An attacker breached Resolv's AWS Key Management Service on March 22, 2026. Using the protocol's privileged minting key, the attacker created 80 million unbacked USR stablecoins. Chainalysis estimates $23 million was extracted in ETH.
The smart contract worked exactly as designed. USR, built to hold a $1 peg, crashed to $0.20 on Curve Finance within minutes. It partially recovered to $0.85, then fell again. CoinDesk placed USR at $0.27 on Monday.
Resolv's USR minting uses a two-step process. A user deposits USDC into the USR Counter contract and calls requestSwap. An off-chain service controlled by a privileged key (SERVICE_ROLE) then calls completeSwap to set the mint amount.
The contract enforces a minimum USR output but no maximum. No on-chain ratio check. No price oracle. No cap.
Whatever the SERVICE_ROLE key holder signs gets minted.
SERVICE_ROLE was a single Ethereum EOA (externally owned account): one private key, held in AWS KMS. Key material generated inside KMS cannot be exported, and the private half of an asymmetric KMS key never leaves the service; a caller with kms:Sign permission on the key receives signatures, not the key. The attacker therefore most likely obtained credentials allowed to invoke signing on that key and signed through the KMS API rather than extracting raw key material.
The attacker made two swap requests with $100,000 to $200,000 in USDC. The compromised SERVICE_ROLE key then called completeSwap with inflated amounts. Two on-chain transactions minted 50 million and 30 million USR. The total was 80 million USR, nominally $80 million at the $1 peg.
USR was converted into wrapped staked USR (wstUSR), a derivative representing a staking pool share. From wstUSR, the attacker swapped into USDC and USDT across multiple DEXs, then consolidated into ETH. Chainalysis describes the extraction as happening "in a matter of minutes."
The attacker's wallet held ~11,400 ETH (~$24 million) at last report. Roughly 20 million wstUSR (~$1.3 million at depressed prices) remained unsold. Resolv paused the protocol before additional mints could go through.
"The Resolv hack isn't just another exploit — it's a structural failure in how DeFi prices risk," said Kevin Yang, managing partner at Gate Ventures.
Resolv had undergone 18 security audits. None caught the vulnerability because it was not in the smart contract code. Security firm Pashov audited Resolv's staking module in July 2025. Pashov told Cointelegraph the root cause was "a private key compromise" and that better operational security is needed "everywhere in the space."
Smart contract audits examine Solidity logic. They do not assess AWS IAM policies, KMS access controls, or whether one key can mint unlimited tokens. The 18 audits covered 18 iterations of correct code. The architecture around that code had no safety boundary.
The specific design failure is a minting function controlled by a single key with no on-chain upper bound. A ceiling tied to the USDC actually deposited, on-chain caps (maximum mint per transaction, maximum mint per time window), rate limits, timelocks, or multi-signature requirements on completeSwap would have constrained the blast radius even after key compromise. "Eighteen audits examined the lock. Nobody checked whether the door had walls," the AnonHaven Editorial Team wrote.
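To make the missing ceiling concrete, here is an added illustration of the two-step requestSwap/completeSwap flow described earlier, with the bounds listed above enforced on-chain. This is not Resolv's contract and not code from the original article: the contract name, the error and event names, the cap values, the guardian role, and the assumed token decimals (USDC 6, USR 18) are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Not Resolv's code: names, cap values, the guardian
// role and the 6/18 decimal assumptions are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMintableUSR {
    function mint(address to, uint256 amount) external;
}

contract USRCounterBounded {
    struct SwapRequest { address user; uint256 usdcIn; uint256 minUsrOut; bool completed; }

    IERC20 public immutable usdc;
    IMintableUSR public immutable usr;
    address public immutable serviceRole; // hot off-chain signer (the KMS-backed EOA)
    address public immutable guardian;    // multisig or timelock; the only party that may raise caps

    uint256 private constant USDC_UNIT = 1e6;
    uint256 private constant USR_UNIT = 1e18;

    // Bound 1: output may never exceed the deposit's face value plus a small tolerance.
    uint256 public constant MAX_RATIO_BPS = 10_100; // at most 1.01 USR per USDC
    // Bound 2: hard ceiling on any single completeSwap.
    uint256 public maxMintPerTx = 1_000_000 * USR_UNIT;
    // Bound 3: rolling-window ceiling, so a stolen key cannot drain by repetition.
    uint256 public constant WINDOW = 1 hours;
    uint256 public maxMintPerWindow = 5_000_000 * USR_UNIT;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    mapping(uint256 => SwapRequest) public requests;
    uint256 public nextRequestId;

    error NotServiceRole();
    error NotGuardian();
    error AlreadyCompleted(uint256 id);
    error BelowMinimum(uint256 usrOut, uint256 minUsrOut);
    error ExceedsDeposit(uint256 usrOut, uint256 limit);
    error ExceedsTxCap(uint256 usrOut, uint256 cap);
    error ExceedsWindowCap(uint256 total, uint256 cap);
    event SwapCompleted(uint256 indexed id, address indexed user, uint256 usrOut);

    constructor(IERC20 usdc_, IMintableUSR usr_, address serviceRole_, address guardian_) {
        usdc = usdc_;
        usr = usr_;
        serviceRole = serviceRole_;
        guardian = guardian_;
    }

    // Step 1 (user): escrow USDC and record the floor the user will accept.
    function requestSwap(uint256 usdcIn, uint256 minUsrOut) external returns (uint256 id) {
        require(usdc.transferFrom(msg.sender, address(this), usdcIn), "USDC transfer failed");
        id = nextRequestId++;
        requests[id] = SwapRequest(msg.sender, usdcIn, minUsrOut, false);
    }

    // Step 2 (SERVICE_ROLE): set the mint amount, now boxed in from above as well as below.
    function completeSwap(uint256 id, uint256 usrOut) external {
        if (msg.sender != serviceRole) revert NotServiceRole();
        SwapRequest storage r = requests[id];
        if (r.completed) revert AlreadyCompleted(id);
        if (usrOut < r.minUsrOut) revert BelowMinimum(usrOut, r.minUsrOut);

        // A minimum-only design stops here. Everything below is the ceiling.
        // For a 200,000 USDC deposit: depositLimit = 202,000 USR, so a 50M request reverts.
        uint256 depositLimit = (r.usdcIn * USR_UNIT / USDC_UNIT) * MAX_RATIO_BPS / 10_000;
        if (usrOut > depositLimit) revert ExceedsDeposit(usrOut, depositLimit);
        if (usrOut > maxMintPerTx) revert ExceedsTxCap(usrOut, maxMintPerTx);

        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        if (mintedInWindow + usrOut > maxMintPerWindow) {
            revert ExceedsWindowCap(mintedInWindow + usrOut, maxMintPerWindow);
        }
        mintedInWindow += usrOut;

        r.completed = true;
        usr.mint(r.user, usrOut);
        emit SwapCompleted(id, r.user, usrOut);
    }

    // Caps are raised only by the guardian, never by the hot key that signs swaps.
    function setCaps(uint256 perTx, uint256 perWindow) external {
        if (msg.sender != guardian) revert NotGuardian();
        maxMintPerTx = perTx;
        maxMintPerWindow = perWindow;
    }
}
```

The design point is the separation of roles: the hot signer can only pick a number inside a box whose walls are set by a different, slower principal. Even if the guardian is also a hot key, routing setCaps through a timelock turns a cap increase into a visible, delayed on-chain event rather than a single signature. The deposit-ratio check alone would have reduced the 80 million USR mint to roughly the attacker's own deposit.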
The contagion spread beyond Resolv. DeFi protocols that had integrated USR as collateral or in lending markets saw outflows. According to DL News, several protocols using a curator model, where third-party asset managers create bespoke lending markets, were affected because they had included USR.
Steakhouse Financial, Resolv's risk manager, published an operational overview of the protocol five days before the exploit. DL News reported that the vulnerability had been identified around the same time, but DL News did not confirm any connection between the two.
Resolv Labs suspended all protocol functions on March 22, including staking and airdrop claims. Resolv confirmed "minting of approximately $80M" in its X statement. The team stated that the collateral pool "remains fully intact" and that the issue was "isolated to USR issuance mechanics." Resolv has messaged the attacker, offering to drop pursuit in exchange for 90% of the stolen ETH, according to DL News.
Law enforcement and on-chain analytics firms are assisting the investigation. How the attacker compromised AWS KMS remains unknown.
For USR holders and DeFi users evaluating stablecoin protocols, one test matters. If minting is controlled by a single off-chain key with no on-chain cap, the "decentralized" label is architectural fiction. The attacker has not responded publicly to Resolv's 90% return offer.