Decentralized finance protocol Resolv Labs suffered a major security breach, leading to the collapse of its USR stablecoin. An attacker exploited compromised private keys to mint approximately $80 million in unbacked USR tokens. The tokens were swapped for Ether, netting the attacker around $23 million and causing the stablecoin’s value to plummet. The exploit also damaged vaults on the lending platform Morpho, where several curators had exposure to the depegged asset.
The decentralized finance protocol Resolv Labs disclosed that the minting process for its USR stablecoin was exploited on Sunday. An attacker minted 80 million unbacked USR tokens after gaining unauthorized access to the project’s private keys, the team stated Monday.
The attacker swapped the fraudulent tokens for staked versions and then for Circle’s stablecoin before purchasing Ether. Onchain data indicates they made off with roughly $23 million in Ether, leaving USR tokenholders with a heavily devalued asset.
CoinGecko shows the stablecoin is now trading below $0.40, having fallen as low as $0.02. Resolv Labs has disabled the protocol’s mint and redeem functions to prevent further damage.
The exploiter minted the 80 million tokens using only between $100,000 and $200,000 in collateral after compromising keys on Amazon Web Services, according to Chainalysis. The mint contract lacked oracle or max mint checks to prevent this action, according to Herd co-founder Andrew Whong.
The fallout extended beyond Resolv Labs to integrated protocols. Lending protocol Morpho Labs, which uses a curator model for its vaults, saw several curators impacted due to USR exposure.
Curators including Gauntlet, Re7 Labs, kpk, and 9summits had created vaults with exposure to USR. “I want to reiterate that there is no vulnerability in Morpho contracts. They are safe and operating as intended,” said Morpho co-founder Merlin Egalite.
In some cases, automated services continued providing liquidity to USR vaults after the exploit, worsening damages. Morpho co-founder Paul Frambot said roughly 15 vaults with over $10,000 in liquidity were impacted by the event.
