An attacker exploited a vulnerability in Resolv's USR stablecoin minting contract on Sunday, creating approximately 80 million unbacked tokens and extracting roughly $25 million, according to multiple blockchain security firms.

The attack began around 2:21 a.m. UTC. The X account YieldsAndMore was the first to flag the incident, posting Etherscan transaction data showing that the attacker deposited 100,000 USDC into Resolv's USR Counter contract and received 50 million USR in return, roughly 500 times the expected amount. A second transaction minted an additional 30 million USR.

USR is a dollar-pegged stablecoin that uses a delta-neutral hedging strategy backed by ETH and BTC rather than fiat reserves. The token dropped to $0.025 on its most liquid Curve Finance pool within 17 minutes of the first mint, per DEX Screener. It later recovered to around $0.85 but had not restored its peg as of Sunday morning.

The attacker, operating from an address beginning with 0x04A2, swapped the minted USR for USDC and USDT across decentralized exchanges, then converted the proceeds into ETH. The attacker's wallet address holds 11,409 ETH worth about $23.7 million at time of publication, per blockchain data. Another wallet address identified as belonging to the attacker holds about $1.1 million worth of wstUSR tokens. 

In its statements on X, Resolv Labs said it had paused all protocol functions and that its collateral pool "remains fully intact" with "no underlying assets" lost. The team called the issue "isolated to USR issuance mechanics."

Analysts point to weak access controls

Onchain analyst Andrew Hong attributed the breach to the protocol's SERVICE_ROLE, a privileged account that completes swap requests. That role was controlled by a standard externally owned account (EOA) rather than a multisig. The minting contract lacked oracle checks, amount validation, and maximum mint limits.

DeFi fund D2 Finance outlined three possible explanations: the oracle was manipulated, the off-chain signer was compromised, or amount validation between a mint request and its completion was simply absent. YieldsAndMore echoed that analysis and noted the administrative role lacked guardrails expected of a protocol Resolv's size.

"This is exactly where stablecoin risk becomes real," Deddy Lavid, CEO of onchain security firm Cyvers, told The Block. "Audits alone are not enough, if you’re not monitoring minting and supply in real time, you’re blind when it matters most."

"This ties in to a growing trend of attacks that are focusing on the blind spot of security teams - sensitive keys and credentials that do not hold the funds directly, but can be used to access the funds," Ido Sofer, CEO of key management firm Sodot, told The Block. 

USR holders face steep losses

Though Resolv's claim that its collateral pool "remains fully intact" is technically accurate, the assertion understates the damage. As onchain analysts noted, the attack took the form of supply inflation rather than a direct theft of backing assets. The 80 million new tokens diluted existing supply, and the attacker's selling obliterated pool liquidity. Anyone holding USR at the time faced immediate losses.

The depeg also cascaded into DeFi lending markets. USR and its staked derivative wstUSR were accepted as collateral on platforms including Morpho and Gauntlet. Opportunistic traders may have bought USR at its discounted market price and borrowed USDC against it at the hardcoded $1 valuation, draining stablecoin liquidity from those vaults. D2 Finance flagged that Gauntlet-curated vaults on Morpho were among those affected.

The damage may extend to Resolv's junior tranche as well. YieldsAndMore noted that the Resolv Liquidity Pool (RLP), which serves as an insurance layer absorbing losses to protect USR holders, had roughly $38.6 million in circulation at pre-exploit prices. The largest RLP holder is Stream Finance, the yield protocol that disclosed a $93 million loss in Nov. 2025 after an external fund manager misappropriated assets. 

Stream holds a 13.6 million RLP position on Morpho representing approximately $17 million in net exposure, meaning its depositors could face yet another significant loss, per YieldsAndMore. 

The exploit struck a protocol that was already shedding value. USR's market cap had fallen from approximately $400 million in early February to roughly $100 million before the attack, per CoinMarketCap data. The RESOLV governance token has fallen in price about 8.5% over the past 24 hours, following the exploit. 

The Abu Dhabi-based Resolv raised a $10 million seed round in April 2025 led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, and Animoca Ventures. Incubated through Delphi Labs, it offered yield through funding rate arbitrage and a dual-tranche system pairing USR with a risk-bearing insurance layer called RLP.

Resolv's website touts 14 audit engagements from five firms, a $500,000 Immunefi bug bounty, and continuous smart contract monitoring. Resolv did not immediately respond to a request for comment from The Block. 

Exploit adds to a growing 2026 DeFi hack tally

The Resolv incident is the latest in a series of crypto exploits in early 2026. In January, Truebit lost $26.6 million after an attacker targeted a vulnerability in a smart contract deployed five years ago. That same month, Makina Finance lost roughly $5 million from a stablecoin pool after an attacker used a flash loan to manipulate the protocol's oracle. An Immunefi report published last week found the average crypto hack now costs about $25 million, with the top five exploits in 2024-2025 accounting for 62% of all stolen funds.

The timing is also notable from a policy perspective, as U.S. lawmakers are actively debating how to regulate yield-bearing stablecoins under the GENIUS Act. The American Bankers Association has warned that such products could draw deposits away from traditional banks, and key senators reached an "agreement in principle" on stablecoin yield treatment on Friday.