Resolv Hack: ₱1.38 billion ($23 million) Drained Despite 18 Prior Audits
Risk ratings firm Credora had flagged USR with a junk rating before the exploit, identifying a single privileged access key with unchecked minting authority as the core vulnerability that auditors repeatedly missed.
Key Takeaway
Eighteen audits missed the privileged key flaw that let hackers mint ₱4.8 billion ($80 million) in fake stablecoins.
A hacker drained ₱1.38 billion ($23 million) in Ether from Resolv over the weekend after gaining access to the protocol's private keys and minting ₱4.8 billion ($80 million) in unbacked USR stablecoins.
The exploit came five days after Steakhouse Financial published an economic and operational overview as Resolv's risk manager. Resolv offered to let the attacker keep 10% of the stolen funds if they returned the rest by Thursday, but the deadline passed without compliance.
Credora identified the root cause as a single privileged access key with unchecked minting authority, made worse by the absence of onchain safeguards. DeFi audits don't always check for this vulnerability, the firm noted.
Gate Ventures Managing Partner Kevin Yang called the incident a structural failure in how DeFi prices risk, saying the ecosystem cannot scale total value locked to the trillions with substandard security.
USR now trades at 20 cents after losing its $1 peg. Waymont CEO Jai Bhavnani said the hack felt like the final nail in the coffin for DeFi, with liquidity providers realizing most protocols offer too much risk for too little reward.
Resolv turned off USR mint and redeem functions immediately after the attack on March 23, 2026.
This article was written based on reporting from Dlnews.
