In March 2026, Resolv was the victim of a $23 million hack. The attacker took advantage of a compromised private key to authorize the minting of 80 million of the USR stablecoin in exchange for about $100,000-$200,000 in collateral.
Inside the Attack
The Resolv attack exploited the fact that Resolv’s smart contract relied on an off-chain service to validate minting requests. Users deposit into the USR Counter contract and request a mint. The amount of tokens to be minted in response to a deposit is determined by an off-chain service that the protocol’s smart contract implicitly trusts, which calls the contract with the approved amount. The contract itself didn’t perform any validation of the price ratio between the deposited token and the minted USR.
This external service used a single private key for digital signatures, which was compromised by the attacker. The hack began with the attacker compromising Resolv’s AWS Key Management Service (KMS) environment, which held the critical private key. With this key, the attacker could authorize as large a mint as they wanted in response to a deposit.
The attacker deposited about $100,000-$200,000 USDC into the contract and requested two mints. They then called the completeSwap function in the contract with a transaction digitally signed by the compromised private key. The transactions minted approximately 50 million and 30 million USR, respectively, creating a total of 80 million in unbacked USR tokens.
These minted tokens were swapped into wstUSR, then into ETH via a series of exchanges. During the response, the Resolv protocol burned about 9 million USR that remained in the attacker’s account.
The attack caused USR to unpeg, dropping to $0.0025 at the bottom on Curve before rebounding to approximately $0.85. The depeg also harmed other protocols, resulting in Fluid/Instadapp absorbing over $10 million in bad debt and seeing $300 million in outflows in a single day. It also impacted 15 Morpho vaults.
Lessons Learned from the Attack
The Resolv incident involved a stolen key belonging to off-chain infrastructure that was wholly trusted to determine the amount of tokens to mint in response to a request. This infrastructure was outside of the scope of eighteen past audits, allowing these structural issues to slip through the cracks.
This hack could have been prevented by a few different security controls. The use of multisig wallets instead of a single private key would have made the attack more difficult to carry out, forcing the attacker to compromise multiple environments. The minting contract should also have sanity-checked mint requests to make sure that they made sense with current token prices.
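To make the two controls above concrete, here is an added Python model (not Resolv's code) of a mint path that requires a quorum of authorized approvers and caps the approved USR at the oracle value of the deposit plus a small tolerance. The signer ids, the 1% tolerance, the 1e8-scaled price format and the deposit figures are constructed assumptions.

```python
from dataclasses import dataclass

USDC_DECIMALS = 6
USR_DECIMALS = 18
PRICE_DECIMALS = 8        # assumed oracle format: USD price scaled by 1e8
MAX_PREMIUM_BPS = 100     # assumed policy: mint at most 1% above deposit value


@dataclass(frozen=True)
class MintRequest:
    deposit_usdc: int      # USDC deposited, in 6-decimal base units
    approved_usr: int      # USR the off-chain service approved, 18-decimal units
    signers: frozenset     # ids of off-chain signers that approved this amount


def max_mintable_usr(deposit_usdc: int, usdc_price: int) -> int:
    """Cap on USR for a deposit: its oracle value rescaled to USR decimals,
    plus the tolerated premium. Integer math mirrors on-chain arithmetic."""
    value_usr = (deposit_usdc * usdc_price * 10 ** (USR_DECIMALS - USDC_DECIMALS)
                 // 10 ** PRICE_DECIMALS)
    return value_usr * (10_000 + MAX_PREMIUM_BPS) // 10_000


def complete_swap(req: MintRequest, usdc_price: int,
                  authorized: frozenset, threshold: int) -> str:
    """Decide a mint; returns 'ok' or the reason it was refused. Both checks
    live in the contract, so one stolen key cannot mint unbacked USR."""
    if len(req.signers & authorized) < threshold:
        return "refused: fewer than %d authorized approvals" % threshold
    if req.approved_usr > max_mintable_usr(req.deposit_usdc, usdc_price):
        return "refused: approved USR exceeds deposit value"
    return "ok"


# Constructed scenario shaped like the incident: ~$200k deposit, 50M USR approved.
AUTHORIZED = frozenset({"signer-a", "signer-b", "signer-c"})
THRESHOLD = 2
ONE_DOLLAR = 10 ** PRICE_DECIMALS


def demo() -> dict:
    deposit = 200_000 * 10 ** USDC_DECIMALS
    oversized = 50_000_000 * 10 ** USR_DECIMALS
    cases = {
        "stolen_key": MintRequest(deposit, oversized, frozenset({"signer-a"})),
        # Even a full quorum cannot approve more than the deposit backs.
        "quorum_oversized": MintRequest(deposit, oversized, frozenset({"signer-a", "signer-b"})),
        "honest": MintRequest(deposit, 200_000 * 10 ** USR_DECIMALS, frozenset({"signer-a", "signer-c"})),
    }
    return {name: complete_swap(r, ONE_DOLLAR, AUTHORIZED, THRESHOLD) for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```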
Implementing secure stablecoins is a complex challenge since tokens must be trusted to maintain their pegs, even in the face of sophisticated attacks. Halborn’s smart contract auditing and security advisory services can help ensure that DeFi projects implement security best practices and avoid risks like the ones that made the Resolv hack possible. Get in touch to find out more.
