Resolv’s USR stablecoin has unraveled following a major exploit, leaving the protocol deeply undercollateralized and its dollar peg effectively broken.
The platform holds roughly $95 million in assets against $173 million in liabilities, placing it in a state of functional insolvency. USR is now trading near $0.27, down about 72% over the past week.
The attack occurred around 2:21 a.m. UTC on Sunday, when a vulnerability in the minting contract was exploited. The attacker generated nearly 80 million unbacked USR tokens across two transactions and siphoned off around $25 million, according to onchain data and blockchain security firms.
Those funds were quickly moved through decentralized exchanges, with the attacker swapping USR into USD Coin and Tether before converting the proceeds into Ethereum. The attacker currently holds approximately 11,409 ETH—valued at about $23.7 million—alongside $1.1 million in wrapped USR in a separate wallet.
USR, which relies on a delta-neutral hedging strategy backed by ETH and BTC, saw its price collapse to $0.025 within minutes on its most liquid pool on Curve Finance. Although it briefly rebounded to around $0.85, it has failed to recover its peg and remains under heavy pressure.
Deeper issues beneath the exploit
Resolv initially attributed the incident to a compromised private key and a targeted infrastructure breach. However, further analysis revealed more fundamental design flaws.
At the center of the issue was the SERVICE_ROLE, a privileged function within the minting contract responsible for processing swaps. This role was controlled by a single externally owned account instead of a multi-signature wallet. Additionally, the contract lacked critical safeguards such as oracle checks, minting limits and transaction validation.
This allowed the attacker to deposit just 100,000 USDC and receive 50 million USR in return—roughly 500 times the expected amount—without triggering any checks.
Ido Sofer, founder of Sodot, said such centralized control points often become overlooked vulnerabilities. He noted a growing trend of attackers targeting sensitive credentials—like developer keys and API access—that don’t directly custody funds but can still enable exploits.
Falling TVL and uncertain path forward
According to DeFiLlama, Resolv’s total value locked peaked near $684 million in February 2025 before declining steadily to around $95 million ahead of the exploit, reflecting weakening confidence in the protocol.
Resolv said it is working with law enforcement and blockchain analytics firms to track the stolen funds and explore recovery options. The team has also advised users to avoid trading USR during this period, warning that post-exploit activity could impact recovery efforts.
With liabilities far exceeding assets and trust significantly damaged, restoring USR’s peg remains a steep challenge.
