Stablecoin USR Suddenly Crashes and Depegs! Resolv Reveals "Minting Vulnerability" Exploited by Hackers, Who Steal $25 Million

According to reports from multiple on-chain security firms, DeFi protocol Resolv was attacked on Sunday through a vulnerability. Hackers minted 80 million uncollateralized stablecoins USR at extremely low cost, quickly sold them off, and successfully cashed out about $25 million. This not only caused a severe decoupling of USR’s price but also triggered a domino effect in the lending market.

The attack occurred around 10:21 AM on March 22. On-chain data shows that the hacker first deposited 100,000 USDC into Resolv’s smart contract but received as much as 50 million USR in return, a ratio 500 times higher than normal. Subsequently, the hacker, encouraged by this, minted an additional 30 million USR through a second transaction.

USR from @ResolvLabs is trading at one cent, someone minted 50m USR with $100k USDChttps://t.co/qc8gTLDx7w pic.twitter.com/fXtjZgxzQk

— YAM 🌱 (@yieldsandmore) March 22, 2026

As a stablecoin claiming to be pegged 1:1 with the US dollar, USR’s operation does not rely on traditional fiat reserves. Instead, it maintains its value through a delta-neutral hedging strategy using Ethereum and Bitcoin to offset price fluctuations.

According to data from DEX Screener, after the initial minting, USR’s price in the highly liquid Curve Finance pool plummeted to $0.025 within just 17 minutes. Although it briefly rebounded to around $0.85, it has yet to recover to the $1 peg at the time of writing.

Sophisticated Money Laundering by Hackers, Official Claims “Collateral Pool Intact” Sparks Debate

After the attack, the hacker (wallet address starting with 0x04A2) quickly exchanged the minted USR for USDC and USDT on major DEXs, then converted all to Ethereum. On-chain data shows the hacker’s wallet now holds up to 11,409 ETH, worth approximately $23.7 million.

Following the incident, Resolv Labs posted a statement on social platform X, saying the team has paused all protocol functions, emphasizing that “the collateral pool remains fully intact,” with no underlying assets lost, and classified the incident as a “simple bug in the USR issuance mechanism.”

We are currently investigating a security incident involving unauthorized minting of USR.

At this stage:

The collateral pool remains fully intact. No underlying assets have been lost.

The issue appears isolated to USR issuance mechanics.

Our immediate priority is to:

1)…

— Resolv Labs (@ResolvLabs) March 22, 2026

Lack of Proper Permission Controls

Despite the official attempt to downplay the impact, security experts are skeptical. On-chain analyst Andrew Hong pointed out that the vulnerability stemmed from the “SERVICE_ROLE” privileged account responsible for handling exchange requests. Shockingly, such a critical permission was controlled by a single external account (EOA, a single wallet) rather than a more secure multisignature setup. Even more concerning, the minting contract lacked oracle price verification, quantity checks, or even a “mint cap.”

DeFi investment fund D2 Finance listed three possible causes: malicious oracle manipulation, compromise of off-chain signers, or the absence of amount verification between mint requests and execution. YieldsAndMore, the first to expose the incident, lamented that a protocol with such a significant fund size as Resolv lacked basic security safeguards for core management permissions.

Deddy Lavid, CEO of blockchain security firm Cyvers, stated: “This is where the real risks of stablecoins surface. Relying solely on periodic smart contract audits is far from enough. Without real-time monitoring of token minting and supply, the team is essentially blind when a crisis hits.”

Unforeseen Disaster! Invisible Inflation Ravages Retail Investors, Domino Effect Impacts Lending Markets

Although Resolv’s official statement claims the collateral pool is “fully intact,” this underestimates the damage. On-chain analysts pointed out that the attack was not a direct “theft” from the treasury but a more covert “supply inflation” tactic. The 80 million newly minted tokens instantly diluted the existing circulating value, and the hacker’s dumping drained liquidity pools. This meant that investors holding USR at the time saw their assets ruthlessly devalued in an instant.

The chaos quickly spread to other DeFi lending markets. Since USR and its derivatives are accepted as collateral by many lending platforms (such as Morpho, Gauntlet), speculators seized the opportunity to buy USR at low prices, then borrow large amounts of USDC using the system’s fixed “1 USR = 1 USD” pricing. This “free money” operation drained the liquidity of lending pools.

Once Funded with Tens of Millions and Subjected to 14 Top Audits, Now Falling from Grace

Before the attack, Resolv’s funds had already been shrinking. USR’s market cap dropped from a peak of $400 million in early February to about $100 million prior to the incident.