Article by Eric, Foresight News
Around 10:21 Beijing Time today, Resolv Labs, which issues the stablecoin USR using a delta-neutral strategy, was hacked. An address starting with 0x04A2 minted 50 million USR from the Resolv Labs protocol using 100,000 USDC.

As the incident became public, USR dropped to around $0.25, recovering to approximately $0.80 by the time of writing. The RESOLV token price also briefly fell by nearly 10%.

Subsequently, the hacker replicated the same method to mint 30 million USR using 100,000 USDC. As USR significantly deviated from its peg, arbitrageurs swiftly acted; many lending markets on Morpho that accepted USR, wstUSR, and other assets as collateral were nearly emptied, and Lista DAO on BNB Chain suspended new borrowing requests.

The impact extends beyond just these lending protocols. In Resolv Labs’ protocol design, users can also mint RLP tokens, which exhibit greater price volatility and higher yields but require holders to assume liability for losses incurred by the protocol. Currently, the circulating supply of RLP tokens is nearly 30 million, with the largest holder, Stream Finance, owning over 13 million RLP tokens, resulting in a net risk exposure of approximately $17 million.
Yes, Stream Finance, which previously suffered a collapse involving xUSD, may face another major blow.
As of the time of writing, the hacker has converted USR into USDC and USDT and has continued purchasing Ethereum, acquiring over 10,000 ETH so far. Using 200,000 USDC, the hacker has extracted over $20 million in assets, finding their own "100x coin" during the bear market.
Again exploited due to "lack of rigor"
On October 11 last year, the sharp market decline caused many stablecoins issued using delta-neutral strategies to suffer collateral losses due to ADL (Automatic De-leveraging). Projects that used altcoins as assets for their strategies suffered even heavier losses, with some outright abandoning their projects.
Resolv Labs, which was targeted in this attack, also issued USR using a similar mechanism. The project announced in April 2025 that it had completed a $10 million seed round led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, and launched its RESOLV token in late May to early June.
However, Resolv Labs was attacked not due to extreme market conditions, but because the mechanism design for minting USR was insufficiently rigorous.
No security firm or official source has yet analyzed the cause of this hacking incident. The DeFi community YAM, through preliminary analysis, concluded that the attack likely occurred because the hacker gained control of the SERVICE_ROLE used by the protocol’s backend to provide parameters to the minting contract.

According to Grok's analysis, when users mint USR, they initiate a request on-chain and call the contract's requestMint function with the following parameters:
_depositTokenAddress: The address of the token being deposited;
_amount: Deposit amount;
_minMintAmount: Minimum expected amount of USR to receive (slippage protection).
Subsequently, the user deposits USDC or USDT into the contract; the project’s backend with the SERVICE_ROLE monitors the request, uses the Pyth oracle to verify the value of the deposited assets, and then calls the completeMint or completeSwap function to determine the actual number of USR tokens to mint.
The issue lies in the fact that the minting contract fully trusts the _mintAmount provided by SERVICE_ROLE, assuming it has been verified off-chain by Pyth, and therefore imposes no upper limit or on-chain oracle verification, directly executing mint(_mintAmount).
Accordingly, YAM suspects that the hacker gained control of the SERVICE_ROLE, which should have been controlled by the project team (possibly due to an internal oracle compromise, insider theft, or stolen keys), and directly set _mintAmount to 50 million during minting, enabling the attack that created 50 million USR using only 100,000 USDC.
Ultimately, Grok concluded that Resolv did not consider the possibility that the address (or contract) used to receive user minting requests could be compromised by hackers. When minting requests for USR were submitted to the final minting contract, no maximum minting limit was set, and the contract did not perform secondary verification using an on-chain oracle—it blindly trusted all parameters provided by SERVICE_ROLE.
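
The trust gap described above, as an added Python model (not Resolv's contract code and not from the article): complete_mint_trusting mints whatever amount the SERVICE_ROLE supplies, while complete_mint_checked bounds it by the deposit's value at an oracle price the contract reads itself. The function names, the 1% deviation bound and the per-request cap are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical hardening parameters, not values from the protocol.
MAX_DEVIATION = Decimal("0.01")            # mint may exceed deposit value by 1%
MAX_MINT_PER_REQUEST = Decimal("5000000")  # absolute ceiling per request

class MintRejected(Exception):
    pass

@dataclass
class MintRequest:
    """What requestMint records, per the description above."""
    deposit_amount: Decimal    # _amount, in deposit-token units (e.g. USDC)
    min_mint_amount: Decimal   # _minMintAmount, the user's slippage floor

def complete_mint_trusting(req, mint_amount):
    """Behaviour the article describes: the caller's role is the only
    gate, so any _mintAmount from SERVICE_ROLE is minted as given."""
    return mint_amount

def complete_mint_checked(req, mint_amount, oracle_price):
    """Same call, but the amount is bounded on-chain. oracle_price is the
    USD price of one deposit token as read by the contract (assumed)."""
    if oracle_price <= 0:
        raise MintRejected("invalid oracle price")
    deposit_value = req.deposit_amount * oracle_price  # USR targets $1
    if mint_amount > deposit_value * (1 + MAX_DEVIATION):
        raise MintRejected("mint amount exceeds oracle value of deposit")
    if mint_amount > MAX_MINT_PER_REQUEST:
        raise MintRejected("mint amount exceeds per-request cap")
    if mint_amount < req.min_mint_amount:
        raise MintRejected("mint amount below user's minimum")
    return mint_amount

if __name__ == "__main__":
    # Constructed request using the article's figures: 100,000 USDC in.
    req = MintRequest(Decimal("100000"), Decimal("99000"))
    print(complete_mint_trusting(req, Decimal("50000000")))
    try:
        complete_mint_checked(req, Decimal("50000000"), Decimal("1.0001"))
    except MintRejected as exc:
        print("rejected:", exc)
```

With these checks a compromised SERVICE_ROLE key can still mint, but only up to roughly what was actually deposited.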
Prevention is also inadequate
In addition to speculating on the cause of the hack, YAM also pointed out the project team's inadequate preparedness in responding to the crisis.
YAM stated on X that Resolv Labs paused the protocol three hours after the first hacker attack, with approximately one hour of delay caused by collecting the four signatures required for the multisig transaction. YAM believes that an emergency pause should require only one signature, and permissions should be distributed as widely as possible among team members or trusted external operators to increase vigilance for on-chain anomalies, improve the likelihood of rapid suspension, and better cover different time zones.
Although the suggestion to pause the protocol with a single signature may seem extreme, requiring multiple signatures across different time zones to pause the protocol could indeed cause critical delays during emergencies. The lesson from this incident is to introduce a trusted third party that continuously monitors on-chain activity, or to implement monitoring tools with emergency protocol pause capabilities.
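
The pause arrangement discussed above, as an added Python simulation (not from the article or the project): any single guardian, including a monitoring bot, can pause, and the monitor pauses as soon as a completed mint exceeds the value deposited. The class and function names, the 1% tolerance and the quorum required to resume are assumptions.

```python
from decimal import Decimal

class PauseGuard:
    """Pausing takes one guardian signature; resuming takes a quorum
    (an assumption added here so one key cannot also lift a pause)."""
    def __init__(self, guardians, unpause_quorum):
        self.guardians = set(guardians)
        self.unpause_quorum = unpause_quorum
        self.paused = False

    def pause(self, caller):
        if caller not in self.guardians:
            raise PermissionError("not a guardian")
        self.paused = True

    def unpause(self, signers):
        if len(set(signers) & self.guardians) < self.unpause_quorum:
            raise PermissionError("quorum not reached")
        self.paused = False

def watch_mints(events, guard, bot, tolerance=Decimal("0.01")):
    """Replay (deposit_usd, usr_minted) events in order. Detection is
    reactive: the first anomalous mint still executes, then the bot
    pauses and every later mint is blocked."""
    executed, blocked = [], []
    for i, (deposit_usd, usr_minted) in enumerate(events):
        if guard.paused:
            blocked.append(i)
            continue
        executed.append(i)
        if usr_minted > deposit_usd * (1 + tolerance):
            guard.pause(bot)
    return executed, blocked

# Constructed events: one ordinary mint, then the two mints the article reports.
EVENTS = [
    (Decimal("2500"), Decimal("2499")),
    (Decimal("100000"), Decimal("50000000")),
    (Decimal("100000"), Decimal("30000000")),
]

if __name__ == "__main__":
    guard = PauseGuard({"ops-1", "ops-2", "ops-3", "ops-4", "monitor-bot"}, 4)
    print(watch_mints(EVENTS, guard, "monitor-bot"))
```

In this replay the first oversized mint executes and the second is blocked, so monitoring limits the loss while only an on-chain check on the mint amount prevents it.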
Attacks on DeFi protocols have long moved beyond smart contract vulnerabilities. The Resolv Labs incident serves as a warning to project teams: protocol security must start from the assumption that no component can be trusted, and all parameters must undergo at least secondary verification, even when they come from backends operated by the project team itself.



