Resolv Labs USR Exploit: How a Compromised Key Printed $25 Million in Unbacked Stablecoins

By Sam Watson

On March 22, 2026, an attacker exploited a critical flaw in Resolv Labs’ stablecoin minting contract to print 80 million unbacked USR tokens using roughly $100,000 in collateral, then cashed out approximately $25 million in ETH before the protocol paused. USR, designed to hold a $1 peg, crashed to below 3 cents within hours of the attack.

As of March 24, USR was trading near $0.27. Resolv Labs has paused the protocol and is coordinating with law enforcement and onchain analytics firms to trace the stolen funds.

How the Attacker Got In

The attacker’s entry point was Resolv’s AWS Key Management Service environment, where the protocol’s privileged signing key was stored. According to a postmortem published by Chainalysis on March 23, gaining control of that KMS environment gave the attacker the ability to authorize minting operations directly, without interacting with any frontend or oracle system.

The exploit did not require a flash loan. It did not depend on a reentrancy bug. It was a direct abuse of a privileged key: the attacker called the minting contract with legitimate credentials they should not have held.

The Math of the Attack

The attacker deposited 100,000 USDC into Resolv’s swap contract and received 50 million USR in return. That is 500 times the correct exchange rate. A second transaction brought the total unbacked USR minted to approximately 80 million tokens.

Nothing in the contract flagged this as abnormal. There were no checks on the output-to-input ratio, no oracle verifying that the deposit was sufficient collateral, and no maximum mint limit that would cap how many tokens could be issued in a single transaction.

Three Security Failures That Made It Possible

Chainalysis identified three structural design failures in their postmortem published on March 23:

Single key, no multisig. The SERVICE_ROLE account, which holds authority to complete swap requests in the minting contract, was controlled by a single externally owned account. Standard practice for privileged minting roles in DeFi requires a multisig arrangement requiring two or more separate signers to approve each transaction. Resolv did not implement this.

No oracle or ratio validation. The contract lacked any logic to verify whether the amount of USR being issued matched the value of collateral being deposited. A basic sanity check comparing deposit value to output amount would have rejected this transaction immediately at the contract level.

No maximum mint cap. There was no limit on how many tokens could be minted in a single transaction or within a time window. Circuit breakers of this kind are considered a basic DeFi security primitive. Protocols carrying this much liquidity are expected to implement them.
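To make the three missing controls concrete, here is an added illustration (not Resolv's contract and not code from the Chainalysis postmortem): a minimal Python model of a collateral-backed swap/mint flow. It places the unchecked completion path, where a single SERVICE_ROLE key mints whatever amount it is handed, beside one that requires two of three signers, validates the requested output against an oracle price for the deposit, and enforces per-transaction and rolling-window mint caps. The addresses, signer set, caps, window length, tolerance and oracle price convention are all constructed values; only the 100,000 USDC in and 50 million USR out come from the article.

```python
"""Added illustration, not Resolv's contract: a minimal model of a
collateral-backed swap/mint flow, with the unchecked completion path beside
one that enforces multisig approval, ratio validation and mint caps.
Addresses, caps, window and oracle price convention are constructed."""
from collections import deque
from dataclasses import dataclass

USDC_DECIMALS = 6
USR_DECIMALS = 18
SCALE = 10 ** (USR_DECIMALS - USDC_DECIMALS)   # 6-dec USDC -> 18-dec USR
PRICE_SCALE = 10 ** 8                          # oracle price, 8 decimals (assumed)


@dataclass(frozen=True)
class SwapRequest:
    depositor: str
    usdc_in: int   # raw USDC units deposited
    usr_out: int   # raw USR units the service asks the contract to mint


class MintRejected(Exception):
    pass


class UncheckedMinter:
    """The failure pattern the article describes: one SERVICE_ROLE key
    completes requests and the contract mints whatever amount it is told."""

    def __init__(self, service_key):
        self.service_key = service_key
        self.total_supply = 0

    def complete(self, req, signer):
        if signer != self.service_key:
            raise PermissionError("caller lacks SERVICE_ROLE")
        self.total_supply += req.usr_out          # no ratio, oracle or cap check
        return req.usr_out


class CheckedMinter:
    """Same flow with M-of-N approval, oracle-based ratio validation, and
    per-transaction plus rolling-window mint caps."""

    def __init__(self, signers, threshold, max_per_tx, max_per_window,
                 window_blocks, tolerance_bps=100):
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.max_per_tx = max_per_tx
        self.max_per_window = max_per_window
        self.window_blocks = window_blocks
        self.tolerance_bps = tolerance_bps
        self.total_supply = 0
        self._recent = deque()                    # (block, amount) of recent mints

    @staticmethod
    def expected_out(usdc_in, usdc_price):
        # USR owed for the deposit at the oracle price, in raw USR units
        return usdc_in * usdc_price * SCALE // PRICE_SCALE

    def _minted_in_window(self, block):
        while self._recent and self._recent[0][0] <= block - self.window_blocks:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def complete(self, req, approvals, usdc_price, block):
        valid = {s for s in approvals if s in self.signers}
        if len(valid) < self.threshold:
            raise MintRejected(f"need {self.threshold} signers, got {len(valid)}")
        ceiling = (self.expected_out(req.usdc_in, usdc_price)
                   * (10_000 + self.tolerance_bps) // 10_000)
        if req.usr_out > ceiling:
            raise MintRejected(f"output {req.usr_out} exceeds collateral value {ceiling}")
        if req.usr_out > self.max_per_tx:
            raise MintRejected("per-transaction mint cap exceeded")
        if self._minted_in_window(block) + req.usr_out > self.max_per_window:
            raise MintRejected("rolling-window mint cap exceeded")
        self._recent.append((block, req.usr_out))
        self.total_supply += req.usr_out
        return req.usr_out


def replay():
    """Replays the article's figures (100,000 USDC in, 50 million USR requested)
    against both minters; returns what each minted and why the checked one refused."""
    usdc = 100_000 * 10 ** USDC_DECIMALS
    attack = SwapRequest("0xattacker", usdc, 50_000_000 * 10 ** USR_DECIMALS)
    honest = SwapRequest("0xdepositor", usdc, 100_000 * 10 ** USR_DECIMALS)

    weak = UncheckedMinter(service_key="0xservice")
    weak_minted = weak.complete(attack, signer="0xservice")   # the key alone suffices

    strong = CheckedMinter(signers=["0xa", "0xb", "0xc"], threshold=2,
                           max_per_tx=1_000_000 * 10 ** USR_DECIMALS,
                           max_per_window=5_000_000 * 10 ** USR_DECIMALS,
                           window_blocks=7_200)
    honest_minted = strong.complete(honest, ["0xa", "0xb"], PRICE_SCALE, block=100)
    try:
        strong.complete(attack, ["0xa", "0xb"], PRICE_SCALE, block=101)
        refusal = None
    except MintRejected as exc:
        refusal = str(exc)
    return weak_minted, honest_minted, refusal


if __name__ == "__main__":
    minted, ok, why = replay()
    print(f"unchecked minter issued {minted / 10**USR_DECIMALS:,.0f} USR")
    print(f"checked minter issued {ok / 10**USR_DECIMALS:,.0f} USR, then refused: {why}")
```

The ratio check is the one that stops the replayed transaction: at the oracle price the deposit is worth 100,000 USR, so a request for 50 million is rejected before the caps are even consulted. The caps matter for the case the oracle check cannot catch, a compromised or mispriced feed, which is why they are kept as an independent layer.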

The Cash Out Route

After minting the unbacked USR, the attacker converted it into wstUSR, the staked version of the token. This is slightly less liquid than USR and adds a conversion step between the mint and a visible cash out. The attacker then gradually swapped the wstUSR into other stablecoins before converting into ETH, extracting approximately $25 million across multiple transactions.

The multistep conversion path appears designed to slow detection and complicate onchain tracing. Resolv confirmed it has engaged onchain analytics firms alongside law enforcement, though no recovery has been announced as of this writing.
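The tracing work the article attributes to Resolv's analytics partners rests on following value through exactly this kind of wrap-and-swap chain. As an added illustration (not Chainalysis's tooling and not data from the incident), the block below runs a small taint tracer over a constructed transfer log: a transfer from a tainted address taints its recipient, and value sent into a wrapper or pool contract taints whatever that contract sends back out within the same transaction, so the chain can be followed from the mint through wstUSR and other stablecoins until it leaves as ETH. Every address, transaction id, token amount and the set of contract addresses is made up; the token sequence mirrors the route described above.

```python
"""Added illustration, not Chainalysis's tooling: a small taint tracer over a
constructed transfer log, following minted tokens through wrap and swap hops
until they exit as ETH. Every address, tx id and amount is made up."""
from collections import defaultdict

# Constructed intermediary contracts: the minter, the wstUSR wrapper, liquidity pools.
CONTRACTS = {"0xminter", "0xwstusr", "0xpoolA", "0xpoolB", "0xpoolC"}

# Constructed transfer log: (tx, from, to, token, amount), in execution order.
# A wrap or swap appears as a transfer into a contract and one back out in the same tx.
TRANSFERS = [
    ("t1", "0xminter", "0xatk1",   "USR",    80_000_000),   # the unbacked mint
    ("t2", "0xatk1",   "0xwstusr", "USR",    80_000_000),   # wrap to wstUSR
    ("t2", "0xwstusr", "0xatk1",   "wstUSR", 72_000_000),
    ("t3", "0xatk1",   "0xpoolA",  "wstUSR", 30_000_000),   # swap to a stablecoin
    ("t3", "0xpoolA",  "0xatk1",   "USDT",   12_000_000),
    ("t4", "0xatk1",   "0xpoolB",  "USDT",   12_000_000),   # stablecoin to ETH
    ("t4", "0xpoolB",  "0xatk2",   "ETH",          4_000),
    ("t5", "0xatk1",   "0xpoolA",  "wstUSR", 25_000_000),
    ("t5", "0xpoolA",  "0xatk1",   "DAI",    11_000_000),
    ("t6", "0xatk1",   "0xpoolC",  "DAI",    11_000_000),
    ("t6", "0xpoolC",  "0xatk3",   "ETH",          3_700),
    ("t7", "0xuser",   "0xpoolB",  "USDT",    1_000_000),   # unrelated user, must stay clean
    ("t7", "0xpoolB",  "0xuser",   "ETH",            330),
]


def trace(transfers, origin, contracts):
    """Propagate taint from `origin` through the log.

    A transfer from a tainted EOA taints its recipient; value sent into a
    contract taints that contract's outgoing transfers for the rest of the
    same transaction only, so pools are not marked dirty for other users.
    Returns (tainted EOAs, hops followed, total ETH landing on tainted EOAs).
    """
    by_tx = defaultdict(list)
    for row in transfers:
        by_tx[row[0]].append(row)

    tainted = {origin}
    hops = []
    eth_out = 0
    for tx, rows in by_tx.items():
        live = set()          # contracts holding tainted value inside this tx
        for _, frm, to, token, amount in rows:
            if frm not in tainted and frm not in live:
                continue
            hops.append((tx, frm, to, token, amount))
            if to in contracts:
                live.add(to)
            else:
                tainted.add(to)
                if token == "ETH":
                    eth_out += amount
    return tainted, hops, eth_out


def exit_route(hops, origin):
    """Token sequence the origin address sent out, i.e. the conversion path."""
    return [token for _, frm, _, token, _ in hops if frm == origin]


if __name__ == "__main__":
    tainted, hops, eth = trace(TRANSFERS, "0xatk1", CONTRACTS)
    print("route:", " -> ".join(exit_route(hops, "0xatk1")))
    print("tainted EOAs:", sorted(tainted))
    print(f"ETH reaching tainted addresses: {eth:,}")
```

Resetting the `live` set per transaction is the design choice that matters: it lets the tracer follow value through shared pools without flagging every later pool user, which is the usual false-positive source when taint is propagated by address alone. Splitting the exit across fresh addresses (`0xatk2`, `0xatk3` here) does not defeat it, since each receives ETH from a contract that was live within a tainted transaction.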

Where USR Stands Now

USR crashed to roughly 2 cents at the lowest point of the attack on March 22. By March 23, Resolv Labs announced it would restore redemptions to users who held USR at pre-incident balances, offering what amounts to a compensation program intended to be funded from the protocol’s insurance module.

Whether the protocol can fully backstop $25 million in losses from its insurance reserves remains unclear. Resolv has not published the current size of its insurance fund or disclosed how much of the stolen ETH has been recovered.

The Broader DeFi Security Picture in 2026

The Resolv exploit is not an isolated incident. DeFi protocols have lost $137 million across 15 separate incidents since January 2026, according to data compiled by blockchain researcher CipherResearchx. That figure already surpasses the $106.8 million lost to DeFi exploits across all of Q1 2025.

The four largest incidents of 2026 so far:

  • Step Finance: $27.3 million
  • Truebit: $26.2 million
  • Resolv: approximately $25 million
  • SwapNet: $13.4 million

Every one of these exploits followed a common pattern: a privileged key or administrative function with insufficient access controls, no runtime validation of critical parameters, and no circuit breaker to limit damage once an attack began. These are not novel attack vectors. They appear in every major DeFi security audit template.

The question the industry has not answered convincingly is why protocols handling hundreds of millions of dollars continue to ship without addressing them.

Sam Watson is a senior writer at The Central Bulletin covering Bitcoin, macroeconomics, and the geopolitics of digital assets. With over six years writing about financial technology, Sam focuses on the forces driving institutional adoption of crypto — from sovereign wealth funds to central bank digital currencies. His work has been cited by analysts at leading investment firms and he brings a data-first approach to every story.