Stablecoin USR Suddenly Crashes and Depegs! Resolv Reveals "Minting Vulnerability" Exploited by Hackers, Who Steal $25 Million


According to reports from multiple on-chain security firms, DeFi protocol Resolv was attacked on Sunday through a vulnerability. Hackers minted 80 million uncollateralized USR stablecoins at extremely low cost, quickly sold them off, and cashed out approximately $25 million. This not only caused USR’s price to depeg severely but also triggered a domino effect in the lending market.

The attack occurred around 10:21 AM on March 22. On-chain data shows that the hacker first deposited 100,000 USDC into Resolv’s smart contract but received as much as 50 million USR in return, a ratio 500 times higher than normal. Emboldened by this, the hacker then minted an additional 30 million USR in a second transaction.

USR from @ResolvLabs is trading at one cent, someone minted 50m USR with $100k USDC pic.twitter.com/fXtjZgxzQk

— YAM 🌱 (@yieldsandmore) March 22, 2026

As a stablecoin claiming to be pegged 1:1 with the US dollar, USR’s operation does not rely on traditional fiat reserves. Instead, it maintains its value through delta-neutral hedging strategies using Ethereum and Bitcoin to offset price volatility.

According to data from DEX Screener, after the initial minting, USR’s price in its Curve Finance liquidity pool plummeted from its peak, dropping to $0.025 within just 17 minutes. Although it briefly rebounded to around $0.85, it had not yet recovered to the $1 peg at the time of writing.

Sophisticated Money Laundering by Hackers; Official Claim That “Collateral Pool Intact” Sparks Debate

After the attack, the hacker (wallet address starting with 0x04A2) quickly exchanged the minted USR for USDC and USDT on major DEXs, then converted all to Ethereum. On-chain data shows the hacker’s wallet now holds up to 11,409 ETH, worth approximately $23.7 million.

Following the incident, Resolv Labs posted a statement on social platform X, saying the team has paused all protocol functions, emphasizing that “the collateral pool remains fully intact,” with no underlying assets lost, and classified the incident as a “simple USR issuance mechanism vulnerability.”

We are currently investigating a security incident involving unauthorized minting of USR.

At this stage:

The collateral pool remains fully intact. No underlying assets have been lost.

The issue appears isolated to USR issuance mechanics.

Our immediate priority is to:

1)…

— Resolv Labs (@ResolvLabs) March 22, 2026

Lack of Proper Permission Controls

Despite the official attempt to downplay the impact, security experts are skeptical. On-chain analyst Andrew Hong pointed out that the attack vector stemmed from a privileged account called “SERVICE_ROLE,” responsible for handling exchange requests. Shockingly, this critical permission was controlled by a single externally owned account (EOA, that is, a single wallet) rather than a more secure multi-signature setup. Even more concerning, the minting contract lacked oracle price verification, quantity checks, and even a “mint cap.”

DeFi investment fund D2 Finance listed three possible causes: malicious oracle manipulation, compromised off-chain signers, or the absence of amount verification between mint requests and execution. YieldsAndMore, the first to expose the incident, lamented that a protocol like Resolv, with significant funds, lacked basic security safeguards for core management permissions.

Deddy Lavid, CEO of blockchain security firm Cyvers, stated, “This is where the real risks of stablecoins surface. Relying solely on periodic smart contract audits is far from enough. Without real-time monitoring of token minting and supply, the team is essentially blind when a crisis hits.”
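
The controls this section says were missing (an amount check against an oracle-priced deposit, a mint cap) and the real-time mint and supply monitoring Lavid describes can be sketched as one off-chain check over mint events. This is an added example, not Resolv's code or any vendor's product; the event fields, thresholds, timestamps, transaction labels and the second mint's deposit are assumptions, and only the 100,000 USDC, 50 million and 30 million figures come from this article.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    ts: int                  # unix seconds (constructed)
    tx: str                  # label, not a real transaction hash
    collateral_usd: Decimal  # deposit valued at an independent oracle price
    minted: Decimal          # USR issued for that deposit

# Hypothetical policy thresholds, chosen only for illustration.
MAX_RATIO_DEVIATION = Decimal("0.01")  # minted/collateral within 1% of 1:1
PER_MINT_CAP = Decimal("5000000")      # largest single mint allowed
WINDOW_SECONDS = 3600
WINDOW_CAP = Decimal("10000000")       # total mint allowed per rolling hour

def check_mints(events):
    """Return [(tx, [reason, ...])] for every mint that breaks a policy rule."""
    alerts, window = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        # Amount check: issued tokens must match the value actually deposited.
        if ev.collateral_usd <= 0 or abs(
                ev.minted / ev.collateral_usd - 1) > MAX_RATIO_DEVIATION:
            reasons.append("ratio")
        # Mint cap per request.
        if ev.minted > PER_MINT_CAP:
            reasons.append("per-mint-cap")
        # Supply-growth cap over a rolling window.
        window = [(t, m) for t, m in window if ev.ts - t < WINDOW_SECONDS]
        window.append((ev.ts, ev.minted))
        if sum(m for _, m in window) > WINDOW_CAP:
            reasons.append("window-cap")
        if reasons:
            alerts.append((ev.tx, reasons))
    return alerts

# Constructed sample: amounts for tx-a and the 30M mint follow the article;
# timestamps, labels, the other rows and tx-b's deposit are assumptions.
SAMPLE = [
    MintEvent(0, "tx-normal-1", Decimal("250000"), Decimal("250000")),
    MintEvent(600, "tx-a", Decimal("100000"), Decimal("50000000")),
    MintEvent(1200, "tx-b", Decimal("100000"), Decimal("30000000")),
    MintEvent(10000, "tx-normal-2", Decimal("1000000"), Decimal("1000000")),
]

if __name__ == "__main__":
    for tx, reasons in check_mints(SAMPLE):
        print(tx, ",".join(reasons))
```

The same three rules enforced inside the minting path would reject the request outright; run off-chain over emitted events, they only shorten the time to a pause.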

Unexpected Disaster! Invisible Inflation Ravages Retail Investors, Domino Effect Hits Lending Markets

Although Resolv’s official claim that the collateral pool is “fully intact” is technically true, the statement understates the damage. On-chain analysts pointed out that the attack was not a direct “bank robbery,” but a more covert “supply inflation” tactic. The 80 million newly minted tokens instantly diluted the existing circulating value, and the hacker’s dumping drained liquidity pools. This meant that investors holding USR saw their assets instantly devalued.

The chaos quickly spread to other DeFi lending platforms. Since USR and its derivatives are accepted as collateral by many lending protocols (such as Morpho and Gauntlet), opportunistic traders bought USR at low prices and used the platforms’ fixed $1 valuation to borrow large amounts of USDC. This “free money” operation drained the lending pools’ liquidity.

Once Funded with Tens of Millions and Undergoing 14 Top Audits, Now Falling from Grace

Before the attack, Resolv’s funds had already been shrinking. USR’s market cap, which peaked at $400 million in early February, had fallen to around $100 million just before the incident.
