Resolv Protocol, the decentralized finance platform that issues the USD stablecoin USR, underwent a major exploit over the weekend. Resolv informed its community about the exploit on Sunday, claiming that the attackers managed to get hands on a compromised private key that allowed them to mint 80 million unbacked USR stablecoins.
The USR token, launched in September 2024, is a decentralized, yield-bearing stablecoin backed by Bitcoin and Ether. The attacker first swapped the minted USR tokens for USDC and USDT to ETH tokens via decentralized exchanges. As per Chainalysis, the attacker holds ETH 11,400 in their wallet amounting to $24.8 million.
As a result of the exploit, the USR stablecoin suffered de-pegging, crashing to a price point to $0.025 on the Curve Finance pool. Despite it being backed by BTC and ETH, the stablecoin usually maintains its price at $1 through its Delta-Neutral financial structure. The incident, however, destabilized its price position significantly.
As a caution, Resolv paused the relevant smart contracts, it posted othrough its official @ResolvLabs handle on X.
“The protocol currently holds approximately $141 million in assets, with the only realized impact identified to date being approximately $0.5 million in redemptions processed prior to the pause. Approximately nine million USR held by the attacker has since been burned in order to reduce the potential impact,” it noted.
After the hack, the protocol said, it held $141 million in assets. It has alerted its community that 71 million illicitly minted tokens are circulating in the market. Whereas, 102 million tokens in circulation are official.
“We strongly advise against trading USR or related Resolv tokens at this time while recovery measures are being implemented. Actions of users during post-exploit period may affect the recovery,” Resolv noted. “We are preparing to enable redemptions for all pre-incident USR, beginning with allowlisted users. The current target start date is 23 March 2026.”
On-chain intelligence firm Chainalysis published an in-depth explanation of the attack.
“The on-chain smart contract worked perfectly. The broader system design and off-chain infrastructure of the compromised key apparently did not,” Chainalysis said. “DeFi protocols inherit the security assumptions, and the vulnerabilities, of the off-chain infrastructure they depend on,” it said.
Source: Chainalysis
Resolv said it is taking steps to track the illicitly minted USR tokens. It said it is also working with law enforcement and on-chain analytics firms to identify the attackers.