Resolv's USR stablecoin breaks peg after exploit mints 80M unbacked tokens and siphons about $25M in ETH

Resolv's USR stablecoin suffered a sharp depegging after attackers exploited a flaw in its minting system, creating roughly 80 million unbacked tokens and extracting about $25 million in ETH. The incident has renewed concerns about DeFi access-control risks and the fragility of yield-oriented stablecoin designs. Exploit timeline and market impact Blockchain security researchers said the attack began around 02:21 UTC on March 22, 2025. The X account YieldsAndMore first flagged the activity, citing Etherscan data showing the attacker deposited 100,000 USDC into Resolv's USR Counter contract and received 50 million USR—about 500x more than expected. A second transaction minted another 30 million USR. USR, marketed as a dollar-pegged stablecoin using a delta-neutral hedging strategy and backed by crypto assets such as ETH and BTC rather than fiat reserves, quickly unraveled. DEX Screener data shows USR fell to $0.025 within 17 minutes in its most liquid Curve Finance pool. It later rebounded to around $0.85, but the $1 peg had not been restored by Sunday morning. Funds flow and attacker wallets Onchain data indicates an address beginning with 0x04A2 swapped newly minted USR for USDC and USDT on decentralized exchanges, then converted proceeds into ETH. As of publication, the primary wallet held 11,409 ETH worth about $23.7 million. A separate wallet attributed to the attacker held wstUSR tokens valued at about $1.1 million. Resolv Labs response Resolv Labs said on X that it suspended all protocol functions. The team claimed the collateral pool remained "completely intact" with "no loss of underlying assets," adding the issue was "limited to the USR issuance mechanism." What went wrong: privileged minting and weak controls Analysts tied the incident to a privileged minting pathway with inadequate safeguards. Chain analyst Andrew Hong pointed to the protocol's SERVICE_ROLE, used to fulfill swap requests, as the weak link. The role was controlled by a standard externally owned account (EOA) rather than a multisignature setup, and the minting contract lacked oracle checks, amount validation, and maximum mint limits. D2 Finance outlined three plausible drivers: oracle manipulation, compromise of offchain signers, or missing validation between mint requests and completion. YieldsAndMore said governance and monitoring controls appeared insufficient for the protocol's scale. Cyvers CEO Deddy Lavid told The Block: "Relying solely on audits is not enough—if you don't monitor minting and supply in real time, you're blind at the most critical moments." Why holders still lose even if collateral remains Even if the collateral pool itself was not directly drained, the attack functioned as a supply-inflation event. Minting 80 million new tokens diluted existing holders and the ensuing sell pressure damaged liquidity, creating immediate losses for anyone holding USR during the event. The depeg also rippled into DeFi lending venues. USR and its staked derivative wstUSR have been accepted as collateral on platforms including Morpho and Gauntlet. Traders buying discounted USR and borrowing USDC at a fixed $1 valuation could have further drained stablecoin liquidity in affected vaults. D2 Finance said Gauntlet-managed Morpho vaults were among those impacted. Losses may extend to Resolv's subordinate layer. The Resolv Liquidity Pool (RLP), positioned as an insurance layer to absorb losses and protect USR holders, had about $38.6 million circulating at pre-exploit prices. YieldsAndMore said Stream holds 13.6 million RLP shares with net exposure of around $17 million, suggesting depositors could face additional damage. Market metrics and token reaction CoinMarketCap data shows USR's market cap had already slid from about $400 million in early February to roughly $100 million before the exploit. Following the incident, the RESOLV governance token fell about 8.5% over the past 24 hours. Company background and broader hack context Resolv raised a $10 million seed round in April 2025 led by Cyber.Fund and Maven11, with Coinbase Ventures, Arrington Capital, and Animoca Ventures participating, and support from Delphi Labs as an incubator. Resolv's website says it completed 14 audit projects across five companies, set up a $500,000 Immunefi bug bounty, and runs ongoing smart contract monitoring. The event adds to a growing list of DeFi exploits. In January, Truebit lost $26.6 million after attackers abused a smart contract vulnerability deployed five years earlier. Also in January, Makina Finance's stablecoin pool lost about $5 million after attackers manipulated an oracle via flash loans. An Immunefi report released last week put the average loss per crypto hack at around $25 million, with the five largest incidents between 2024 and 2025 accounting for 62% of total stolen funds. Regulatory backdrop: yield-bearing stablecoins in focus The timing coincides with U.S. lawmakers debating how to regulate yield-bearing stablecoins under the GENIUS Act. The American Bankers Association has warned these products could pull deposits away from traditional banks. Several key senators reached a "principle agreement" last Friday on how to address stablecoin yields. Bottom line Resolv's USR depegged after an attacker minted about 80 million unbacked tokens and siphoned roughly $25 million in ETH, underscoring how privileged roles, weak access control, and insufficient real-time controls can destabilize high-yield stablecoin structures and strain trust across the DeFi ecosystem.