Resolv Burns 9M USR Tokens After ₱1.5 billion ($25 million) Exploit
After hackers exploited a leaked private key from Resolv's off-chain minting service, the protocol detected the breach when attackers began dumping unbacked tokens through Curve Finance and DEX pools. Resolv Labs paused all functions and burned 9 million USR from attacker holdings.
Key Takeaway
Leaked keys trump smart contract security when minting functions lack hard volume caps.
Hackers exploited a leaked private key from Resolv's off-chain minting authorization service to mint 50 million unbacked USR tokens, overwhelming the protocol's shock absorber mechanism designed to protect the stablecoin's peg.
Resolv's smart contracts validated signature authenticity but lacked upper limits on minting volume, allowing attackers to create unlimited tokens with a valid signature. D2 Finance called the attack a textbook DeFi hacker cash-out path, with the attacker achieving a 250x return on initial capital.
Hackers dumped the unbacked tokens through batch sales into Curve Finance's USR/USDC pool and multiple DEX liquidity pools, also using cross-chain bridges to move funds. The Morpho MEV Capital Resolv USR Vault suffered primary collateral damage from the liquidity shock.
Resolv's dual-tranche design uses the junior tranche RLP token as a shock absorber to protect USR holders during market stress. The 50 million freshly minted tokens overwhelmed this protection layer before the team could respond.
Resolv Labs paused all protocol functions immediately upon exploit detection and processed ₱29.99 million ($0.5 million) in redemptions before burning 9 million USR from attacker holdings on March 24, 2026.
This article was written based on reporting from CryptoPotato.
