Resolv (USR) Hack: $23 Million Stolen, DeFi Has Learned Nothing

📋 In brief (TL;DR)
- $23 million stolen: the DeFi protocol Resolv fell victim to a massive hack on March 22, 2026, after the compromise of a private key stored on AWS.
- 80 million USR tokens minted without collateral: the hacker exploited the minting function to generate tokens with only $300,000 in USDC deposits — a 266-to-1 ratio.
- The USR stablecoin collapsed to $0.025 on secondary markets, triggering a contagion effect across multiple DeFi protocols including Morpho and Fluid.
- Risk curators under fire: automated allocation systems from Gauntlet and others continued injecting funds into broken markets for hours.
- Resolv issued a 72-hour ultimatum to the hacker, offering a 10% bounty ($2.5M) for the return of funds — a conditional recovery strategy that has become commonplace.
- This hack echoes the Stream Finance breach ($93M lost in November 2025), proving that DeFi has learned nothing from its previous disasters.
Resolv: anatomy of a $23 million hack
On Sunday, March 22, 2026, the DeFi protocol Resolv suffered one of the most significant hacks of the year. An attacker compromised a critical private key, enabling them to mint 80 million USR tokens with no real backing, and to extract approximately $23 million within hours.
Resolv is a protocol that issues the USR stablecoin, normally backed by real assets to maintain its peg to the dollar. The mechanism relies on a minting system (token creation) controlled by signing keys. In theory, every USR issued corresponds to an equivalent deposit of collateral. In practice, a single compromised key was enough to bring the entire structure crashing down.
One private key, one single point of failure
The attacker managed to access Resolv’s AWS Key Management Service (KMS) environment, compromising the SERVICE_ROLE key — a privileged key that controlled token minting permissions. Here’s the chilling detail: while the protocol’s pause function was protected by a 4-signature multisig, token creation depended on a single EOA (Externally Owned Account) address.
In other words, it took four people to press the emergency button, but a single key was enough to print money. A questionable architectural choice, to say the least.
With this key in hand, the hacker manipulated the protocol’s completeSwap() function. By depositing only 300,000 USDC, they generated 80 million USR tokens in two transactions (50 million then 30 million) — a 266-to-1 ratio that immediately broke the stablecoin’s peg. This mechanism had no on-chain verification of the ratio between deposited collateral and minted tokens: validation relied entirely on off-chain signatures.
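The missing check can be made concrete with a small Python model of a signed mint path. This is an added example, not Resolv's contract code: the `Minter` class, the policy constants and the even split of the 300,000 USDC deposit across the two transactions are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for this model; not Resolv's parameters.
MAX_MINT_PER_USD = Decimal("1.02")    # tolerate 2% over 1:1 for fees and rounding
WINDOW_MINT_CAP = Decimal("5000000")  # most USR that may be minted per rate-limit window


class MintRejected(Exception):
    """Raised when a mint request fails a check."""


@dataclass
class Minter:
    """Model of a mint function gated by a privileged signer (hypothetical)."""
    enforce_onchain_bounds: bool
    minted_in_window: Decimal = Decimal(0)
    total_supply: Decimal = Decimal(0)

    def complete_swap(self, deposit_usd, mint_amount, signature_ok):
        # signature_ok stands for "signed by the privileged key". A stolen key
        # produces valid signatures, so this check alone proves nothing.
        if not signature_ok:
            raise MintRejected("bad signature")
        if self.enforce_onchain_bounds:
            # Invariant 1: minted amount is bounded by the collateral deposited.
            if mint_amount > deposit_usd * MAX_MINT_PER_USD:
                raise MintRejected("mint exceeds collateral bound")
            # Invariant 2: rate limit, so even a valid-looking mint is capped.
            if self.minted_in_window + mint_amount > WINDOW_MINT_CAP:
                raise MintRejected("window mint cap exceeded")
        self.minted_in_window += mint_amount
        self.total_supply += mint_amount
        return self.total_supply


def replay_incident(minter):
    """Replay the two reported mint sizes with a valid signature.
    The 150,000 / 150,000 deposit split is constructed, not from the article."""
    outcomes = []
    for deposit, amount in [(Decimal("150000"), Decimal("50000000")),
                            (Decimal("150000"), Decimal("30000000"))]:
        try:
            minter.complete_swap(deposit, amount, signature_ok=True)
            outcomes.append("minted")
        except MintRejected as exc:
            outcomes.append(str(exc))
    return outcomes, minter.total_supply
```

With the bounds disabled the model reproduces the 80 million unbacked supply; with them enabled the same signed requests are refused regardless of who holds the key.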
The cascade: from depeg to DeFi contagion
Once 80 million USR were created from nothing, the attacker converted them into wstUSR (wrapped staked USR), then swapped them for stablecoins and ETH across multiple decentralized exchange pools. Their wallet accumulated approximately 11,400 ETH, worth roughly $24 million.
The immediate impact: the USR stablecoin, supposed to be worth $1, collapsed to $0.025 on secondary markets — a drop of over 97%. Liquidity providers on Curve Finance suffered approximately $17 million in losses.
But the hack didn’t stop there. The attacker exploited the fact that certain lending protocols used stale price oracles for USR. By purchasing massively devalued USR on the open market, they deposited them as collateral on platforms like Morpho and Fluid, where their price was still considered to be $1. They then borrowed healthy assets (USDC, ETH) against worthless collateral — a technique known as a “Donation Attack.”
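A lending market can refuse to value collateral when its oracle is old or disagrees with a secondary price reference. The sketch below is an added example, not code from Morpho or Fluid: the `PriceFeed` type, the thresholds, the loan-to-value figure and the 1,000,000-token position are assumptions, while the $1.00 and $0.025 prices come from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed risk parameters for illustration only.
MAX_FEED_AGE_S = 3600            # reject a price older than one hour
MAX_DEVIATION = Decimal("0.05")  # tolerated gap between oracle and market reference
LTV = Decimal("0.90")            # loan-to-value applied to accepted collateral


@dataclass(frozen=True)
class PriceFeed:
    price: Decimal    # USD per token
    updated_at: int   # unix timestamp of the last update


def check_collateral_price(oracle, market, now):
    """Return (usable_price, reason); usable_price is None when new borrows must halt."""
    if now - oracle.updated_at > MAX_FEED_AGE_S:
        return None, "oracle stale"
    if now - market.updated_at > MAX_FEED_AGE_S:
        return None, "market reference stale"
    # A fixed or slow oracle can look fresh while being wrong, so also
    # compare it with an independent market reference.
    deviation = abs(oracle.price - market.price) / oracle.price
    if deviation > MAX_DEVIATION:
        return None, "oracle deviates from market"
    # When both agree, value collateral at the more conservative price.
    return min(oracle.price, market.price), "ok"


def max_borrow(tokens, oracle, market, now, guarded):
    """Borrow limit in USD for `tokens` units of collateral."""
    if not guarded:
        return tokens * oracle.price * LTV  # trusts the oracle unconditionally
    price, _reason = check_collateral_price(oracle, market, now)
    if price is None:
        return Decimal(0)                   # halt new borrows against this asset
    return tokens * price * LTV


# Constructed scenario: the oracle still reports $1.00, the market trades at $0.025.
NOW = 1_000_000
ORACLE = PriceFeed(Decimal("1.00"), NOW - 60)
MARKET = PriceFeed(Decimal("0.025"), NOW - 30)
POSITION = Decimal("1000000")
```

Here `max_borrow(POSITION, ORACLE, MARKET, NOW, guarded=False)` allows $900,000 of borrowing against collateral worth $25,000 at market, while the guarded path returns zero.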
The contagion toll is heavy:
- Morpho: $6.2 million in bad debt, 96% of which was in vaults managed by Gauntlet
- Fluid: $11 million in exposure (later covered by the team and investors)
- Curve Finance: approximately $17 million in losses for liquidity providers
- Inverse Finance: losses limited to $340,000 thanks to a rapid market pause within 15 minutes
Risk curators in the dock
This hack highlights a structural problem in today’s DeFi: the role of risk curators. These entities — Gauntlet, Steakhouse Financial, Re7, MEV Capital — are supposed to evaluate protocols and manage fund allocation in yield vaults. They present themselves as rigorous supervisors.
The problem? Steakhouse Financial had published a positive assessment of Resolv’s institutional rigor just five days before the hack. Even more concerning, after the attack, automated allocation systems from multiple curators continued injecting funds into clearly compromised markets for hours. Paul Frambot, founder of Morpho, identified 15 affected vaults with significant USR exposure.
Inverse Finance stands as the exception and shows what should have happened everywhere: rapid human intervention, market pause within 15 minutes, and limited losses. The difference between $340,000 and $17 million in losses comes down to response speed.
An ultimatum and unanswered questions
On Monday, March 24, Resolv Labs issued a 72-hour ultimatum to the hacker, offering a 10% bounty — approximately $2.5 million — in exchange for the return of the remaining funds. This type of public negotiation has become a standard crisis management playbook in DeFi, although its success rate remains low.
This hack is disturbingly reminiscent of the Stream Finance collapse in November 2025, where $93 million was lost and the xUSD stablecoin dropped 75%. At the time, the DeFi community engaged in lengthy debates about curator responsibility and the need to impose protective mechanisms such as “first-loss capital” (senior capital absorbing losses).
Six months later, nothing has changed. The same vulnerabilities exist, the same mistakes are being repeated. DeFi continues to operate on a model where security relies on trust in individual private keys, where on-chain verifications are optional, and where risk curators bear no financial responsibility when their assessments prove wrong.
Three takeaways for investors
First, never consider a stablecoin risk-free. USR was presented as a stable asset backed by reserves. Within hours, it was worth just 2.5 cents. Diversifying across multiple stablecoins and protocols remains the best protection.
Second, look at how keys are managed. A protocol whose critical functions (minting, fund management) rely on a single private key presents systemic risk. Favor protocols that require a multisig for all sensitive operations and that have undergone recent security audits.
Third, be wary of high yields on newer protocols. Resolv offered attractive rates that drew billions of dollars in TVL. The higher the yield, the more the underlying risk deserves scrutiny. Asking yourself “where does the yield come from?” remains the fundamental reflex of every DeFi investor.
Glossary
Minting
The process of creating new tokens on a blockchain. In the case of a stablecoin, minting is normally conditional on the deposit of equivalent collateral (dollars, crypto assets) to guarantee the token’s peg.
Multisig (multi-signature)
A security mechanism that requires multiple signatures (different private keys) to authorize a transaction. For example, a 3/5 multisig requires the approval of 3 out of 5 people to validate an operation, reducing the risk associated with a single key being compromised.
Oracle
A service that provides external data (such as an asset’s price) to smart contracts on the blockchain. A stale or faulty oracle can allow an attacker to exploit discrepancies between an asset’s real price and the price recognized by a protocol.
On-chain
Describes an operation or piece of data recorded directly on the blockchain, making it publicly verifiable and immutable. In contrast, “off-chain” verifications occur outside the blockchain and depend on trust in a third party.
Risk Curator
A specialized entity that evaluates DeFi protocols and manages fund allocation in yield vaults. Curators like Gauntlet or Steakhouse Financial are supposed to protect depositors by analyzing the risks of each protocol.
Depeg
The loss of a stablecoin’s parity with its reference value (typically $1). A depeg can be temporary (a few hours) or permanent, and causes losses for all token holders and protocols using it as collateral.
Frequently Asked Questions
What is the Resolv hack and how much was stolen?
On March 22, 2026, an attacker compromised a private key from the DeFi protocol Resolv, enabling them to mint 80 million USR tokens without collateral. They then converted these tokens into ETH and stablecoins, extracting approximately $23 million. The USR stablecoin collapsed from $1 to $0.025, causing additional losses across multiple connected DeFi protocols.
How was the hacker able to mint USR tokens without collateral?
The attacker compromised the SERVICE_ROLE key stored on AWS KMS, which controlled the minting function. The main vulnerability was the absence of on-chain verification of the ratio between deposited collateral and minted tokens. The protocol relied solely on off-chain signatures, meaning a single compromised key was enough to bypass all protections.
Which DeFi protocols were affected by the contagion?
Several lending protocols suffered indirect losses: Morpho ($6.2M in bad debt), Fluid ($11M in exposure), and Curve Finance (approximately $17M in losses for liquidity providers). Protocols using stale price oracles for USR were particularly vulnerable, as the attacker was able to deposit devalued USR as collateral at its nominal value.
How can DeFi investors protect themselves against this type of hack?
Three essential habits: diversify across multiple stablecoins and protocols to limit exposure to a single point of failure; check protocol governance (a multisig for critical functions is a minimum); and always ask where the promised yield comes from. Favor recently audited protocols that publish transparent security reports.
Sources
This article is based on the following sources:
- Chainalysis — The Resolv Hack: How One Compromised Key Printed $23 Million (March 22, 2026)
- Protos — Resolv hack shows DeFi learned nothing from last contagion (March 23, 2026)
- Journal du Coin — Resolv (USR): Revelations on the $25 million attack and the protocol’s ultimatum (March 24, 2026)
How to cite this article: “Resolv (USR) Hack: $23M Stolen, One Compromised Key Was Enough,” Fibo Crypto, March 25, 2026.

