Resolv USR exploit let attacker mint 80 million unbacked tokens
Resolv Labs said its USR stablecoin protocol was exploited after an attacker abused a flaw in the minting contract to create about 80 million unbacked USR in two transactions. The unauthorized minting broke the token’s dollar peg and sent USR sharply lower, with onchain data showing the stablecoin fell as low as $0.025 on Curve before partially recovering. The attacker reportedly withdrew about $25 million, swapping the illicitly minted USR into USDC and USDT on decentralized exchanges before converting the proceeds into ETH.
Onchain analysts said the incident appeared to stem from a deeper architectural weakness rather than only a compromised private key, pointing to a single externally owned account holding the privileged SERVICE_ROLE and a minting system that lacked oracle checks, amount validation, and maximum mint limits. One reported path allowed a deposit of 100,000 USDC to mint 50 million USR. Resolv said it is working with law enforcement and blockchain analytics firms, warned users not to trade USR during recovery efforts, and said it would pursue asset recovery as the attacker was reported to still hold 11,409 ETH and about $1.1 million in wrapped USR.
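The three controls analysts described as missing (oracle check, amount validation, maximum mint limit) are shown below as an added example, not Resolv's code: a guard evaluated on every mint request regardless of which key signed it. The class names, caps and tolerance are hypothetical, and the sample request is constructed to mirror the reported 100,000 USDC to 50 million USR path.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical policy values chosen for illustration; not Resolv's parameters.
MAX_MINT_PER_TX = Decimal("1000000")      # hard cap on USR minted per request
MAX_MINT_PER_WINDOW = Decimal("5000000")  # cap across all requests in a window
MAX_DEVIATION = Decimal("0.005")          # tolerated excess over oracle value


@dataclass(frozen=True)
class MintRequest:
    collateral_amount: Decimal  # collateral deposited, e.g. USDC
    mint_amount: Decimal        # USR the privileged signer asks to mint


class MintGuard:
    """Validates a mint request independently of the signer's role."""

    def __init__(self, oracle_price):
        self.oracle_price = oracle_price      # USD per unit of collateral
        self.minted_in_window = Decimal(0)    # running total for the window

    def check(self, req):
        """Return the list of violated controls (empty means acceptable)."""
        if req.collateral_amount <= 0 or req.mint_amount <= 0:
            return ["non-positive amount"]
        reasons = []
        backed = req.collateral_amount * self.oracle_price
        if req.mint_amount > backed * (1 + MAX_DEVIATION):
            reasons.append("mint exceeds oracle-valued collateral")
        if req.mint_amount > MAX_MINT_PER_TX:
            reasons.append("mint exceeds per-transaction cap")
        if self.minted_in_window + req.mint_amount > MAX_MINT_PER_WINDOW:
            reasons.append("mint exceeds window cap")
        return reasons

    def complete(self, req):
        """Accept the mint only if every control passes; track the window."""
        reasons = self.check(req)
        if reasons:
            return False, reasons
        self.minted_in_window += req.mint_amount
        return True, []


# Constructed sample requests.
REPORTED_PATH = MintRequest(Decimal("100000"), Decimal("50000000"))
BACKED_MINT = MintRequest(Decimal("100000"), Decimal("100000"))
```

Each control fails independently on the reported request, so a compromised or misused signer would have to defeat all three rather than one.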

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Resolv pledges 1:1 redemptions for all pre-exploit USR holders
In its first public recovery update, Resolv said 98% of whitelisted USR holders had already been redeemed at a 1:1 ratio and promised the same treatment for non-whitelisted holders who held USR before the exploit once the process is finalized. The company said recovery remained unresolved for post-depeg buyers, liquidity providers, and RLP holders.
Resolv offers hacker 10% bounty to return stolen ETH within 72 hours
During its recovery response, Resolv publicly offered the attacker 10% of the stolen ETH in exchange for returning the remaining funds within 72 hours. The company said it would otherwise coordinate with exchanges, law enforcement, blockchain analytics firms, and legal counsel to pursue recovery.
Resolv discloses incident and begins recovery and law enforcement response
Resolv Labs said it was working with law enforcement and onchain analytics firms to investigate the exploit and pursue asset recovery. The company also warned users not to trade USR while recovery efforts were underway.
Resolv depeg triggers bad debt and emergency actions across DeFi lenders
As USR lost its peg, lending protocols that continued valuing USR or wstUSR near $1 suffered cascading bad debt and emergency pauses. Fluid/Instadapp reportedly absorbed more than $10 million in bad debt and saw over $300 million in outflows, while Morpho, Euler, Venus, Lista DAO, and Inverse Finance were also affected.
Attacker cashes out roughly $25 million and USR sharply depegs
After minting the tokens, the attacker swapped the illicit USR into USDC and USDT on decentralized exchanges and converted the proceeds into ETH, extracting roughly $25 million. The unauthorized minting caused USR to lose its dollar peg, falling as low as $0.025 before partially recovering.
Attacker exploits Resolv minting contract to create 80 million unbacked USR
An attacker abused a flaw in Resolv's USR stablecoin minting system, using privileged access and weak validation controls to mint about 80 million unbacked USR in two transactions. Onchain analysis indicated the issue stemmed from an architectural weakness around a single externally owned account holding the SERVICE_ROLE, not just a simple private key compromise.
Sources
5 references tracked.
Resolv Co-Founder Pledges 1:1 Redemptions for All Pre-Exploit USR Holders - "The Defiant"
thedefiant.io
Hacker walks away with $24.5 million after breaching Resolv DeFi platform | The Record from Recorded Future News
therecord.media
Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH
coindesk.com
DeFi Has Seen Resolv's $25M USR Exploit Many Times Before - "The Defiant"
thedefiant.io
Attacker exploits Resolv USR stablecoin to mint 80 million tokens, cashes out $25M: Resolv Labs - "The Defiant"
thedefiant.io


