- The attacker used $100,000 to $200,000 to mint $80 million in unbacked USR and extracted $23 million to $25 million in ETH.
- The basis trigger was a compromised non-public key with no on-chain mint restrictions or oracle checks.
- USR misplaced its peg inside minutes, falling beneath $0.40 and hitting lows round $0.02.
Resolv Labs confirmed that its USR stablecoin minting system was exploited on March 22, 2026. The attackers gained entry to the non-public keys and minted 80 million unbacked USR tokens.
The preliminary collateral utilized by the attackers was solely $100,000 to $200,000. This enter was purported to mint a small quantity of USR, however the system was in a position to create tens of tens of millions of USR.
The attackers transformed USR to a staking model (wstUSR), then to different stablecoins, together with Circle’s USDC, and eventually to Ether. In keeping with on-chain knowledge, the full quantity of ETH extracted is roughly $23 million to $25 million.
Root trigger: Non-public key compromise, not code failure
This exploit was not because of a bug within the sensible contract, and the system functioned as coded. The failure originated from off-chain infrastructure.
The attackers compromised Resolv’s AWS key administration system and took management of privileged signing keys. This key had the authority to approve minted quantities.
The contract solely checked for legitimate signatures; there have been no checks for max mint limits, worth oracles, or collateral ratios.
Two main transactions illustrate the dimensions, minting USR 50 million and USR 30 million respectively, and creating USR 80 million with minimal backing. As soon as the attacker compromised the important thing, limitless token creation was potential.
An infection spreads throughout DeFi protocols
The harm did not keep inside Resolve. Protocols built-in with USR have been additionally affected. Morpho Labs reported publicity via its choose lending vaults. The exploit affected roughly 15 vaults, every holding greater than $10,000.
Curators like Gauntlet, Re7 Labs, kpk, and 9summits had swimming pools related to USR. Some automated programs continued to offer liquidity after the exploit, exacerbating losses.
Morpho mentioned its core contracts stay safe and dangers are restricted to curators.
USR stablecoin loses peg as worth crashes beneath $0.40
The sudden provide shock destroyed the system immediately and USR misplaced its greenback peg inside minutes.
In keeping with the information, the token has fallen beneath $0.40, with lows close to $0.02 on some feeds. Chainalysis estimates that 80% will collapse on the peak of the panic earlier than solely partially recovering.
The protocol instantly suspended the mint redemption characteristic to stop additional harm. On the identical time, the attackers tried further minting, forcing the staff to reply rapidly.
USR holders have been left in danger as liquidity swimming pools have been flooded with unbacked tokens.
Disclaimer: The knowledge contained on this article is for informational and academic functions solely. This text doesn’t represent monetary recommendation or recommendation of any form. Coin Version isn’t chargeable for any losses incurred because of using the content material, merchandise, or providers talked about. We encourage our readers to do their due diligence earlier than taking any motion associated to our firm.