Resolv Labs Burns 36.7 Million in Hacked USR Following $34 Million Exploit

Resolv Labs destroyed 36.73 million USR stablecoins held by an attacker through a contract upgrade on April 6, 2026, following a March exploit in which a compromised key allowed the attacker to mint 80 million unbacked USR tokens with less than $200,000 in initial collateral and dump approximately 34 million USR for 11,409 ETH (worth roughly $24.5 million).

The incident has left the protocol facing an estimated net loss of approximately $34 million, despite Resolv Labs claiming its collateral pool remains intact.

Attacker Exploited Off-Chain Minting Key to Print Unbacked USR

The exploit stemmed from a critical failure in Resolv’s USR minting flow. A single attacker, using a compromised service key in a two-step off-chain minting process, was able to generate 80 million uncollateralized USR tokens. The attacker then dumped approximately 34 million USR across DeFi liquidity pools, extracting about 11,409 ETH (valued at approximately $24.5 million). The remaining USR held by the attacker was later destroyed by Resolv Labs through a contract upgrade, removing about 46 million USR from the attacker’s address in total.

The incident caused USR to lose its peg, crashing as low as $0.14 before partially rebounding to the $0.23–$0.27 range. On-chain analysis firms estimated attacker profits between $23 million and $25 million as the token depegged on Curve and other liquidity pools.

Resolv Labs Uses Contract Upgrade to Burn Hacker’s Holdings

Approximately one hour before the announcement, Resolv Labs executed a contract upgrade that destroyed 36.73 million USR held by the attacker’s address. The team has removed a total of about 46 million USR from the attacker’s address through the upgrade. However, the value already extracted in ETH—approximately 11,409 ETH (worth about $24.48 million)—remains at address 0x8ED…81C, leaving the protocol facing a real economic hit of around $34 million.

In its post-mortem, Resolv Labs stressed that its collateral pool “remains intact” despite the exploit-driven mint of 80 million USR. However, liquidity providers and leveraged users across integrated protocols absorbed price slippage and forced unwinds. The protocol had paused operations following the exploit and rolled out a recovery plan.

DeFi Key Management Risks Highlighted by USR Exploit

The USR exploit has become a case study in DeFi key management failures, drawing comparisons with other recent stablecoin failures and lending-market contagion. Chainalysis described the incident as a case where an attacker was able to mint tens of millions of unbacked stablecoins and extract roughly $23 million in value, highlighting how a compromised service key in an off-chain minting process can cascade into systemic losses.

The episode underscores how privileged controls can both enable and mitigate catastrophic failures in nominally decentralized systems. For traders and investors, the incident revives long-standing questions over whether yield-bearing stablecoins can scale without introducing single points of failure. DeFi protocols with composable stablecoins now face renewed pressure to harden minting logic, rotate keys, and treat backend infrastructure with the same rigor as audited smart contracts.

FAQ

How did the Resolv Labs exploit occur?

The attacker compromised a service key in Resolv’s two-step off-chain minting process, allowing them to mint 80 million unbacked USR tokens with less than $200,000 in initial collateral. The attacker then dumped approximately 34 million USR for 11,409 ETH (about $24.5 million) before Resolv burned the remaining holdings through a contract upgrade.

What was the financial impact of the exploit?

The attacker extracted approximately 11,409 ETH worth about $24.5 million. Resolv Labs faces an estimated net loss of approximately $34 million, despite burning 36.73 million USR held by the attacker. The USR stablecoin depegged, falling as low as $0.14 before partially recovering.

What measures did Resolv Labs take after the exploit?

Resolv Labs paused operations, rolled out a recovery plan, and used a contract upgrade to destroy 36.73 million USR held by the attacker. The team removed approximately 46 million USR from the attacker’s address. The protocol stated that its collateral pool remains intact despite the exploit.