DeFi platform Resolv Labs suffered a major exploit on Sunday, causing its USR stablecoin to lose its dollar peg and crash over 70%. An attacker used a compromised private key to mint $80 million in uncollateralized USR tokens. According to blockchain analysis firm Chainalysis, the hacker then converted the tokens through various protocols, ultimately extracting about $25 million. The platform has paused functions, burned some tokens, and is working with law enforcement while planning redemptions for affected users.
The USR stablecoin from Resolv Labs depegged and plunged more than 70% after an attacker exploited its contract to create 80 million unbacked tokens. According to the platform, the breach leveraged a “compromised private key” for the unauthorized minting.
The attacker quickly swapped the illicit USR into a staked version and then into other stablecoins and Ethereum. Chainalysis reported the hacker ultimately cashed out roughly $25 million in value.
“This notice is issued on behalf of Resolv Digital Assets Ltd. in relation to the Resolv protocol,” the company stated. “Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure through compromised private key, resulting in the minting of approximately $80M of…”
Resolv Labs has burned about $9 million in USR to reduce the impact. The firm is also collaborating with authorities and analytics teams to track the hackers and contain the remaining illicit tokens.
All protocol functions were paused in response to the attack. The platform stated it is preparing to allow redemptions for “pre-incident USR,” beginning with allowlisted users.
Analysis suggests the vulnerability potentially involved manipulated oracles or leaked off-chain signer keys. Chainalysis noted that minting approvals relied on an off-chain service with a private key, and the smart contract lacked a maximum minting limit.
D2 Finance described the cash-out as a “textbook DeFi hacking cash-out path.” The attackers moved tokens in batches through multiple liquidity protocols while executing large sell-offs.
This incident follows other recent DeFi security breaches, including a $29 million hack at Step Finance and a $1.8 million oracle error at lender Moonwell. These events highlight ongoing security challenges within the decentralized finance sector.
