Latest News, March 23, 2026

Resolv Stablecoin Drops 70% After $25M ETH Heist

Resolv's USR stablecoin crashed to $0.025 on Sunday after an attacker minted 80M unbacked tokens and extracted $25M in ETH. As of Monday morning it was still trading at $0.27.

What to Know

  • $25 million in ETH was extracted after an attacker exploited a flaw in Resolv's USR minting contract on Sunday, March 23
  • 80 million unbacked USR tokens were minted across two transactions, crashing the stablecoin to $0.025 within 17 minutes
  • The attacker now holds 11,409 ETH worth approximately $23.7 million plus $1.1 million in wrapped USR in a separate wallet
  • USR had partially recovered to $0.27 as of Monday morning — still down 72% on the week — with Resolv advising users not to trade the token

The Resolv USR stablecoin exploit that hit early Sunday morning is the kind of attack that keeps DeFi security researchers up at night — not because it was sophisticated, but because it wasn't. Around 2:21 a.m. UTC on March 23, an attacker discovered that Resolv's minting contract had no guardrails whatsoever: no oracle checks, no amount validation, no maximum mint caps. They deposited 100,000 USDC, walked out with 50 million USR, and the math that was supposed to keep USR pegged to one dollar just... didn't run.

How Did the Attacker Pull This Off?

A single key with no multisig, no limits, and no checks

The Resolv exploit didn't require a flash loan, a reentrancy bug, or a custom MEV bot. It required one thing: the SERVICE_ROLE, the privileged role that completes swap requests in the minting contract, was controlled by a single externally owned account rather than a multisig. No second signer. No time delay. No threshold.

That single account minted approximately 80 million unbacked USR tokens across two transactions. The contract did not check whether the input-to-output ratio made sense. So when the attacker deposited 100,000 USDC, they received 50 million USR back — roughly 500 times what should have been possible. That's not a flash crash. That's a vault with no lock.

The attacker then swapped the minted USR for USDC and USDT across decentralized exchanges, converting the proceeds to ETH before parking the funds in a separate wallet. As of Monday, that wallet held 11,409 ETH worth approximately $23.7 million, plus $1.1 million in wrapped USR.

Resolv's initial statement attributed the incident to a "compromised private key" and a "targeted infrastructure compromise." Onchain analysts pushed back immediately. The problem wasn't just that a key was stolen — the problem was that the system was designed around a single key having unlimited, unchecked authority in the first place.
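
The guardrails the article says were missing (amount validation, an oracle-bounded ratio, a mint cap, more than one signer) can be modelled as a pre-completion check. This is an added example, not Resolv's code; the thresholds, field names and signer ids are assumptions, and only the 100,000 USDC and 50 million USR amounts come from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for illustration; the article gives no real limits.
MAX_DEVIATION = Decimal("0.01")             # minted value may exceed deposit value by 1%
MAX_MINT_PER_REQUEST = Decimal("1000000")   # per-completion cap, in USR
REQUIRED_APPROVALS = 2                      # distinct signers per completion


@dataclass(frozen=True)
class MintCompletion:
    deposit_usdc: Decimal
    mint_usr: Decimal
    approvers: frozenset  # distinct signer ids that approved this completion


def overmint_factor(req: MintCompletion, usdc_price: Decimal = Decimal("1")) -> Decimal:
    """USR minted per dollar deposited; about 1 for a backed mint of a $1 token."""
    return req.mint_usr / (req.deposit_usdc * usdc_price)


def check_mint(req: MintCompletion, usdc_price: Decimal = Decimal("1")) -> list:
    """Return the guardrails a completion violates; an empty list means accept."""
    if req.deposit_usdc <= 0 or req.mint_usr <= 0:
        return ["amount_validation"]
    violations = []
    # Oracle check: deposit value at the oracle price bounds the mint amount.
    if overmint_factor(req, usdc_price) > 1 + MAX_DEVIATION:
        violations.append("oracle_ratio")
    if req.mint_usr > MAX_MINT_PER_REQUEST:
        violations.append("mint_cap")
    if len(req.approvers) < REQUIRED_APPROVALS:
        violations.append("single_signer")
    return violations


# Constructed requests: the first uses the article's amounts, signer ids are made up.
reported = MintCompletion(Decimal("100000"), Decimal("50000000"), frozenset({"svc-key"}))
backed = MintCompletion(Decimal("100000"), Decimal("100000"), frozenset({"signer-a", "signer-b"}))

if __name__ == "__main__":
    for name, req in (("reported", reported), ("backed", backed)):
        print(name, overmint_factor(req), check_mint(req) or "accept")
```

Any one of the three checks on its own would have rejected the reported completion; the same function can run off-chain as an alert over mint events.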

For most smart contracts, this setup is not unusual. There is a key that has authority over contract specifics — in this case, for minting — that is often overlooked. This single point of failure is an attractive target for internal and external threats.

— Ido Sofer, Founder, Sodot

USR's Peg Collapsed in Under 20 Minutes

The Resolv USR stablecoin is supposed to maintain a $1.00 peg using a delta-neutral hedging strategy backed by ETH and BTC. On Sunday morning, none of that mattered. DEX Screener data shows USR hit $0.025 on its most liquid Curve Finance pool within 17 minutes of the first malicious mint. That's a 97.5% depeg in less than the time it takes to make a cup of coffee.

The token partially clawed back ground, recovering to around $0.85 before settling. But it didn't hold. By Monday morning, USR was trading at $0.27 — down 72% on the week. Resolv issued an advisory telling users to avoid trading USR while recovery measures were being implemented, warning that "actions of users during the post-exploit period may affect the recovery." That's a delicate way of saying: if you panic-sell now, you're making the math harder for everyone still holding.

The scale of the damage is easier to understand when you look at what Resolv was before this week. DeFiLlama data shows the protocol's TVL peaked near $684 million in February 2025 before declining steadily through the year to around $95 million just before the exploit. The attack didn't just hurt holders — it wiped out whatever recovery momentum the protocol had been building.

The Broader Warning: Credential Attacks Are the New Exploit

Ido Sofer, founder at crypto key management firm Sodot, put the structural problem plainly when speaking about the incident. The attack wasn't about finding a bug in the contract's logic — it was about finding the one key that had too much power and no protection around it.

"This ties in to a growing trend of attacks that are focusing on the blind spot of security teams — sensitive keys and credentials that do not hold the funds directly, but can be used to access the funds," Sofer said. "That includes dev credentials, trading API keys, and other deployment keys."

That framing matters. The industry's mental model of DeFi security still centers on code audits — catch the reentrancy bug, verify the math in the AMM, check the oracle manipulation vector. But an increasing share of high-value exploits now run straight through operational security failures: a hot wallet with too many permissions, a deployment key stored in the wrong place, a SERVICE_ROLE account that nobody thought to protect with a multisig because "it's not holding funds directly."

Resolv said it is working with law enforcement and onchain analytics firms, and that it would "pursue all available avenues to recover assets." Recovery in cases like this is historically difficult — the attacker already converted everything to ETH, which is far more liquid and harder to trace than a protocol-native token. The team has not indicated whether it plans to reimburse affected users or restructure the minting architecture.

Frequently Asked Questions

What is the Resolv USR stablecoin?

Resolv USR is a dollar-pegged stablecoin issued by Resolv Digital Assets Ltd. that uses a delta-neutral hedging strategy backed by ETH and BTC to maintain its $1.00 peg. Following the March 23, 2026 exploit, USR was trading at $0.27 — down 72% on the week — and has not restored its peg.

How did the attacker drain $25 million from Resolv?

The attacker exploited a flaw in Resolv's USR minting contract where a single externally owned account controlled the SERVICE_ROLE with no oracle checks, amount validation, or mint limits. By depositing 100,000 USDC, they received 50 million USR — 500 times the expected amount — then swapped it for USDC and USDT before converting to ETH.

How much ETH did the Resolv attacker steal?

After converting exploit proceeds, the attacker holds 11,409 ETH worth approximately $23.7 million, plus $1.1 million in wrapped USR stored in a separate wallet. The attacker minted roughly 80 million unbacked USR tokens across two transactions during the early Sunday morning attack.

Is it safe to trade Resolv USR now?

Resolv's team has strongly advised against trading USR while recovery measures are being implemented. The protocol warned that user actions taken during the post-exploit period could affect the recovery process. As of Monday, USR was trading at $0.27, well below its $1.00 peg.