Crypto News

Resolv Labs: The USR Stablecoin Loses Its Peg After an $80 Million Hack

By Telemac

Share

Resolv Labs: The USR Stablecoin Loses Its Peg After an $80 Million Hack — Here’s What You Need to Know

Sunday, March 22, 2026 — An attacker exploited a critical vulnerability in the Resolv USR stablecoin contract, generating 80 million tokens from scratch and withdrawing at least $25 million before the protocol was paralyzed. The incident has shaken the DeFi community and reignited the debate over the security of algorithmic stablecoins.

Introduction

Sunday, March 22, 2026 will remain etched in the memory of cryptocurrency investors. Within a few hours, the Resolv Labs protocol — specializing in synthetic dollar-backed assets — suffered one of the most sophisticated attacks of the year. A hacker managed to mint 80 million USR tokens (Resolv USD), a stablecoin supposed to maintain a rigid parity with the US dollar, and convert a substantial portion of this loot into real assets.

The result? The price of USR plummeted to 2.5 cents on some liquidity pools before painfully climbing back to around 87 cents — a devaluation of nearly 13% against its historic $1 peg.

On social media, panic was palpable. The X account « yieldsandmore » was the first to raise the alarm: « USR has just collapsed. On-chain data shows that an attacker managed to mint 50 million USR by depositing just $100,000 of USDC. » A few minutes later, blockchain security firm PeckShield confirmed: the attacker had actually minted 80 million USR across two separate transactions.

Timeline of a Disaster

02:21 UTC — First Alert

It all began at 02:21 UTC on Sunday morning. On-chain surveillance systems spotted a suspicious transaction on Ethereum: a user deposited 100,000 USDC into the Resolv contract and received in return 50 million newly minted USR — a ratio that makes absolutely no economic sense.

The X account « yieldsandmore » published an alert thread: « Something is wrong with the USR contract. The attacker minted 50 million tokens from a 100k USDC deposit. This is an exploit, not a bug. »

02:28 UTC — Second Wave of Attack

Seven minutes later, PeckShield confirmed that a second transaction had minted an additional 30 million USR. The total of fraudulently created tokens thus reached 80 million — for an initial cost of only $100,000. The attacker achieved an 800x multiplier on his initial investment in a matter of minutes.

02:38 UTC — Price Collapses on Curve Finance

This was the most spectacular moment. On Curve Finance — the most liquid stablecoin swap protocol for USR — the price of USR dropped to 2.5 cents, representing a 97.5% loss against the dollar. On other platforms, USR traded as low as 50 cents, translating into a loss of half its face value.

Data from DEX Screener shows that the USR/USDC pool on Curve had a 24-hour volume of only $3.6 million before the incident. With 80 million USR injected into the market within minutes, available liquidity was simply insufficient to absorb the shock.

03:00 UTC — Resolv Labs Responds

Resolv Labs published a statement on X: « We experienced an exploit that allowed an attacker to mint 50 million unsecured USR. The team has currently paused all protocol functions to prevent further malicious actions and is actively working on recovery. »

The statement did not explain how the attacker circumvented the contract’s control mechanisms. But blockchain security experts were already piecing together the attack scenario.

How the Attack Worked

D2 Finance, a crypto fund that analyzes transactions in real time, published a detailed analysis of the incident. According to the firm, three scenarios could explain the vulnerability:

  1. Oracle Manipulation: Oracles are the mechanisms that allow smart contracts to determine the real price of assets. If the attacker manipulated the price of USR on reference sources, they could have minted tokens at an artificially low price, maximizing their profit.
  2. Off-Chain Signer Compromised: Resolv Labs likely uses an off-chain signer system to approve certain critical operations. If this signer’s private key was stolen, the attacker had full control over token creation.
  3. Missing Amount Validation: This is the most likely scenario. According to D2 Finance: « The minting function on the USR contract was simply broken. Validation between the amount requested and the amount executed was simply missing. »

In other words, the smart contract did not properly verify that the quantity of tokens requested matched the quantity actually allocated. The attacker exploited this flaw to claim far more USR than they should have received.

This hypothesis is particularly concerning as it suggests a fundamental development error — not a complex cryptographic vulnerability, but a basic oversight in the contract logic.

The Cash-Out: « Textbook DeFi Hack »

Once the 80 million USR was in hand, the attacker simply had to convert them into real assets. And that’s when things got even worse.

D2 Finance describes the playbook as « a textbook DeFi hack running at full speed »:

  1. Transfer to multiple DeFi protocols: The first 50 million USR was split across various lending and swap protocols to maximize available liquidity.
  2. Swap against USDC and USDT: The attacker used decentralized exchanges (DEXs) to exchange USR for the most liquid stablecoins: USDC and USDT.
  3. Aggressive conversion to Ether (ETH): Within a few hours, the bulk of the loot was converted to ETH, the most widely accepted crypto asset.
  4. Estimated damage: D2 Finance estimates the attacker extracted approximately $25 million from the Resolv ecosystem before the protocol was suspended.

Implications for the Ecosystem

Loss of Trust in Stablecoins

The Resolv Labs incident is the latest in a long series of exploits targeting stablecoins. In February 2026, crypto hacks declined sharply ($49 million lost versus $385 million in January), but attacks on DeFi protocols remain particularly devastating when they affect assets supposed to be « stable. »

A stablecoin that loses its peg destabilizes the entire edifice of decentralized finance. Millions of users rely on these assets as an intra-ecosystem safe haven, as collateral for loans, or as a trading instrument. When a stablecoin behaves like a volatile asset, the entire system is thrown into uncertainty.

The Regulatory Response

This incident occurs in a particularly charged context for cryptocurrency regulation in the United States. The SEC had just published a new digital asset taxonomy on the previous Tuesday, explicitly classifying stablecoins as a distinct category separate from financial securities. This classification is generally welcomed by the industry, as it excludes stablecoins from the securities regulatory framework.

But the Resolv Labs case raises fundamental questions: how can regulators guarantee the stability of stablecoins if such elementary security flaws allow value to be created from thin air?

The CFTC, for its part, published guidelines on the use of cryptocurrencies as collateral in derivatives markets on the previous Friday (March 21). These rules specify that stablecoins used as collateral should only represent a 2% capital charge — but only if they meet certain safety and liquidity criteria. Would a protocol like Resolv Labs, whose stablecoin contract could be bypassed with $100,000 and a few transactions, be considered sufficiently safe by regulators? The question remains open.

Technical Analysis: Why Synthetic Stablecoins Remain Fragile

Resolv USR is neither a classic algorithmic stablecoin nor a fully backed stablecoin. It is what is called a synthetic stablecoin — it uses a combination of real collateral (USDC, for example) and algorithmic mechanisms to maintain its peg.

This hybrid architecture is supposed to offer the best of both worlds: the stability of an asset backed by real reserves, and the flexibility of a market mechanism to adjust supply. In practice, these systems are often more complex to secure than simpler protocols.

The fundamental problem highlighted by this incident: the minting function was « broken. » In a properly designed DeFi protocol, the creation of new tokens must be rigorously limited and verified:

  • The amount requested must correspond to the guaranteed amount
  • Price oracles must be protected against manipulation
  • Emergency mechanisms (circuit breakers) must be able to trigger automatically
  • Security audits must cover the most common attack vectors

Clearly, at least one of these safeguards failed at Resolv Labs.

Market Impact

The Price of USR

After hitting a low of 2.5 cents on Curve, USR stabilized at around 87 cents at the time of writing — a 13% discount to the dollar. This is better than the 2.5-cent collapse trough, but far from the $1 peg.

For USR holders hoping to recover their full investment, the situation is worrying. Unlike previous incidents (such as the TerraUSD depeg in 2022), Resolv Labs has not yet announced a reimbursement plan.

The Wider Market

The incident did not have a major impact on broader crypto markets at the time of publication. Bitcoin (BTC) and Ether (ETH) remained stable, largely ignoring the event. This suggests that institutional investors and major market players do not view this exploit as a systemic risk — at least not in the short term.

However, second-round effects could be felt in the coming days:

  • A reassessment of risks associated with smaller DeFi protocols
  • Pressure on regulators to tighten security requirements for stablecoins
  • A flight of liquidity providers toward more battle-tested protocols

Lessons for the Industry

Audits and Formal Verification

The Resolv Labs case is a stark reminder of the importance of security audits for DeFi protocols. Firms like Trail of Bits, OpenZeppelin, and Certik offer in-depth audits of smart contracts, but many protocols choose to skip this step for cost or time reasons.

Yet auditing the minting function of a stablecoin should be considered non-negotiable. It is quite literally the function that allows value to be created from nothing — and therefore the primary target of attackers.

Transparency of Reserves

Centralized stablecoins like USDC and USDT publish regular attestations of their bank reserves. Decentralized protocols like Resolv Labs have no such obligation, making it difficult for users to know whether every USR token in circulation is truly backed.

The industry is slowly moving toward stricter transparency standards, but the Resolv incident shows we have not yet arrived.

Automated Safety Mechanisms

A modern DeFi system should be equipped with circuit breakers — mechanisms that automatically halt suspicious operations before they can cause massive damage. In Resolv’s case, the team had to intervene manually to suspend the protocol, which took several hours during which the attacker was able to cash out his winnings.

Conclusion

The exploitation of the Resolv USR stablecoin is a painful reminder that decentralized finance remains a young industry with major technological risks. Within 17 minutes, an attacker managed to create $80 million in tokens, dump them on the market, and disappear with at least $25 million in profits.

For the crypto community, the incident raises fundamental questions:

  • Is smart contract security sufficient to manage billions of dollars in assets?
  • Are synthetic stablecoins viable in the long term, or does their complexity make them inherently more vulnerable?
  • What can regulators do to prevent this type of incident without stifling innovation?

For Resolv Labs users and USR holders, the time is one of waiting. The team has suspended the protocol, frozen minting functions, and promises a resolution. But at this stage, no one can guarantee that lost funds will be recovered.

Stay informed, stay cautious, and never invest more than you can afford to lose.

Sources: Cointelegraph, PeckShield, D2 Finance, DEX Screener, Resolv Labs (@ResolvLabs on X), CoinGecko

Telemac
Telemachttp://cryptoinfo.ch

Contenu [hide]

Lire la Suite

Articles