Attacker Mints 80 Million Unbacked USR, Extracts About $25 Million in ETH from Resolv

On Sunday, March 22, 2026, an attacker successfully exploited a critical vulnerability in Resolv's USR stablecoin minting contract.

“Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH The protocol holds $95 million in assets against $173 million in liabilities, leaving it functionally insolvent”

@coindesk

The attack began around 2:21 a.m. UTC when the attacker deposited only about $100,000-$200,000 in USDC into Resolv's USR Counter contract.

@coindesk

The attacker received 50 million USR back—roughly 500 times more than expected, with a second transaction minting another 30 million tokens.

The attacker then systematically swapped the minted USR for USDC and USDT across decentralized exchanges before converting everything into ETH.

Their current wallet holds 11,409 ETH worth about $23.7 million plus $1.1 million in wrapped USR in a separate address.

This massive exploit represents one of the most significant stablecoin security failures of 2026, causing immediate depegging and widespread financial disruption.

The attacker extracted roughly $25 million in total value from the exploit.

The technical mechanics of the attack reveal fundamental design flaws in Resolv's USR stablecoin architecture.

USR uses a delta-neutral hedging strategy backed by ETH and BTC rather than traditional fiat reserves.

blockchain.news

The vulnerability stemmed from structural design failures including a single-key controlled privileged account with no mint limits.

No oracle checks or amount verification existed between minting requests and execution.

This allowed the attacker to receive 50 million USR for a mere 100,000 USDC deposit.

Onchain data shows USR crashed to just $0.025 on its most liquid Curve Finance pool within 17 minutes.

The token later recovered to around $0.85 but has not fully restored its $1 peg.

The attack specifically targeted the coupling point between minting logic and off-chain signatures/oracles.

Experts identify this as the most vulnerable attack surface of delta-neutral stablecoin systems.

The market impact of the USR depeg was immediate and severe across multiple DeFi protocols.

“On Sunday, an attacker exploited a flaw in the minting contract of Resolv’s USR stablecoin, creating around 80 million unbacked tokens and walking away with roughly $25 million in Ether”

CoinCentral

USR dropped to as low as $0.025 on Curve Finance within minutes of the attack.

Sources report varying recovery levels—$0.85, $0.27, and $0.42 according to different outlets.

The depeg cascaded through DeFi lending markets where USR and wstUSR were used as collateral.

Platforms including Morpho, Gauntlet, Euler, and Fluid experienced forced liquidations of leveraged positions.

The incident exposed Resolv's underlying financial weakness—$95 million assets vs $173 million liabilities.

This left the protocol functionally insolvent despite claims of intact collateral pools.

Resolv had already been shedding value, with USR's market cap falling from $400 million in early February to roughly $100 million before the attack.

Security experts have issued stark warnings about fundamental vulnerabilities exposed by this exploit.

Deddy Lavid, CEO of Cyvers, emphasized that "Audits alone are not enough, if you're not monitoring minting and supply in real time, you're blind when it matters most."

Cointelegraph

Ido Sofer, CEO of Sodot, identified a growing trend focusing on "blind spot of security teams - sensitive keys and credentials that do not hold the funds directly."

Andrew Hong from D2 Finance described it as a "critical failure of access controls" highlighting privileged minting risks.

The exploit follows similar incidents at Truebit ($26.6 million) and Makina Finance ($5 million) in early 2026.

Immunefi reports the average crypto hack now costs about $25 million.

The top five exploits in 2024-2025 accounted for 62% of all stolen funds in crypto.

The incident underscores systemic risks in DeFi security architectures.

Resolv Labs stated its collateral pool "remains fully intact" with "no underlying assets" lost.

“Resolv Labs recently experienced a major exploit in its USR stablecoin system, leading to the minting of 80 million unbacked tokens”

crypto.news

Analysts note this understates damage from supply inflation rather than direct theft.

crypto.news

The Abu Dhabi-based protocol has paused all protocol functions.

Resolv is working with law enforcement and analytics firms to recover assets.

DeFi protocols quickly responded: Lido, Morpho, and Aave confirmed systems unaffected.

Euler, Venus, and Fluid paused markets or isolated vaults to contain risks.

The incident occurs amid increased U.S. regulatory scrutiny of stablecoins.

Traders monitor attacker's 11,000+ ETH holdings, which could impact Ethereum prices.

Potential support levels around $2,000 to $2,100 if holdings are dumped.