Resolv's USR stablecoin depegged after a hacker minted 80 million unbacked tokens and stole $25 million in ETH.

Chainthink
Summary

ETH news: On March 22, 2025, a hacker exploited a vulnerability in Resolv’s USR stablecoin minting contract, minting 80 million unbacked tokens and stealing $25 million in ETH. The attack caused USR to plummet to $0.025 on Curve Finance before partially recovering to $0.85. The vulnerability stemmed from weak access controls and the absence of minting limits. Resolv has paused the protocol, confirming that collateral pools remain secure, but acknowledged the breach was confined to the USR issuance mechanism. ETH update: The exploit has resulted in liquidity losses and may impact DeFi platforms such as Morpho and Gauntlet.

In the cryptocurrency market, stablecoins are regarded as a "bridge" connecting traditional finance with the Web3 world, making their stability and security crucial. However, a recent attack on Resolv’s USR stablecoin has once again sounded an alarm for DeFi security. On March 22, 2025, attackers exploited a vulnerability in Resolv’s USR minting contract to mint approximately 80 million unbacked tokens and stole around $25 million in ETH. This incident caused USR to plummet to $0.025 on Curve before rebounding to around $0.85, though its peg to the U.S. dollar has not yet been restored. The attack not only broke USR’s dollar peg but also exposed the potential vulnerabilities of complex DeFi protocols and the significant risks posed by high-yield stablecoins in the absence of regulatory oversight.

I. Resolv's USR stablecoin depegs: Attacker mints 80 million unbacked tokens, stealing $25 million in ETH

According to multiple blockchain security firms, on Sunday, an attacker exploited a vulnerability in Resolv’s USR stablecoin minting contract to create approximately 80 million unbacked tokens and stole around $25 million.

Attack Method: The attack began at approximately 02:21 UTC. The X account YieldsAndMore was the first to detect the incident and posted Etherscan transaction data showing that the attacker deposited 100,000 USDC into Resolv’s USR Counter contract and received 50 million USR in return—about 500 times the expected amount. Subsequently, the attacker minted an additional 30 million USR through a second transaction.

USR depegs and crashes: USR is a dollar-pegged stablecoin that employs a delta-neutral hedging strategy and is backed by ETH and BTC, rather than fiat reserves. According to DEX Screener data, the token plummeted to $0.025 within 17 minutes of its initial minting in its most liquid Curve Finance pool. The price later rebounded to around $0.85, but as of Sunday morning, its peg to the dollar had not been restored.

Stolen assets: The attacker used an address starting with 0x04A2 to exchange the minted USR for USDC and USDT on a decentralized exchange, then converted the proceeds into ETH. According to blockchain data, as of publication, the attacker’s wallet holds 11,409 ETH, valued at approximately $23.7 million. Another wallet confirmed to belong to the attacker holds wstUSR tokens valued at approximately $1.1 million.

Resolv Labs' response: In a statement on X, Resolv Labs said that it has suspended all protocol functions and that its collateral pool is "completely intact" with "no loss of underlying assets." The team said the issue is "limited to the USR issuance mechanism."

II. Vulnerability Cause Analysis: Privileged Minting Role and Weak Access Control

Analysts found that the vulnerability stemmed from a privileged minting role controlled by an externally owned account, which had no minting limits or oracle checks.

Weak access control: Chain analyst Andrew Hong attributed this security vulnerability to the protocol's SERVICE_ROLE, a privileged account used to fulfill swap requests. This role was controlled by a standard externally owned account (EOA), rather than a multisignature wallet. Additionally, the minting contract lacked oracle checks, quantity validation, and maximum minting limits.

Insufficient auditing and monitoring: D2 Finance, a DeFi fund, listed three possible explanations: oracle manipulation, compromise of off-chain signers, or missing validation of amounts between minting requests and completion. YieldsAndMore agreed with this analysis, noting that Resolv Protocol’s governance mechanisms lacked security measures commensurate with its scale. “Relying solely on audits is not enough—if you don’t monitor minting and supply in real time, you’re blind at the most critical moments,” said Deddy Lavid, CEO of Cyvers, to The Block.
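As an added illustration (not Resolv's code or any cited analyst's tooling), the Python example below applies the checks this section says were missing to a stream of mint completions: amount validation against the deposit's oracle value, a per-transaction cap, and a cap over a monitoring window. The record type, thresholds and event labels are assumptions; the 100,000 USDC to 50 million USR figures come from the article, and the deposit for the second mint is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class MintCompletion:
    """One completed mint request (constructed record layout)."""
    tx: str
    collateral_usd: Decimal  # deposit valued at an independent oracle price
    minted: Decimal          # stablecoin units issued for that deposit


# Hypothetical policy values; a real protocol would set these through governance.
MAX_RATIO_DEVIATION = Decimal("0.01")      # minted may exceed deposit value by 1%
MAX_MINT_PER_TX = Decimal("5000000")       # ceiling for a single completion
MAX_MINT_PER_WINDOW = Decimal("10000000")  # ceiling across the monitored window

# Constructed sample: one normal mint, then the two mints the article describes.
SAMPLE = [
    MintCompletion("normal-mint", Decimal("250000"), Decimal("250000")),
    MintCompletion("first-mint", Decimal("100000"), Decimal("50000000")),
    # The article does not state the second deposit; 100,000 is constructed.
    MintCompletion("second-mint", Decimal("100000"), Decimal("30000000")),
]


def check_mints(events):
    """Return (tx, reason) for every completion that breaks a rule."""
    alerts, window_total = [], Decimal(0)
    for e in events:
        window_total += e.minted
        if e.collateral_usd <= 0:
            alerts.append((e.tx, "mint without valued collateral"))
        elif e.minted > e.collateral_usd * (1 + MAX_RATIO_DEVIATION):
            ratio = e.minted / e.collateral_usd
            alerts.append((e.tx, f"minted {ratio:.0f}x deposit value"))
        if e.minted > MAX_MINT_PER_TX:
            alerts.append((e.tx, "per-transaction mint cap exceeded"))
        if window_total > MAX_MINT_PER_WINDOW:
            alerts.append((e.tx, "window mint cap exceeded"))
    return alerts


if __name__ == "__main__":
    for tx, reason in check_mints(SAMPLE):
        print(f"ALERT {tx}: {reason}")
```

The same three conditions enforced inside the minting contract would reject the completion outright; run off-chain against mint events, they are the kind of real-time supply monitoring the Cyvers quote calls for.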

III. USR Holders Face Massive Losses: Supply Inflation and Liquidity Crunch

Although Resolv's claim that its collateral pool is "completely intact" is technically accurate, it understates the losses.

Supply inflation: As on-chain analysts have noted, this attack took the form of supply inflation rather than direct theft of collateral assets. The addition of 80 million new tokens diluted the existing supply, and the attacker’s sell-off completely destroyed the liquidity of the collateral pool. Anyone holding USR at the time immediately suffered losses.

Spillover to DeFi lending markets: The depegging effect also impacted DeFi lending markets. USR and its staked derivative wstUSR were accepted as collateral by platforms such as Morpho and Gauntlet. Some speculative traders may have purchased USR at a discount and borrowed USDC at a fixed $1 valuation, thereby depleting stablecoin liquidity in these vaults. D2 Finance noted that vaults on Morpho managed by Gauntlet were also affected.

Subordinate Shares and Ripple Effects: Losses could also impact Resolv’s subordinate shares. The Resolv Liquidity Pool (RLP), which acts as a layer of insurance to absorb losses and protect USR holders, had approximately $38.6 million in circulating funds at the price prior to the exploit. According to YieldsAndMore, Stream holds 13.6 million RLP shares with a net exposure of approximately $17 million, meaning its depositors may face another significant loss.

Market cap significantly shrunk: According to CoinMarketCap, USR’s market cap has dropped from approximately $400 million in early February to around $100 million before the attack. Affected by this incident, the price of the RESOLV governance token fell by approximately 8.5% over the past 24 hours.

IV. Background of Resolv and the Prevalence of DeFi Hacking Attacks

Resolv completed a $10 million seed round in April 2025, led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, and Animoca Ventures, and incubated by Delphi Labs.

Audit and Bug Bounty: Resolv’s website claims to have completed 14 audit projects for five companies, established a $500,000 Immunefi bug bounty program, and offers ongoing smart contract monitoring services.

DeFi hacking trends: This exploit incident further increases the number of DeFi hacks in 2026. The Resolv incident is the latest in a series of cryptocurrency attacks early in 2026. In January, Truebit lost $26.6 million after attackers exploited a smart contract vulnerability deployed five years prior. In the same month, Makina Finance’s stablecoin pool lost approximately $5 million due to attackers manipulating the protocol’s oracle using flash loans. A report released last week by Immunefi shows that the average loss per cryptocurrency hack is currently around $25 million, with the top five attack events between 2024 and 2025 accounting for 62% of all stolen funds.

V. Timing of Policy and Regulation: Risks of Yield-Bearing Stablecoins

From a policy perspective, the timing is also noteworthy, as U.S. lawmakers are actively debating how to regulate yield-bearing stablecoins under the GENIUS Act.

Risk of bank deposit outflows: The American Bankers Association has warned that such products could divert deposits away from traditional banks.

Regulatory consensus: Several key senators reached a "principle agreement" last Friday on how to handle stablecoin yields.

Conclusion:

Resolv's USR stablecoin lost its dollar peg after an attacker minted 80 million unbacked tokens and stole approximately $25 million, once again sounding the alarm on DeFi security. This incident not only exposes potential vulnerabilities in high-yield stablecoins related to complex contract design, access control, and auditing, but also poses a severe challenge to the trust mechanisms of the entire DeFi ecosystem.



