DeFi hardcoded oracle vulnerability recurs for the fourth time in 14 months

According to TechFlow, DeFi exploit incidents tied to hardcoded oracle vulnerabilities have occurred four times in 14 months. The most recent attack targeted Resolv, where an attacker used a privileged key to mint 80 million USR tokens, triggering a value collapse and market disruption across Fluid, Morpho, and Euler. The vulnerability arises from the curator model, in which depositors bear risk while curators receive rewards. Similar vulnerabilities were reported in 2025 involving Usual Protocol, Stream Finance, and Moonwell.

Author: The Defiant

Compiled by DeepChain TechFlow

Shenchao Overview: This article is not merely reviewing the Resolv vulnerability—it’s highlighting something more troubling: the same attack pattern—hardcoded oracles pricing a depegged stablecoin at $1—has occurred at least four times in the past 14 months. The issue is not a technical flaw, but rather an inherent design flaw in the curator model: risks are borne by depositors, while rewards are captured by curators.

The full text is as follows:

On a quiet Sunday morning, someone turned $100,000 into $25 million in approximately 17 minutes.

The target was the yield-bearing stablecoin protocol Resolv. Before Resolv paused its contract, its dollar-pegged stablecoin, USR, had fallen to just a few cents. As of the time of writing, USR remains severely depegged, trading at approximately $0.25, a decline of over 70% this week.

The ripple effects extended far beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day and experienced net outflows exceeding $300 million—the largest single-day outflow in its history. Fifteen Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance all subsequently paused USR-related markets.


The mechanism by which the losses from this exploit spread—a lending market pricing the depegged stablecoin at $1—is not new. It has occurred at least four times in the past 14 months.

How does the vulnerability work?

The minting of USR follows a two-step off-chain process: users deposit USDC via the `requestSwap` function, and a privileged off-chain signing key, `SERVICE_ROLE`, finalizes the amount of USR issued via `completeSwap`. The contract enforces a minimum output limit but has no maximum limit—whatever is signed by the key holder is executed by the contract.

The attacker gained access to the key through Resolv’s AWS Key Management Service. They submitted two USDC deposits totaling approximately $100,000 to $200,000, then used the compromised key to authorize the minting of 80 million USR in return. On-chain data shows two transactions of 50 million USR and 30 million USR, both minted within minutes.

"The Resolv USR vulnerability is not a bug—it's a feature working as designed. That's the problem," said on-chain analyst Vadim (@zacodil).

SERVICE_ROLE is a regular externally owned address, not a multisig. The admin key is protected by multisig, but the minting key is not.

"Resolv has undergone 18 audits," Vadim said, "one of which found a vulnerability named simply 'Missing Upper Bound'."
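The two-step flow described above, modelled in Python as an added example (not Resolv's contract code): the same `completeSwap` step is shown with only the minimum-output check the article describes, and with the deposit-derived upper bound that the "Missing Upper Bound" finding points at. Everything other than the `requestSwap`/`completeSwap`/`SERVICE_ROLE` names (the cap ratio, the dataclass layout, the amounts) is an assumption.

```python
# Added example (not Resolv's contract): a model of the two-step mint flow,
# with the "minimum output only" check beside a hardened version that also
# caps the signed output by the escrowed deposit.
from dataclasses import dataclass, field

MAX_USR_PER_USDC = 1.01  # assumed cap: one USDC should never mint much more than one USR

@dataclass
class SwapRequest:
    usdc_in: float
    min_usr_out: float

@dataclass
class MintContract:
    cap_by_deposit: bool                 # False reproduces the behaviour described above
    total_supply: float = 0.0
    pending: dict = field(default_factory=dict)
    next_id: int = 0

    def request_swap(self, usdc_in: float, min_usr_out: float) -> int:
        """User step: escrow USDC and record the minimum USR the user will accept."""
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = SwapRequest(usdc_in, min_usr_out)
        return rid

    def complete_swap(self, rid: int, signed_usr_out: float) -> float:
        """SERVICE_ROLE step: the signer supplies the USR amount; the contract
        only verifies a floor unless cap_by_deposit is set."""
        req = self.pending.pop(rid)
        if signed_usr_out < req.min_usr_out:
            raise ValueError("below minimum output")
        if self.cap_by_deposit and signed_usr_out > req.usdc_in * MAX_USR_PER_USDC:
            raise ValueError("signed amount exceeds what the deposit backs")
        self.total_supply += signed_usr_out
        return signed_usr_out

def minted_for(cap_by_deposit: bool, usdc_in: float, signed_usr_out: float) -> float:
    """USR actually issued for one request; 0.0 when the contract rejects it."""
    c = MintContract(cap_by_deposit)
    rid = c.request_swap(usdc_in, usdc_in * 0.99)   # user accepts at most 1% slippage
    try:
        return c.complete_swap(rid, signed_usr_out)
    except ValueError:
        return 0.0
```

With `cap_by_deposit=False` a 100,000 USDC request completed with a signed 50,000,000 USR goes through; with the cap, the same call is rejected while an honest 100,000 USR completion still succeeds.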

The attacker methodically exited: first converting the minted USR into wstUSR (the staked wrapped version) to mitigate market impact, then exchanging it for ETH via Curve, Uniswap, and KyberSwap. The attacker’s wallet holds approximately 11,400 ETH (around $24 million). The ETH and BTC collateral pools underpinning the entire system remained intact amid the stablecoin’s collapse.

How did it spread?

The Resolv incident was actually the result of two failures occurring together: first, a minting vulnerability, and second, a failure in the cross-margin lending markets.

When USR and wstUSR collapsed, each lending market that accepted them as collateral faced the same issue: their oracles still priced wstUSR close to $1.

Omer Goldberg, founder of the risk analysis firm Chaos Labs, documented this mechanism. His key finding was: "The oracle is hard-coded and therefore never repriced. wstUSR is marked at $1.13, while trading at approximately $0.63 on the secondary market."

Traders buy wstUSR at a low price on the open market, then use it as collateral to borrow USDC on Morpho or Fluid based on the oracle price of $1.13, before exiting.

At Fluid, the team secured a short-term loan to cover 100% of bad debts and pledged full reimbursement to every user. At Morpho, co-founder Paul Frambot stated that approximately 15 vaults had significant exposure, all employing high-risk, long-tail collateral strategies.

Renowned curator Gauntlet stated, "Exposure to several high-yield vaults is limited."

However, D2 Finance directly refuted this claim, releasing on-chain data showing that Gauntlet’s flagship "USDC Core Vault" allocated $4.95 million to the wstETH/USDC market. Goldberg subsequently stated that Gauntlet’s vault accounts for 98% of lender liquidity in that market.

Frambot stated in a written response to The Defiant: "We have been exploring ways to more comprehensively present various risks. However, we do not believe the core issue here is a lack of labeling."

Frambot added: "Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they believe is best suited for a particular market. Morpho is an open, permissionless infrastructure designed to outsource risk management to curators."

"It's difficult to enforce objectively 'correct' safeguards in all scenarios," said Frambot. "Imposing constraints at the protocol level also carries the risk of hindering legitimate strategies."

Although the underlying protocol leaves risk management to the curator, some in the industry believe the curator has not fulfilled its responsibilities.

"I believe the design of the curator industry is flawed because there is no real curation happening at all," Marc Zeller said on X.

As of publication, Resolv, Gauntlet, and Fluid have not responded to The Defiant’s request for comment.

A recurring failure pattern

This is not a new attack. In January 2025, Usual Protocol’s USD0++ was hardcoded to $1 by curator MEV Capital in the Morpho vault. Usual then suddenly adjusted the redemption floor price to $0.87 without any warning, locking lenders in the MEV Capital vault, which saw its utilization rate spike to 100%.

In November 2025, Stream Finance’s xUSD collapsed after the curator routed USDC deposits into leveraged loops backed by the synthetic stablecoin; when its oracle refused to update, an estimated $285 million to $700 million in assets on Morpho, Euler, and Silo were at risk. Moonwell suffered two consecutive oracle failures in October and November 2025, resulting in over $5 million in bad debt.

What does this mean for the curator model?

Morpho’s architecture outsources all risk decisions to third-party "curators," who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The underlying theory is that specialized institutions possess deeper expertise, and competition leads to better risk management, while the protocol is responsible for enforcing the rules.

However, curators earn fees based on the generated yield, creating an incentive to accept higher-risk, higher-yield collateral such as yield-bearing stablecoins. The problem is that when these stablecoins depeg, losses are borne by depositors, not the curators. During the Resolv incident, some curators’ automated bots continued injecting funds into the affected vaults for hours after the exploit occurred, exacerbating the losses.

The reason for using a hardcoded oracle for yield-bearing stablecoins is to prevent short-term fluctuations from triggering unnecessary liquidations. However, this protection is only effective if the stablecoin remains stable.
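As an added example (not the code of Resolv, Morpho, Chaos Labs or any curator), the trade-off just described in Python: a fixed-rate oracle that keeps the hardcoded price while the secondary market stays within a band, halts the market when it does not, and the arithmetic for the shortfall a lender absorbs if the hardcoded price is used anyway. The 5% band, the 0.86 LLTV, the market names and the token counts are assumptions; the 1.13 and 0.63 prices are the figures quoted above.

```python
# Added example: a guarded fixed-rate oracle plus lender-exposure arithmetic.
# Not any protocol's code; thresholds, LLTV and sample data are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class GuardedRateOracle:
    fixed_price: float            # the hardcoded rate, e.g. 1.13 USD per wstUSR
    max_deviation: float = 0.05   # assumed 5% band: absorbs noise, not a depeg

    def price(self, market_price: float) -> Optional[float]:
        """Fixed price while the secondary market is within the band;
        None when it is not, so the market halts instead of lending at $1.13."""
        deviation = abs(market_price - self.fixed_price) / self.fixed_price
        return None if deviation > self.max_deviation else self.fixed_price

def shortfall_per_token(oracle_price: float, market_price: float, lltv: float) -> float:
    """Bad debt per collateral token when a borrower takes the maximum loan at the
    oracle price and walks away from collateral worth only the market price."""
    return max(0.0, oracle_price * lltv - market_price)

def scan_markets(observations, lltv: float = 0.86) -> dict:
    """Constructed monitor: for each (market, fixed_price, market_price, tokens)
    report whether the guarded oracle would halt, and the total shortfall a
    lender faces if the hardcoded price keeps being used."""
    report = {}
    for market, fixed, spot, tokens in observations:
        halted = GuardedRateOracle(fixed).price(spot) is None
        exposure = round(shortfall_per_token(fixed, spot, lltv) * tokens, 2)
        report[market] = (halted, exposure)
    return report

# Constructed sample: the quoted wstUSR figures beside a healthy market.
SAMPLE = [
    ("wstUSR/USDC", 1.13, 0.63, 1_000_000),
    ("healthy/USDC", 1.00, 0.998, 1_000_000),
]

if __name__ == "__main__":
    print(scan_markets(SAMPLE))
```

At the quoted prices the shortfall is about $0.34 per wstUSR token (1.13 × 0.86 − 0.63), which is why a market that keeps pricing at $1.13 accumulates bad debt with every loan taken after the depeg.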

Chainalysis, an on-chain analytics firm, stated in its post-incident review that real-time on-chain detection capabilities are needed.

"The on-chain smart contract is operating perfectly. The issue clearly lies in the broader system design and off-chain infrastructure," the analysis firm stated.
