Resolv Labs USR Stablecoin Depegs After $25M Exploit

Resolv Labs, the DeFi project behind the USR stablecoin, suffered a major exploit on Sunday that allowed an attacker to mint 80 million unbacked tokens and drain roughly $25 million from the protocol — all while kicking off one of the more dramatic stablecoin depegs seen in recent months.

How Did the Attacker Mint 80 Million USR for $100K?

The mechanics here deserve more scrutiny than the headline number suggests. According to on-chain data flagged by crypto analyst account "yieldsandmore," the attacker deposited just $100,000 worth of USDC to trigger the initial mint of 50 million USR — a ratio that makes no economic sense unless something fundamental broke inside the protocol's minting logic.

Crypto security firm PeckShield later confirmed the attacker didn't stop there. A second minting transaction added another 30 million USR to the haul, bringing the total to 80 million unbacked tokens flooding into markets that were not built to absorb that kind of sudden supply.

Crypto fund D2 Finance offered the clearest diagnosis of what went wrong. The firm said USR's minting function was "broken" — pointing to three possible failure modes: the oracle was manipulated, the off-chain signer was compromised, or the contract was simply missing amount validation between the mint request and its completion. Any one of those alone would be a critical flaw. The fact that any of them could be the culprit says something uncomfortable about where USR's security posture stood going into Sunday.

The minting function on USR's contract was somehow broken. Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing.

The Cashout: Textbook DeFi Hack in Real Time

Once the minting was done, the attacker moved fast. D2 Finance tracked the exit in near-real time: the 50 million USR were dispersed across multiple DeFi protocols, swapped aggressively into USDC and USDT, and then converted into Ether (ETH). The firm called it "textbook DeFi hack cashout running at full speed" — and the on-chain footprint backed that up, with multiple failed transactions visible as the attacker worked through slippage issues caused by their own selling pressure.

USR's price told the story better than any analysis. On the Curve Finance USR/USDC pool — the token's deepest liquidity venue, with a 24-hour volume of $3.6 million — the token crashed to just 2.5 cents at 2:38 AM UTC on Sunday. That bottom came just 17 minutes after the initial 50 million USR mint. By the time most of the crypto world woke up to the news, the worst of the damage was already done. The pool has since recovered to around 84.5 cents, but that's cold comfort for anyone who was providing liquidity during those 17 minutes.

D2 Finance estimated total extraction at around $25 million. The attacker essentially turned a $100,000 USDC deposit into a $25 million payday — a 250x return on a single Sunday morning. Call it a brilliant exploit or a catastrophic protocol failure; either way, Resolv Labs is now trying to explain to its users how this was possible.

Where Does USR Stand Now?

As of Sunday, USR was trading at approximately 87 cents according to CoinGecko — 13% below its intended $1 peg. Resolv Labs confirmed via its X account that it had paused all protocol functions to stop further damage, and said the team was "actively working on recovery." What that recovery looks like is anyone's guess at this point.

The broader context is worth noting. February had seen crypto hacks fall dramatically — only $49 million lost across the whole month, compared to $385 million in January. March appears to be reversing that trend. The Resolv exploit alone wipes out more than half of February's total in a single transaction sequence.

The stablecoin space has always carried a specific kind of risk: when confidence in the peg breaks, the exit velocity can be brutal. USR's crash to 2.5 cents was extreme even by DeFi standards — a token explicitly designed to hold $1 hitting fractions of a penny represents near-total market disbelief in a matter of minutes. Whether the peg fully recovers or this becomes a slow bleed will depend entirely on what Resolv Labs finds when it digs into those minting contracts.