TBW - Resolv: How a compromised key sent USR crashing 80%

On Sunday, March 22, the stablecoin USR — issued by the Resolv protocol — lost its dollar peg after an attacker exploited a compromised private key to mint roughly 80 million tokens against a trivial collateral deposit.

The incident resulted in an estimated $25 million extraction and triggered cascading effects across several DeFi platforms, forcing Resolv to halt operations.

The scope of the attack

The mechanism was not, strictly speaking, a hack in the conventional sense: no collateral reserves were seized. The attacker gained access to a privileged signing key stored within the protocol's AWS Key Management Service environment.

Armed with that credential, they submitted two minting transactions: first 50 million USR against approximately 100,000 USDC, then another 30 million USR. The freshly minted, unbacked tokens were subsequently dumped into decentralized exchange liquidity pools — most notably Curve's USR/USDC pair — to extract real value.

The attacker's path ran from minted USR through wstUSR (a staked USR derivative), then into stablecoins, and finally into ETH: a total of 11,400 ETH worth approximately $24.4 million, plus 20 million wstUSR.

USR briefly collapsed to around $0.20 before stabilizing near $0.26, an 80% deviation from its intended peg.

What makes the episode particularly instructive is not the key compromise itself — which falls within a well-documented category of operational security failures — but the absence of elementary safeguards in the smart contract architecture.

The minting function imposed no ceiling per transaction or per time window. It performed no validation of the ratio between deposited collateral and minted tokens. It referenced no price oracle. In short, once the attacker held the privileged key, the protocol offered no second line of defense.
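To make the missing second line of defense concrete, here is an added Python model (not Resolv's code and not part of the original article) of a mint path that enforces a per-transaction cap, a rolling-window cap and an oracle-priced collateral ratio regardless of who signs. The class name, limits and fixed-price oracle are constructed assumptions; only the 50 million USR against roughly 100,000 USDC request comes from the article.

```python
from collections import deque
from decimal import Decimal

class MintGuard:
    """Model of mint-path checks that hold even when the signing key is valid."""

    def __init__(self, per_tx_cap, window_cap, window_seconds, min_ratio, oracle):
        self.per_tx_cap = Decimal(per_tx_cap)
        self.window_cap = Decimal(window_cap)
        self.window_seconds = window_seconds
        self.min_ratio = Decimal(min_ratio)  # required collateral value per token minted
        self.oracle = oracle                 # callable: asset symbol -> USD price
        self.accepted = deque()              # (timestamp, amount) of accepted mints

    def violations(self, now, amount, asset, collateral):
        """Return every check the request fails (empty list means allowed)."""
        amount, failed = Decimal(amount), []
        if amount <= 0:
            return ["non_positive_amount"]
        if amount > self.per_tx_cap:
            failed.append("per_tx_cap")
        # Only mints still inside the rolling window count toward the window cap.
        while self.accepted and self.accepted[0][0] <= now - self.window_seconds:
            self.accepted.popleft()
        if sum(a for _, a in self.accepted) + amount > self.window_cap:
            failed.append("window_cap")
        # Value the deposit with the oracle price instead of trusting the caller.
        value = Decimal(collateral) * Decimal(str(self.oracle(asset)))
        if value < amount * self.min_ratio:
            failed.append("collateral_ratio")
        return failed

    def mint(self, now, amount, asset, collateral):
        """Record the mint and return True only if no check fails."""
        if self.violations(now, amount, asset, collateral):
            return False
        self.accepted.append((now, Decimal(amount)))
        return True

# Constructed limits and a fixed-price stand-in oracle (assumptions, not Resolv's values).
def fixed_oracle(asset):
    return {"USDC": "1.00"}[asset]

def new_guard():
    return MintGuard(per_tx_cap=5_000_000, window_cap=10_000_000,
                     window_seconds=3600, min_ratio="1.0", oracle=fixed_oracle)

if __name__ == "__main__":
    # First mint as reported in the article: 50M USR against about 100,000 USDC.
    print(new_guard().violations(0, 50_000_000, "USDC", 100_000))
```

Under these sample limits the reported first mint fails all three checks at once, so any one of them alone would have stopped it.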

The damage done

The contagion rippled outward with characteristic DeFi speed.

Curve's pool was drained, sending the CRV token down nearly 5%. On Morpho, where USR served as an underlying asset in several lending vaults, the damage was more structural: Gauntlet's USDC Frontier vault saw $85.66 million in deposit outflows, its Core vault another $17 million, and more than ten vaults on the platform were affected in total.

Exposure also surfaced on Euler and across Midas products, including mBASIS, mAPOLLO, and mEDGE. Morpho's token dipped roughly 5% before recovering. The Resolv team has stated that underlying collateral reserves were not compromised.

The Big Whale's take

The velocity of contagion remains the core differentiator between decentralized and traditional financial plumbing: in conventional markets, comparable risk transmission typically unfolds over days, affording intermediaries time to hedge, communicate, and intervene.

Here, the chain reaction played out within hours.

More fundamentally, this incident illustrates why institutional capital deployment into decentralized protocols continues to proceed cautiously.

The vulnerability was not exotic. Single-key control over critical functions, the absence of minting caps, and the lack of oracle-based validation are all known failure modes, extensively documented in the audit literature.

That they persist in a protocol handling meaningful capital points to a gap not in technology per se, but in the security governance standards the industry has yet to formalize.

Until those standards exist and are independently enforced, episodes like this one will continue to set back the timeline for full-scale institutional adoption of DeFi rails — regardless of how diligent individual vault curators or asset allocators may be.
