TL;DR:
- Resolv Labs issued a 72-hour ultimatum to the attacker who stole $25M, offering to let them keep 10% if they return the rest.
- The exploit occurred on March 22: the attacker minted 80 million unbacked USR tokens and converted them into 11,409 ETH.
- The vulnerability originated in a privileged minting role controlled by a single account with no limits or multi-signature authorization.
Resolv Labs issued a public ultimatum to the attacker responsible for the exploit that last Sunday drained approximately $25 million from the protocol. Through an onchain message, the Abu Dhabi-based company offered the individual the option to keep 10% of the stolen funds in exchange for returning the remaining 90% (approximately $22.5 million in ETH) along with any USR tokens still under their control.
The established deadline expires on Thursday. Resolv also included an alternative path in the proposal: the attacker may opt for a responsible disclosure scheme, contacting the team by email to demonstrate that their intervention was the result of a good-faith security investigation.
What Happened to Resolv?
The attack took place in the early hours of Sunday, March 22. The attacker deposited approximately $200,000 in USDC into Resolv’s USR Counter contract and received 50 million USR in return. A second transaction allowed them to mint an additional 30 million tokens. The total obtained was exchanged for stablecoins across various decentralized exchanges and then converted into 11,409 ETH, according to onchain data.
Analysts determined that the breach originated in a privileged minting role controlled by a single externally owned account, with no maximum issuance limits, no oracle checks, and no multisignature authorization requirement. Resolv acknowledged in its statement that the exploit, though facilitated by a protocol vulnerability, was executed with clear malicious intent and that the unbacked tokens generated represent a risk to the stability of the secondary market.
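The three controls the analysts found missing can be modeled as a mint gate. The following is an added example, not Resolv's contract code: an off-chain Python model in which the signer names, cap values, and the 1 USR per 1 USD collateral ratio are assumptions, and the first sample request is constructed from the figures reported above.

```python
from dataclasses import dataclass
from decimal import Decimal

INF = Decimal("Infinity")
@dataclass(frozen=True)
class MintRequest:
    collateral_usd: Decimal   # deposit value as priced by an oracle
    mint_amount: Decimal      # USR requested
    approvers: frozenset      # identities that signed off on this request

@dataclass
class MintPolicy:
    signers: frozenset        # accounts allowed to approve mints
    threshold: int            # approvals required (m of n)
    max_per_tx: Decimal       # issuance cap per request
    max_per_window: Decimal   # issuance cap per accounting window
    max_ratio: Decimal = Decimal("1")  # assumed: 1 USR per 1 USD of collateral
    minted_in_window: Decimal = Decimal("0")

    def check(self, req):
        # Collect every violated control; an empty list means the mint may proceed.
        reasons = []
        if len(req.approvers & self.signers) < self.threshold:
            reasons.append("insufficient approvals")
        if req.mint_amount > self.max_per_tx:
            reasons.append("per-transaction cap exceeded")
        if self.minted_in_window + req.mint_amount > self.max_per_window:
            reasons.append("window cap exceeded")
        if req.mint_amount > req.collateral_usd * self.max_ratio:
            reasons.append("mint exceeds oracle-priced collateral")
        return reasons

    def mint(self, req):
        reasons = self.check(req)
        if not reasons:
            self.minted_in_window += req.mint_amount
        return reasons

# Constructed requests; the first mirrors the figures reported in the article.
REPORTED = MintRequest(Decimal("200000"), Decimal("50000000"), frozenset({"ops-key"}))
BACKED = MintRequest(Decimal("200000"), Decimal("200000"), frozenset({"signer-a", "signer-b"}))

def weak_policy():      # single key, no caps, no collateral check
    return MintPolicy(frozenset({"ops-key"}), 1, INF, INF, INF)
def hardened_policy():  # 2-of-3 approval, caps, 1:1 collateral check (assumed values)
    return MintPolicy(frozenset({"signer-a", "signer-b", "signer-c"}), 2,
                      Decimal("1000000"), Decimal("5000000"))

if __name__ == "__main__":
    for name, pol in [("weak", weak_policy()), ("hardened", hardened_policy())]:
        print(name, pol.mint(REPORTED) or "minted")
```

Under the weak policy the reported request passes every check; under the hardened one it is rejected by each of the four controls independently, so any single control would have stopped it.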
Protocol Responses and Solutions for Affected Users
Should the deadline pass without compliance, the protocol warned it will escalate its measures: coordination with centralized exchanges, bridges, and infrastructure providers to restrict or freeze the assets, public disclosure of the addresses and transaction traces involved, and collaboration with blockchain analytics firms and law enforcement to initiate legal action.
Resolv Digital Assets Ltd. also announced that it has enabled redemptions for users who held USR prior to the incident and appeared on the allowlist. Updates for the remaining users, the protocol indicated, will be communicated in the coming hours.






