TL;DR:
- Resolv suffered an exploit that allowed the minting of 80 million USR tokens without backing, draining around $23 million in Ethereum from the protocol.
- The attacker compromised private keys from the key management system in AWS and bypassed oracle controls and maximum minting limits.
- The USR token lost more than 80% of its value, and at least 15 vaults on Morpho with exposure to the asset recorded considerable losses.
On Sunday, March 23, 2026, Resolv suffered one of the most significant exploits of the year in the DeFi ecosystem. An attacker exploited a flaw in the minting system of the protocol’s native stablecoin, USR, to generate 80 million tokens without real collateral backing. The operation allowed them to drain roughly $23 million in Ethereum before the team could suspend mint and redemption functions.
The attack vector did not reside in the delta-neutral logic that underpins USR’s design, but in the compromise of private keys from the key management service hosted on Amazon Web Services. According to Chainalysis, the attacker used between $100,000 and $200,000 in collateral to generate the tokens, implying a fraudulent issuance ratio of up to 500 times the legitimate amount. The minting contract lacked oracle verification and maximum issuance limits, which facilitated the operation.
Resolv: A Cascading Impact Nobody Could Contain
The USR token, designed to maintain parity with the dollar, crashed to $0.02 within minutes of the first anomalous mint. Although it partially recovered ground, it continued trading well below its peg for hours. The RESOLV governance token fell 8.5% in 24 hours.
The damage spread quickly to interconnected protocols. Morpho, which operates under a curator model that manages vaults with their own parameters, received one of the hardest blows. At least 15 vaults with more than $10,000 in liquidity recorded direct losses from exposure to USR or related assets. Curators Gauntlet, Re7 Labs, kpk, and 9summits operated pools with that exposure. In some cases, automated liquidity provision systems remained active for hours after the exploit, compounding the damage. Merlin Egalite, co-founder of Morpho, clarified that the base protocol’s contracts presented no vulnerabilities.


Lido confirmed that funds in Lido Earn were not affected. Stani Kulechov, founder of Aave, noted that the protocol had no direct exposure to USR. Deddy Lavid, CEO of Cyvers, delivered a pointed remark about the incident: “If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
The Resolv exploit illustrates that fourteen audits and a $500,000 bug bounty program on Immunefi prove insufficient if the operational management of private keys and controls over privileged roles are not held to the same standard.
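The two controls the article says were missing from the minting path (a check of minted amount against oracle-priced collateral, and a maximum issuance limit) can also run off-chain as a real-time monitor of the kind Lavid describes. The sketch below is an added example, not Resolv's or Cyvers' code; the event fields, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # unix seconds (constructed)
    tx: str                  # constructed label, not a real transaction hash
    collateral_usd: Decimal  # oracle-priced value of the deposited collateral
    minted: Decimal          # stablecoin units minted, target price $1 each

# Assumed policy values, chosen for illustration only.
MAX_RATIO = Decimal("1.01")       # minted / collateral tolerance
WINDOW_SECONDS = 3600             # rolling issuance window
WINDOW_CAP = Decimal("5000000")   # maximum units mintable per window

def check_mints(events):
    """Return (tx, reason) alerts for unbacked mints and issuance-cap breaches."""
    alerts = []
    window = []  # (ts, minted) pairs still inside the rolling window
    for ev in sorted(events, key=lambda e: e.ts):
        # Control 1: every mint must be backed by priced collateral.
        if ev.collateral_usd <= 0:
            alerts.append((ev.tx, "no-collateral"))
        elif ev.minted / ev.collateral_usd > MAX_RATIO:
            alerts.append((ev.tx, "unbacked-mint"))
        # Control 2: total issuance in the rolling window must stay under the cap,
        # which still fires if the signer key itself is compromised.
        window = [(t, m) for t, m in window if ev.ts - t < WINDOW_SECONDS]
        window.append((ev.ts, ev.minted))
        if sum(m for _, m in window) > WINDOW_CAP:
            alerts.append((ev.tx, "window-cap-exceeded"))
    return alerts

# Constructed sample: two normal mints around two mints far above their collateral.
SAMPLE_EVENTS = [
    MintEvent(1000, "tx-a", Decimal("250000"), Decimal("250000")),
    MintEvent(1600, "tx-b", Decimal("100000"), Decimal("50000000")),
    MintEvent(2200, "tx-c", Decimal("100000"), Decimal("30000000")),
    MintEvent(9000, "tx-d", Decimal("4000000"), Decimal("4000000")),
]

if __name__ == "__main__":
    for tx, reason in check_mints(SAMPLE_EVENTS):
        print(f"ALERT {tx}: {reason}")
```

The same two conditions enforced inside the mint function would reject the transaction rather than alert on it; as a monitor, they give the team a signal to pause minting and let downstream integrators halt automated exposure.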

