Overview
- Resolv Labs’ USR, a dollar-pegged token, was hit Sunday when an attacker used a compromised signing setup to mint about 80 million coins and the price briefly sank to as low as 2.5 cents on Curve.
- The attacker swapped the illicit USR into stablecoins and then into about 11,409 ETH, leaving roughly $25 million in value now held on-chain.
- Resolv paused all protocol functions, said the collateral pool was not directly drained, burned around 9 million attacker-held USR, and is preparing restricted redemptions for pre-incident holders.
- On-chain analysts traced the root to a privileged role controlled by a single private key, with no oracle checks, no amount validation, and no hard cap on minting, a gap traditional audits often miss because they do not test off-chain key security.
- DeFi platforms such as Lido, Aave, and Morpho moved to limit exposure, while USR holders and liquidity providers absorbed losses as the token traded far below $1 on Monday and investigators and law enforcement track funds.