Resolv Labs Hit by Exploit That Flooded Market With Unbacked USR, Deepening DeFi Fallout

23-Mar-2026 Crypto Economy

TL;DR:

  • Resolv suffered an exploit that allowed minting 80 million USR tokens without backing, draining around $23 million in Ethereum from the protocol.
  • The attacker compromised private keys from the key management system in AWS and bypassed oracle controls and maximum minting limits.
  • The USR token lost more than 80% of its value and at least 15 vaults on Morpho with exposure to the asset recorded considerable losses.

On Sunday, March 23, 2026, Resolv suffered one of the most significant exploits of the year in the DeFi ecosystem. An attacker exploited a flaw in the minting system of the protocol’s native stablecoin, USR, to generate 80 million tokens without real collateral backing. The operation allowed them to drain approximately $23 million in Ethereum before the team could suspend mint and redemption functions.

The attack vector did not reside in the delta-neutral logic that underpins USR’s design, but in the compromise of private keys from the key management service hosted on Amazon Web Services. According to Chainalysis, the attacker used between $100,000 and $200,000 in collateral to generate the tokens, implying a fraudulent issuance ratio of up to 500 times the legitimate amount. The minting contract lacked oracle verification and maximum issuance limits, which facilitated the operation.

Resolv: A Cascading Impact Nobody Could Contain

The USR token, designed to maintain parity with the dollar, crashed to $0.02 within minutes of the first anomalous mint. Although it partially recovered ground, it continued trading well below its peg for hours. The RESOLV governance token fell 8.5% in 24 hours.

The damage spread rapidly to interconnected protocols. Morpho, which operates under a curator model in which curators manage vaults with their own parameters, received one of the hardest blows. At least 15 vaults with more than $10,000 in liquidity recorded direct losses from exposure to USR or related assets. Curators Gauntlet, Re7 Labs, kpk, and 9summits operated pools with that exposure. In some cases, automated liquidity provision systems remained active for hours after the exploit, compounding the damage. Merlin Egalite, co-founder of Morpho, clarified that the base protocol’s contracts presented no vulnerabilities.

Lido confirmed that funds in Lido Earn were not affected. Stani Kulechov, founder of Aave, noted that the protocol had no direct exposure to USR. Deddy Lavid, CEO of Cyvers, delivered a pointed remark about the incident: “If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
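The two controls the minting contract reportedly lacked (a check of issuance against oracle-priced collateral, and a maximum issuance limit) can also be enforced off-chain as a monitor over mint events, which is the kind of real-time supply monitoring the quote above refers to. The following is an added example, not code from Resolv or any party named in the article; the event fields, thresholds, alert names and sample values are all assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # block timestamp, unix seconds
    tx: str                  # constructed placeholder id, not a real hash
    collateral_usd: Decimal  # deposit valued at an independent oracle price
    minted: Decimal          # stablecoin units issued by this call

class MintMonitor:
    """Flags mints that exceed a collateral ratio or a rolling issuance cap."""
    def __init__(self, max_ratio, window_cap, window_secs):
        self.max_ratio, self.window_cap, self.window_secs = max_ratio, window_cap, window_secs
        self._recent = deque()          # (ts, minted) pairs inside the window
        self._window_total = Decimal(0)

    def check(self, ev):
        alerts = []
        # Drop mints that have aged out of the rolling window.
        while self._recent and self._recent[0][0] <= ev.ts - self.window_secs:
            self._window_total -= self._recent.popleft()[1]
        # Control 1: issuance must be justified by oracle-priced collateral.
        if ev.collateral_usd <= 0 or ev.minted / ev.collateral_usd > self.max_ratio:
            alerts.append("UNBACKED_MINT")
        # Control 2: total issuance per window is capped regardless of backing.
        self._recent.append((ev.ts, ev.minted))
        self._window_total += ev.minted
        if self._window_total > self.window_cap:
            alerts.append("WINDOW_CAP_EXCEEDED")
        return alerts

def scan(events, monitor):
    """Return (tx, alerts) for every event that trips at least one control."""
    return [(ev.tx, alerts) for ev in events if (alerts := monitor.check(ev))]

# Constructed sample events (illustrative values, not the on-chain transactions).
SAMPLE_EVENTS = [
    MintEvent(0, "tx-a", Decimal("50000"), Decimal("50000")),
    MintEvent(600, "tx-b", Decimal("100000"), Decimal("100000")),
    MintEvent(1200, "tx-c", Decimal("150000"), Decimal("60000000")),
    MintEvent(6000, "tx-d", Decimal("200000"), Decimal("200000")),
    MintEvent(6100, "tx-e", Decimal("6000000"), Decimal("6000000")),
]

def run_sample():
    # Thresholds are assumptions: 1% ratio tolerance, 5M units per hour.
    return scan(SAMPLE_EVENTS, MintMonitor(Decimal("1.01"), Decimal("5000000"), 3600))
```

The two controls are independent: the last sample event is fully backed yet still trips the issuance cap, so a signer holding a valid key cannot mint without bound even when the collateral check passes.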

The Resolv exploit illustrates that fourteen audits and a $500,000 bug bounty program on Immunefi prove insufficient if the operational management of private keys and controls over privileged roles are not held to the same standard.
