A critical vulnerability in Resolv's USR stablecoin minting contract allowed an attacker to drain $25 million from the protocol on Sunday, sending the dollar-pegged token to $0.025 before a partial recovery.

What Happened

The exploit occurred at 2:21 a.m. UTC on March 22. The attacker deposited 100,000 USDC into Resolv's minting contract and received back approximately 50 million USR — roughly 500 times the expected amount. Nothing in the system validated whether the exchange ratio made sense.

Across two transactions, the attacker minted around 80 million unbacked USR tokens, then swapped them for USDC and USDT on decentralized exchanges and converted the proceeds to ETH. The attacker's wallet now holds approximately 11,409 ETH ($23.7 million) plus $1.1 million in wrapped USR.

USR crashed from $1.00 to $0.025 on its main Curve Finance pool within 17 minutes of the first mint. As of Monday morning, the token was trading at around $0.27, still down 72% on the week.

The Root Cause

Resolv Labs initially described the incident as a "compromised private key." Onchain analysts found the problem was structural. The minting contract's SERVICE_ROLE — a privileged account that processes swap requests — was controlled by a single externally owned account rather than a multisig. There were no oracle checks, no amount validation, and no maximum mint limits.

The protocol now holds an estimated $95 million in assets against $173 million in liabilities, leaving it functionally insolvent. Resolv's total value locked had already declined from a February 2025 peak of $684 million to around $95 million before the attack.

Protocol Response

Resolv Labs paused the protocol and said it was cooperating with law enforcement and onchain analytics firms to pursue asset recovery. The team warned users against trading USR while recovery measures were being implemented, noting that post-exploit trading activity could complicate the recovery process.