Resolv stablecoin falls 70% following $80 million hack as attacker creates USR.

Issues with Resolv’s USR Stablecoin

A stablecoin ideally holds a value of $1, but Resolv’s USR is currently trading at around 27 cents, and attempts to rectify this situation seem inadequate.

On Sunday, at roughly 2:21 a.m. UTC, attackers took advantage of a vulnerability in Resolv’s USR stablecoin minting contract. They managed to create around 80 million tokens without backing and extracted nearly $25 million, as reported by various blockchain security firms and on-chain data.

Subsequently, these attackers traded the minted USR on decentralized exchanges for USDC and USDT, then converted those into ETH. Now, they hold approximately 11,409 ETH, valued at around $23.7 million, along with about $1.1 million in wrapped USR in different wallets.

Initially pegged to the dollar, USR plunged to as low as $0.025 in one of the most active Curve Finance pools just 17 minutes after the minting began, according to DEX Screener.

Although the price has somewhat rebounded to about $0.85, the peg to the dollar remains unstable. By Monday morning, USR was trading at $0.27, marking a 72% drop over the week.

In a recent notice, Resolv Digital Assets acknowledged the situation, revealing that a malicious actor accessed their infrastructure by compromising private keys, leading to the unauthorized minting of those tokens.

However, further investigations highlighted issues deeper than initially reported. Resolv characterized the breach as a “private key compromise” and “targeted infrastructure compromise.” On-chain analysts pointed out that the real flaw lies in the structure itself. The SERVICE_ROLE account, responsible for swap requests, was managed by a single externally owned account, rather than a more secure multisig setup. Additionally, the contract failed to include oracle checks, monetary verification, and limits on minting.

Interestingly, the attacker was able to deposit 100,000 USDC but received a staggering 50 million USR. This discrepancy was due to a lack of system checks to validate whether this exchange rate was logical.

Ido Sofer, founder of a cryptographic key management firm, commented that setups like this are not uncommon in smart contracts. “There’s often a key with control over contract specifics, which is often overlooked. This single point of failure makes it a tempting target,” he noted.

Sofer also pointed to a growing trend in security breaches focusing on overlooked areas, such as keys and credentials that grant access rather than holding funds directly. These vulnerabilities include developer credentials and transaction API keys.

According to data from DeFiLlama, Resolv’s total value locked (TVL) reached nearly $684 million in February 2025 but saw a decline throughout the year, eventually dropping to around $95 million before this incident.

Resolv stated they are collaborating with law enforcement and blockchain analytics firms, committing to “exploring all avenues to recover lost assets.” They strongly recommend against trading USR while recovery efforts are underway, cautioning that user activities during this post-incident period could hinder recovery.