
2026-03-23 20:53
In the cryptocurrency market, stablecoins are regarded as the "bridge" connecting traditional finance with Web3, making their stability and security paramount. However, a recent attack targeting Resolv’s USR stablecoin has once again sounded the alarm for DeFi security. On March 22, 2025, an attacker exploited a vulnerability in Resolv’s USR minting contract to mint approximately 80 million uncollateralized tokens and siphon off around $25 million in ETH. This incident caused USR to plummet to $0.025 on Curve Finance, followed by a partial recovery to roughly $0.85, though its peg to the US dollar has not been restored. The breach not only caused USR to lose its dollar peg but also exposed the inherent vulnerabilities within complex DeFi protocols and highlighted the substantial risks posed by high-yield stablecoins in the absence of regulatory oversight.
Multiple blockchain security firms reported that on Sunday, an attacker exploited a flaw in Resolv’s USR stablecoin minting contract to create approximately 80 million uncollateralized tokens and steal about $25 million.
Attack Method: The attack began around 2:21 UTC. The X account YieldsAndMore was the first to detect the incident and posted Etherscan transaction data showing the attacker deposited 100,000 USDC into Resolv’s USR Counter contract and received 50 million USR in return, approximately 500 times the expected amount. Subsequently, the attacker executed a second transaction to mint an additional 30 million USR.
USR Peg Collapse: USR is a USD-pegged stablecoin employing a delta-neutral hedging strategy, backed by ETH and BTC rather than fiat reserves. According to DEX Screener data, the token dropped to $0.025 within 17 minutes of the initial minting in its most liquid Curve Finance liquidity pool. Prices later rebounded to around $0.85, but as of Sunday morning, the peg to the US dollar had not been restored.
Stolen Assets: The attacker used an address starting with 0x04A2 to swap the minted USR for USDC and USDT on decentralized exchanges, then converted those into ETH. Blockchain data shows that as of publication, the attacker’s wallet holds 11,409 ETH, worth approximately $23.7 million. Another confirmed attacker-associated wallet holds wstUSR tokens valued at around $1.1 million.
Resolv Labs’ Response: In a statement on X, Resolv Labs declared all protocol functions suspended, asserting that its collateral pools were “completely intact” and “no underlying assets” were lost. The team emphasized the issue was “limited solely to the USR issuance mechanism.”
Analysts identified the flaw as stemming from a privileged minting role controlled by an externally owned account (EOA) without minting limits or oracle verification.
Weak Access Control: Chain analyst Andrew Hong attributed the security breach to the protocol’s SERVICE_ROLE, a privileged account used to fulfill redemption requests. This role was managed by a standard externally owned account (EOA), not a multi-sig wallet. Additionally, the minting contract lacked oracle checks, quantity validation, and a maximum minting cap.
Lack of Auditing and Monitoring: DeFi fund D2 Finance outlined three possible explanations: oracle tampering, compromise of off-chain signers, or missing amount validation between mint request and completion. YieldsAndMore concurred with this assessment, noting that Resolv’s governance mechanisms lacked security safeguards commensurate with its scale. “Audits alone are insufficient—if you’re not monitoring minting and supply in real time, you’re blind at the most critical moment,” said Deddy Lavid, CEO of Cyvers, to The Block.
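The controls the analysts describe as missing (amount validation between mint request and completion, a maximum mint cap, and real-time supply monitoring) can be expressed as an off-chain monitor. This is an added example, not Resolv's code: the thresholds, the `MintEvent` fields, the event labels and the deposit behind the second mint are constructed assumptions, while the mint amounts and the roughly 100 million starting supply follow the figures in this article.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for illustration; a real deployment would tune these.
MAX_RATIO_DEVIATION = Decimal("0.01")  # minted amount may differ from deposit value by 1%
MAX_MINT_PER_TX = Decimal("5000000")   # hard cap on a single mint, in USR
MAX_SUPPLY_GROWTH = Decimal("0.05")    # supply may grow at most 5% per monitoring window

@dataclass
class MintEvent:
    tx: str               # constructed label, not a real transaction hash
    deposit_usd: Decimal  # oracle-priced USD value of the deposited collateral
    minted_usr: Decimal   # USR issued when the mint request was completed

def check_mint(event, supply_at_window_start, minted_in_window):
    """Return the names of the rules this mint violates (empty list means pass)."""
    alerts = []
    expected = event.deposit_usd  # a USD-pegged token should mint 1 USR per 1 USD
    if expected <= 0 or abs(event.minted_usr - expected) / expected > MAX_RATIO_DEVIATION:
        alerts.append("amount_mismatch")
    if event.minted_usr > MAX_MINT_PER_TX:
        alerts.append("per_tx_cap")
    if (minted_in_window + event.minted_usr) / supply_at_window_start > MAX_SUPPLY_GROWTH:
        alerts.append("supply_growth")
    return alerts

def scan(events, supply_at_window_start):
    """Check every mint in one window while tracking cumulative issuance."""
    minted_in_window = Decimal(0)
    report = {}
    for ev in events:
        report[ev.tx] = check_mint(ev, supply_at_window_start, minted_in_window)
        minted_in_window += ev.minted_usr
    return report

# Constructed sample window: one ordinary mint, then the two mints the article
# describes (100,000 USDC in, 50 million USR out, then a further 30 million USR).
SAMPLE = [
    MintEvent("tx-normal", Decimal("250000"), Decimal("250000")),
    MintEvent("tx-mint-1", Decimal("100000"), Decimal("50000000")),
    MintEvent("tx-mint-2", Decimal("100000"), Decimal("30000000")),
]

if __name__ == "__main__":
    for tx, alerts in scan(SAMPLE, Decimal("100000000")).items():
        print(tx, alerts or "ok")
```

The same three rules could be enforced inside the minting contract itself; running them off-chain only detects the event, which is why the cap and amount check matter even when monitoring exists.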
While Resolv’s claim that its collateral pools were “completely intact” is technically accurate, it underestimates the actual damage.
Supply Inflation: As chain analysts pointed out, this attack took the form of supply inflation rather than direct theft of collateral. The addition of 80 million new tokens diluted the existing supply, and the attacker’s dumping completely destroyed the liquidity of the collateral pool. Anyone holding USR at the time suffered immediate losses.
Impact on DeFi Lending Markets: The de-peg effect also spread to DeFi lending markets. USR and its staked derivative wstUSR were accepted as collateral on platforms such as Morpho and Gauntlet. Some speculative traders may have purchased USR at a discount and borrowed USDC at a fixed valuation of $1, thereby draining stablecoin liquidity from these vaults. D2 Finance noted that vaults managed by Gauntlet on Morpho were also affected.
Secondary Positions and Cascading Effects: The losses may extend to Resolv’s secondary positions. Resolv Liquidity Pool (RLP), designed as a buffer layer to absorb losses and protect USR holders, had circulating funds of approximately $38.6 million before the exploit. According to YieldsAndMore, Stream held 13.6 million RLP positions on Morpho with a net exposure of about $17 million, suggesting depositors could face another major loss.
Market Cap Plunge: According to CoinMarketCap, USR’s market cap had fallen from around $400 million in early February to approximately $100 million prior to the attack. In response, the RESOLV governance token price declined by about 8.5% over the past 24 hours.
Resolv completed a $10 million seed round in April 2025, led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, and Animoca Ventures, and incubated by Delphi Labs.
Audits and Bug Bounty: Resolv’s website claims it has undergone 14 audits across five firms and established a $500,000 Immunefi bug bounty program, alongside continuous smart contract monitoring services.
Trend in DeFi Exploits: The Resolv incident adds to the number of DeFi attacks in 2026 and is the latest in a series of crypto attacks early in the year. In January, Truebit suffered a $26.6 million loss due to an exploit leveraging a smart contract vulnerability deployed five years earlier. The same month, Makina Finance’s stablecoin pool lost around $5 million after attackers manipulated the protocol’s oracle via flash loans. A report from Immunefi released last week revealed that the average loss from cryptocurrency exploits currently stands at around $25 million, with the top five attacks from 2024–2025 accounting for 62% of all stolen funds.
From a policy perspective, timing is particularly telling, as U.S. lawmakers are actively debating how to regulate yield-bearing stablecoins under the proposed GENIUS Act.
Risk of Bank Deposit Diversion: The American Bankers Association warned that such products could divert deposits away from traditional banks.
Regulatory Consensus: Several key senators reached a “principled agreement” last Friday on how to handle stablecoin yields.
The Resolv USR stablecoin lost its dollar peg following an attacker’s minting of 80 million uncollateralized tokens and theft of approximately $25 million in ETH, reiterating the urgent need for enhanced DeFi security. This incident not only reveals potential vulnerabilities in high-yield stablecoins related to complex contract design, access control, and auditing practices but also poses a severe challenge to trust mechanisms across the entire DeFi ecosystem.