Stablecoins should be worth one dollar. Resolv’s USR is worth 27 cents, and the math to fix it doesn’t work.
According to multiple blockchain security companies and on-chain data, around 2:21 a.m. on Sunday, an attacker exploited a flaw in Resolv’s USR stablecoin minting contract to create approximately 80 million unbacked tokens in two transactions and withdraw approximately $25 million.
The attacker then exchanged the minted USR for USDC and USDT on a decentralized exchange, converting the proceeds to ETH. The attacker now holds 11,409 ETH in another wallet, worth approximately $23.7 million, along with an additional $1.1 million worth of wrapped USR.
USR, a USD-pegged stablecoin with a delta-neutral hedging strategy backed by ETH and BTC, saw its most liquid Curve Finance pool plummet to $0.025 within 17 minutes of first minting, according to DEX Screener.
It later recovered to around $0.85 but has yet to regain the peg. As of Monday morning, it was trading at $0.27, down 72% for the week.
This notice is issued on behalf of Resolv Digital Assets Ltd. in connection with the Resolv Agreement.
Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure via compromised private keys, resulting in the minting of approximately $80 million in…
— Resolv Labs (@ResolvLabs) March 22, 2026
The root cause is worse than Resolv’s initial statement suggests. The team described the incident as a “private key compromise” and a “targeted infrastructure breach.”
But on-chain analysts found that the real problem was structural. SERVICE_ROLE is a privileged account that completes exchange requests within the minting contract and is controlled by a single externally owned account rather than a multi-sig. The contract lacks oracle checking, amount verification, and maximum minting limit.
The attacker deposited 100,000 USDC and received 50 million USR in return, which was roughly 500 times the expected amount because there was nothing in the system to check that the ratio was reasonable.
DeFiLlama data shows that Resolv’s TVL peaked at nearly $684 million in February 2025, then dropped to around $95 million for the full year before the breach.
Resolv said it is working with law enforcement and on-chain analytics companies and will “pursue all available avenues to recover the assets.”
The team strongly advises against trading USR while recovery measures are in place, adding that “user behavior during the post-exploitation period may impact recovery.”
Correction time: 6:39 UTC: A previous version incorrectly mentioned $80 million as a loss in the headline and body of the story
