A DeFi platform’s stablecoin has depegged and plunged more than 70% in value after an attacker exploited a compromised private key to mint $80 million in uncollateralized tokens. Resolv Labs’ USR stablecoin lost its peg to the U.S. dollar on Sunday following the breach, with the attacker successfully extracting roughly $25 million in actual value through various DeFi protocols.
The attack represents a significant security failure for the protocol and highlights ongoing vulnerabilities in how some DeFi platforms manage critical infrastructure. According to Resolv Labs’ statement, the incident involved unauthorized access to company infrastructure through a compromised private key, which enabled the attacker to bypass normal safeguards and create fake USR tokens out of thin air.
The attacker’s method was straightforward but effective. They minted approximately 80 million USR tokens that had no collateral backing them. The hacker then converted the unbacked USR into a staked version called wstUSR before swapping it into other stablecoins and ultimately into Ethereum, according to analysis from blockchain forensics firm Chainalysis.
This cash-out strategy followed what crypto fund D2 Finance called a “textbook DeFi hacking cash-out path.” The attacker sent USR in batches to multiple liquidity protocols while prioritizing large sell-offs, a technique that allowed them to move $25 million in stolen value before the protocol could respond.
The root cause of the vulnerability lies in how Resolv Labs structured its minting process.
According to reports, the protocol relied on an “off-chain service that used a privileged private key to sign off on how much USR could be created.” Critically, the smart contract itself imposed no maximum limit on USR minting, leaving the system vulnerable if that private key were ever compromised.
Data platform RootData’s analysis suggests the attack method may have also involved “manipulated oracles” or “leaked off-chain signer keys,” though the exact scope of the vulnerability remains under investigation.
In response to the exploit, Resolv Labs immediately paused all protocol functions to prevent further damage. The team has already burned approximately $9 million in USR tokens in an effort to “reduce the potential impact” of the circulating unbacked supply.
The platform is now working with law enforcement and on-chain analytics firms to identify the hackers responsible and track down the stolen funds. Resolv Labs stated it is preparing to enable redemptions for “pre-incident USR,” beginning with allowlisted users, though specific timelines remain unclear.
The incident is the latest in a troubling series of DeFi security breaches.
In recent weeks, Solana protocol Step Finance decided to wind down operations entirely after suffering a $29 million hack. Meanwhile, an oracle error left DeFi lender Moonwell with $1.8 million in bad debt.
These recurring incidents underscore persistent challenges in DeFi security, particularly around the management of private keys and the design of critical system components. While blockchain technology itself is immutable, the human and infrastructure layers surrounding it remain vulnerable to attack.
See also: FTC Forces Nomad Bridge Operator to Repay $186M After Hack Exposed Security Failures
The crash in USR value has likely impacted users holding the stablecoin, as the token traded at significantly below its $1 peg following the exploit. CoinGecko data showed USR dropped more than 74% from its intended value, making it impossible for holders to redeem their tokens at face value during the initial chaos.
Resolv Labs has not yet provided a full timeline for when normal protocol operations will resume or detailed redemption procedures for affected users. The team’s focus appears to be on containing the damage, working with law enforcement, and recovering stolen funds rather than rushing to restore service.
For users with exposure to USR, the situation remains uncertain. The platform’s decision to allow redemptions only for pre-incident USR means some users may face losses depending on when they acquired their tokens and what balance of the unbacked supply actually gets recovered.
If you’re reading this, you’re already ahead. Stay there, by joining the…
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.
