Resolv Labs Hit by Exploit That Flooded Market With Unbacked USR, Deepening DeFi Fallout


TL;DR:

  • Resolv suffered an exploit that allowed minting 80 million USR tokens without backing, draining around $23 million in Ethereum from the protocol.
  • The attacker compromised private keys from the key management system in AWS and bypassed oracle controls and maximum minting limits.
  • The USR token lost more than 80% of its value and at least 15 vaults on Morpho with exposure to the asset recorded considerable losses.

On Sunday, March 23, 2026, Resolv suffered one of the most significant exploits of the year in the DeFi ecosystem. An attacker exploited a flaw in the minting system of the protocol’s native stablecoin, USR, to generate 80 million tokens without real collateral backing. The operation allowed them to drain approximately $23 million in Ethereum before the team could suspend mint and redemption functions.

The attack vector did not reside in the delta-neutral logic that underpins USR’s design, but in the compromise of private keys from the key management service hosted on Amazon Web Services. According to Chainalysis, the attacker used between $100,000 and $200,000 in collateral to generate the tokens, implying a fraudulent issuance ratio of up to 500 times the legitimate amount. The minting contract lacked oracle verification and maximum issuance limits, which facilitated the operation.


Resolv: A Cascading Impact Nobody Could Contain

The USR token, designed to maintain parity with the dollar, crashed to $0.02 within minutes of the first anomalous mint. Although it partially recovered ground, it continued trading well below its peg for hours. The RESOLV governance token fell 8.5% in 24 hours.

The damage spread rapidly to interconnected protocols. Morpho, which operates under a curators model that manages vaults with their own parameters, received one of the hardest blows. At least 15 vaults with more than $10,000 in liquidity recorded direct losses from exposure to USR or related assets. Curators Gauntlet, Re7 Labs, kpk, and 9summits operated pools with that exposure. In some cases, automated liquidity provision systems remained active for hours after the exploit, compounding the damage. Merlin Egalite, co-founder of Morpho, clarified that the base protocol’s contracts presented no vulnerabilities.


Lido confirmed that funds in Lido Earn were not affected. Stani Kulechov, founder of Aave, noted that the protocol had no direct exposure to USR. Deddy Lavid, CEO of Cyvers, delivered a pointed remark about the incident: “If you’re not monitoring minting and supply in real time, you’re blind when it matters most.”
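The two controls the minting contract is described as lacking (a check of each mint against independently priced collateral, and a cap on issuance) can also run as an off-chain monitor over mint events, which is the real-time supply monitoring the quote above refers to. This is an added example, not Resolv's code; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for illustration; a real deployment would tune these.
MAX_MINT_PER_USD = Decimal("1.01")   # tolerated mint per $1 of oracle-priced collateral
WINDOW_SECONDS = 3600                # rolling window for the issuance cap
WINDOW_CAP = Decimal("5000000")      # max tokens minted per window

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # block timestamp, unix seconds
    tx: str                  # placeholder transaction label
    collateral_usd: Decimal  # deposit valued by an independent price feed
    minted: Decimal          # stablecoin units issued (1 unit targets $1)

def review_mints(events):
    """Return [(tx, [reason, ...])] for mints that break a backing or rate rule."""
    alerts, window = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        # Backing check: issuance must not exceed what the collateral supports.
        if ev.minted > ev.collateral_usd * MAX_MINT_PER_USD:
            reasons.append("unbacked")
        # Rate check: total issuance inside the rolling window, this mint included.
        window = [e for e in window if ev.ts - e.ts < WINDOW_SECONDS] + [ev]
        if sum(e.minted for e in window) > WINDOW_CAP:
            reasons.append("rate_cap")
        if reasons:
            alerts.append((ev.tx, reasons))
    return alerts

# Constructed sample events (not on-chain data).
SAMPLE = [
    MintEvent(0, "tx-a", Decimal("100000"), Decimal("100000")),
    MintEvent(600, "tx-b", Decimal("250000"), Decimal("249000")),
    MintEvent(1200, "tx-c", Decimal("100000"), Decimal("50000000")),
    MintEvent(1500, "tx-d", Decimal("100000"), Decimal("30000000")),
    MintEvent(9000, "tx-e", Decimal("50000"), Decimal("50000")),
]

if __name__ == "__main__":
    for tx, reasons in review_mints(SAMPLE):
        print(tx, ",".join(reasons))
```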

The Resolv exploit illustrates that fourteen audits and a $500,000 bug bounty program on Immunefi prove insufficient if the operational management of private keys and controls over privileged roles are not held to the same standard.
