Resolv: How a compromised key sent USR token crashing 80%

Resolv: How a compromised key sent USR token crashing 80%
Ask AI TO SUMMARIZE ThIS ARTICLE

A compromised key let an attacker mint 80M unbacked USR tokens, crashing the stablecoin 80%. The $25M exploit exposed critical DeFi security gaps and sent shockwaves through Curve, Morpho, and more.

Your 2 free articles this month are up

The research your peers are already leveraging

The Big Whale gives financial institutions the market intelligence, network, and platform to move with confidence in digital assets. Trusted by 150+ firms.

On Sunday, March 22, the stablecoin USR — issued by the Resolv protocol — lost its dollar peg after an attacker exploited a compromised private key to mint roughly 80 million tokens against a trivial collateral deposit.

The incident resulted in an estimated $25 million extraction and triggered cascading effects across several DeFi platforms, forcing Resolv to halt operations.

The scope of the attack

The mechanism was not, strictly speaking, a hack in the conventional sense: no collateral reserves were seized. The attacker gained access to a privileged signing key stored within the protocol's AWS Key Management Service environment.

Armed with that credential, they submitted two minting transactions: first 50 million USR against approximately 100,000 USDC, then another 30 million USR. The freshly minted, unbacked tokens were subsequently dumped into decentralized exchange liquidity pools — most notably Curve's USR/USDC pair — to extract real value.

The attacker's path ran from minted USR through wstUSR (a staked USR derivative), then into stablecoins, and finally into ETH: a total of 11,400 coins worth approximately $24.4 million and 20 million wstUSR.

USR briefly collapsed to around $0.20 before stabilizing near $0.26, an 80% deviation from its intended peg.

What makes the episode particularly instructive is not the key compromise itself — which falls within a well-documented category of operational security failures — but the absence of elementary safeguards in the smart contract architecture.

The minting function imposed no ceiling per transaction or per time window. It performed no validation of the ratio between deposited collateral and minted tokens. It referenced no price oracle. In short, once the attacker held the privileged key, the protocol offered no second line of defense.

>> Discover our stablecoin dashboard

The damage done

The contagion rippled outward with characteristic DeFi speed.

Curve's pool was drained, sending the CRV token down nearly 5%. On Morpho, where USR served as an underlying asset in several lending vaults, the damage was more structural: Gauntlet's USDC Frontier vault saw $85.66 million in deposit outflows, its Core vault another $17 million, and more than ten vaults on the platform were affected in total.

Exposure also surfaced on Euler and across Midas products, including mBASIS, mAPOLLO, and mEDGE. Morpho's token dipped roughly 5% before recovering. The Resolv team has stated that underlying collateral reserves were not compromised.

>> MEV Capital: Anatomy of a collapse and takeover by Belem Capital

The Big Whale's take

The velocity of contagion remains the core differentiator between decentralized and traditional financial plumbing: in conventional markets, comparable risk transmission typically unfolds over days, affording intermediaries time to hedge, communicate, and intervene.

Here, the chain reaction played out within hours.

More fundamentally, this incident illustrates why institutional capital deployment into decentralized protocols continues to proceed cautiously.

The vulnerability was not exotic. Single-key control over critical functions, the absence of minting caps, and the lack of oracle-based validation are all known failure modes, extensively documented in the audit literature.

That they persist in a protocol handling meaningful capital points to a gap not in technology per se, but in the security governance standards the industry has yet to formalize.

Until those standards exist and are independently enforced, episodes like this one will continue to set back the timeline for full-scale institutional adoption of DeFi rails — regardless of how diligent individual vault curators or asset allocators may be.

Format
Analysis
Aleksandar Bukovski

Aleksandar Bukovski is Lead Analyst at The Big Whale, where he specializes in decentralized finance and crypto-assets. His published work at The Big Whale covers topics including stablecoins, tokenized finance, DeFi protocols, Bitcoin mining, and institutional adoption of digital assets. He also hosts the Market Call, a recurring market analysis format produced by The Big Whale.

Prior to joining The Big Whale in February 2025, Bukovski spent five months as a Research Analyst at The Block, a crypto-focused information services firm, where his stated focus was tokenization. He holds an Engineer's degree in Finance and Financial Management Services and a Master's degree in Investment Management, both from the Faculty of Technical Sciences at the University of Novi Sad, Serbia.

See all articles ↗
Subscribe to The Drop
The leading weekly briefing on digital assets for financial institutions: independent analysis, reports, benchmarks and exclusive events, delivered to your inbox.
Read by 30,000 professionals
November 12–13, 2026

The Geneva Summit

The Corporate Gateway: where the future of onchain finance is decided. 300 handpicked decision-makers. One shared mandate.
300
Decision-makers
2 days
Intensive program