much USR was being minted. No maximum. No oracle. No collateral ratio.
The attacker got hold of that key, reportedly by compromising Resolv's AWS KMS setup. Once they had it, the contract did exactly what it was told. A $100,000 deposit requesting 50 million USR sailed through because the contract simply had no rule to stop it.
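A minimal model of the check described above, as an added example that is not Resolv's contract code: an HMAC stands in for the SERVICE_ROLE signature, and the key, per-request cap and collateral ratio are constructed, hypothetical values. It puts a mint path where a valid signature is sufficient beside one that also enforces limits the key holder cannot override.

```python
import hashlib
import hmac

SERVICE_KEY = b"constructed-demo-key"  # stand-in for the SERVICE_ROLE key (constructed)
MAX_MINT_PER_REQUEST = 1_000_000       # hypothetical per-request cap, in USR
MIN_COLLATERAL_RATIO = 1.0             # hypothetical: $1 of collateral per USR minted


def sign(deposit_usdc: int, mint_usr: int, key: bytes = SERVICE_KEY) -> str:
    """Off-chain service: approve a mint amount for a given deposit."""
    msg = f"{deposit_usdc}:{mint_usr}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _signature_ok(deposit_usdc: int, mint_usr: int, sig: str) -> bool:
    return hmac.compare_digest(sign(deposit_usdc, mint_usr), sig)


def mint_signature_only(deposit_usdc: int, mint_usr: int, sig: str) -> int:
    """Behaviour the article describes: a valid signature is all that is checked."""
    if not _signature_ok(deposit_usdc, mint_usr, sig):
        raise PermissionError("bad signature")
    return mint_usr


def mint_with_invariants(deposit_usdc: int, mint_usr: int, sig: str,
                         usdc_price: float = 1.0) -> int:
    """Same signature check, plus a maximum and a collateral check.

    usdc_price models an oracle reading (assumed 1.0 here).
    """
    if not _signature_ok(deposit_usdc, mint_usr, sig):
        raise PermissionError("bad signature")
    if mint_usr > MAX_MINT_PER_REQUEST:
        raise ValueError("exceeds per-request mint cap")
    if deposit_usdc * usdc_price < mint_usr * MIN_COLLATERAL_RATIO:
        raise ValueError("insufficient collateral for requested mint")
    return mint_usr


def try_mint(mint_fn, deposit_usdc: int, mint_usr: int):
    """Whoever holds the key can produce a valid signature for any amount."""
    sig = sign(deposit_usdc, mint_usr)
    try:
        return mint_fn(deposit_usdc, mint_usr, sig)
    except (PermissionError, ValueError) as exc:
        return str(exc)
```

With the figures from the article, a $100,000 deposit requesting 50 million USR passes the signature-only path and is rejected by the second one even though the signature is valid.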
Pashov, the security firm that audited Resolv's staking module in July 2025, confirmed the root cause was a key compromise, not a protocol design flaw. But they were blunt: operational security across DeFi is still not good enough.
11,409 ETH in One Wallet. No Movement Yet.
On-chain data shows the attacker holds 11,409 ETH, worth about $23.7 million, in a single wallet. A separate wallet holds roughly $1.1 million in wrapped USR. None of it has been moved to mixers or bridges so far.
That is a meaningful detail. It means law enforcement and on-chain forensics teams still have a chance to freeze or trace the funds. But that window is closing.
Resolv confirmed it is working with law enforcement and Chainalysis on recovery.
Who Got Hit: Aave, Lido, Morpho, and Others Respond
Several major DeFi platforms had accepted USR or related tokens as collateral. All of them moved fast to assess their exposure and reassure users.
| Protocol | Exposure | Status |
|---|---|---|
| Aave | No direct USR exposure. Resolv is actively repaying outstanding debt. | Safe |
| Lido | Lido Earn user funds confirmed secure and unaffected. | Safe |
| Morpho | About 15 of 500+ vaults had meaningful USR exposure. Lower-risk prime vaults were unaffected. | Partial |
| Fluid | Will cover all pre-hack USR positions. Multiple investors have offered to buy treasury tokens if more capital is needed. | Partial |
| Gauntlet | Still in talks with Resolv. Working on a compensation plan. | Ongoing |
Resolv Burns $9M in USR, Starts Redemptions
Resolv says the underlying collateral pool is "fully intact" and that no backing assets were lost. The problem was isolated to the token minting mechanism.
So far, the team has burned $9 million in USR to reduce the supply of exploited tokens. All protocol operations are paused. Redemptions for pre-hack holders have started. Law enforcement and blockchain forensics firms are involved.
Resolv told users not to trade USR while recovery is underway. They warned that trading activity during this period "may affect the recovery."
USR is currently around $0.27 to $0.42. The protocol holds $95 million in assets against $173 million in liabilities. Restoring the peg will depend on how much of the stolen ETH can be recovered and whether Resolv can restructure what it owes.
Q1 2026 DeFi Losses Now Total $137M
Resolv is not an isolated case. Blockchain researcher CipherResearchx has tallied $137 million in DeFi losses across 15 exploits in Q1 2026 alone. That already exceeds the full Q1 of 2025.
The biggest hits this year: Step Finance ($27.3M), Truebit ($26.2M), Resolv ($25M+), and SwapNet ($13.4M).
The timing is notable. Just days ago, the SEC and CFTC classified 16 crypto assets as digital commodities, a move the industry had been waiting years for. But exploits like this hand regulators a clear argument for stricter DeFi oversight. The SEC also faces a March 27 deadline on 91 spot crypto ETF applications, now just four days away.
What Comes Next
Four questions will define the coming days. Can law enforcement freeze the 11,409 ETH before it gets laundered? Can Resolv restore the USR peg, or will it need to wind down? How fast can Morpho, Fluid, and Gauntlet make their affected users whole? And does this push regulators to act on DeFi operational security sooner than expected?
This is a developing story. We will update as new information comes in.