Resolv Labs has paused all protocol functions after an attacker exploited a flaw in its USR stablecoin minting logic, draining an estimated $23 million to $25 million and sending the token crashing to $0.025 within minutes.
TLDR Keypoints
- $23 million drained: An attacker minted roughly 80 million unbacked USR tokens using only $100,000 to $200,000 in USDC as initial capital, then converted the proceeds to ETH.
- Protocol paused: Resolv Labs confirmed it suspended all protocol operations to prevent further exploitation and is working on recovery.
- USR lost its peg: The stablecoin, designed to hold $1.00, crashed to $0.025 on the Curve Finance USR/USDC pool and currently trades around $0.44, down roughly 56% in 24 hours.
How the $23M Exploit Unfolded
The attacker executed the exploit across two transactions, first minting 50 million USR tokens and then an additional 30 million. Blockchain security firm PeckShield confirmed both minting events independently, totaling roughly 80 million unbacked tokens with a face value of $80 million.
The initial capital required was remarkably small. The attacker used only an estimated $100,000 to $200,000 in USDC to initiate the minting process, exploiting a vulnerability in the USR Counter contract's minting function that lacked adequate validation.
Once minted, the attacker converted the USR tokens to USDC and USDT, then swapped aggressively into ETH across multiple protocols. The entire sequence, from first mint to USR price collapse, took just 17 minutes. Earlier reporting on the suspected USR exploit had flagged the initial 50 million token mint before the full scale of the attack became clear.
Resolv Labs responded by pausing all protocol functions. "The team has currently paused all the protocol functions to prevent further malicious actions and is actively working on recovery," the team stated. Resolv Labs also claimed its collateral pool "remains fully intact" and that no underlying assets were lost, though this claim has not been independently verified through on-chain analysis.
A Single Key Controlled a Critical Role
Cyvers CEO Deddy Lavid identified the root cause as an architectural failure. "A basic Externally Owned Address controlled a critical 'service role' within the protocol instead of relying on a secure multisignature contract," Lavid told BeInCrypto. "Every protocol interaction must be continuously monitored."
DeFi analytics firm D2 Finance outlined three possible attack vectors: the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion was simply missing. A definitive postmortem from Resolv Labs has not yet been published.
Security researchers and the broader DeFi community have characterized the incident as architectural negligence rather than a sophisticated attack. The use of a single EOA to control a critical minting role in a production stablecoin protocol, without multisig protection or mint-amount limits, represents a basic security gap.
USR Depeg: From $1.00 to $0.025 in Minutes
The flood of unbacked tokens into the market caused USR to lose its dollar peg almost instantly. On the Curve Finance USR/USDC pool, the stablecoin crashed to a low of $0.025, a drop of more than 97% from its intended $1.00 peg.
At the time of writing, USR trades around $0.44, still roughly 56% below its peg. The token's 24-hour trading volume surged to $19.5 million as holders rushed for the exits, while its market capitalization sits at approximately $77.6 million.
The depeg represents a direct loss for USR holders who sold during the crash. Even as Resolv Labs claims its backing collateral is intact, the mismatch between the inflated token supply and the unchanged collateral base means USR cannot currently be redeemed at par.
Resolv's total value locked on Ethereum had already declined from a peak of roughly $568 million in mid-January 2025 to around $115 million before the exploit, according to DeFiLlama data. The post-exploit figure is likely significantly lower. This kind of TVL erosion preceding a major security incident mirrors patterns seen in other DeFi protocol failures, a trend that has contributed to broader challenges across the crypto industry in 2026.
What Comes Next for Resolv Labs and Affected Users
The protocol pause remains in effect with no announced timeline for resumption. Resolv Labs has stated it is "actively working on recovery," but has not disclosed whether that means patching the contract, negotiating with the attacker, or pursuing a compensation plan for affected users.
No official postmortem or incident report has been published. Whether an audit has been commissioned or a white-hat bounty negotiation is underway remains unclear. The attacker's converted ETH holdings have not been reported as returned or frozen.
For USR holders, the practical situation is that tokens cannot be redeemed while the protocol is paused. Resolv Labs' claim that the collateral pool is intact suggests potential for recovery, but until the inflated USR supply is addressed and the minting vulnerability is patched, the path back to a $1.00 peg remains uncertain. As governments worldwide continue to reevaluate their approach to crypto regulation, incidents like this add pressure on DeFi protocols to adopt stronger access controls on critical functions.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.