Resolv DeFi Breach Results in $24.5 Million Theft and Minting of $80 Million of Uncollateralized USR

Published
Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Massive stablecoin exploit: A malicious actor utilized a compromised private key to illicitly mint $80 million in uncollateralized USR tokens.
  • Market value collapse: Following the Resolv DeFi breach, the USR stablecoin severely depegged from the U.S. dollar, plummeting to approximately 26 cents.
  • Bounty negotiation initiated: Developers offered the attacker a 10% reward to return the remaining $24.5 million in stolen crypto within 72 hours.

A severe cyberattack on DeFi infrastructure has resulted in a $24.5 million loss for the decentralized finance platform Resolv, which announced on Monday afternoon that it is temporarily pausing its app to contain the impact of the incident. The attacker deposited a minimal amount of USDC but bypassed authorization limits to illicitly mint approximately 80 million USR tokens. 

Analyzing the Stablecoin Exploit

The Resolv DeFi breach occurred when a threat actor successfully compromised a private key governing the protocol's off-chain minting infrastructure. “Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure through a compromised private key, resulting in the minting of approximately $80M of uncollateralized USR,” Resolv Labs announced on X on March 22.

This was possible because minting approvals depend on another service that relies on a private key to approve the USR creation limit, but the company’s system did not enforce a maximum minting limit following the hack, according to Chainalysis, cited by The Record.

Resolv Labs announcement | Source: Resolv Labs on X

Because the system lacked a hard-coded maximum minting threshold for the compromised administrative key, the attacker successfully converted the unbacked assets into 11,408 ETH, effectively draining $24.5 million in liquidity. 
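The missing control described above, as an added sketch that is not Resolv's code: a mint gate that trusts only the approval signature, next to one that also enforces limits the key holder cannot override. HMAC stands in for the off-chain signature, and the key, the 1:1 collateral ratio and the per-key ceiling are assumed values.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from Resolv's code base.
SIGNER_KEY = b"constructed-approval-key"  # stands in for the off-chain approval key
MAX_MINT_PER_COLLATERAL = 1               # assumed policy: at most 1 USR per 1 USDC
MAX_MINT_PER_KEY = 1_000_000              # assumed hard ceiling per approval key


def sign_approval(key: bytes, depositor: str, deposit: int, mint: int) -> str:
    """Off-chain service: approve minting `mint` USR against `deposit` USDC."""
    msg = f"{depositor}|{deposit}|{mint}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signature_ok(depositor: str, deposit: int, mint: int, sig: str) -> bool:
    expected = sign_approval(SIGNER_KEY, depositor, deposit, mint)
    return hmac.compare_digest(expected, sig)


def mint_signature_only(depositor: str, deposit: int, mint: int, sig: str) -> int:
    """Weak gate: a valid signature is the only control on the minted amount."""
    if not signature_ok(depositor, deposit, mint, sig):
        raise PermissionError("bad approval signature")
    return mint


class BoundedMinter:
    """Hardened gate: limits hold even when the approval key is compromised."""

    def __init__(self) -> None:
        self.minted_by_key = 0  # running total approved by this key

    def mint(self, depositor: str, deposit: int, mint: int, sig: str) -> int:
        if not signature_ok(depositor, deposit, mint, sig):
            raise PermissionError("bad approval signature")
        # Checked independently of the signature: collateral must back the mint.
        if mint > deposit * MAX_MINT_PER_COLLATERAL:
            raise ValueError("mint exceeds deposited collateral")
        # Hard ceiling on what any single approval key can ever authorize.
        if self.minted_by_key + mint > MAX_MINT_PER_KEY:
            raise ValueError("mint exceeds hard cap for this approval key")
        self.minted_by_key += mint
        return mint
```

In the second gate, a validly signed request for far more USR than the deposit covers is rejected, so a stolen key bounds the loss at the configured ceiling instead of leaving it open-ended.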

The immediate market impact of this stablecoin exploit was catastrophic: the USR token depegged from the U.S. dollar and is now worth only cents.

Mitigating the Cyberattack on DeFi

In response, Resolv temporarily paused decentralized application functionalities and halted trading to contain the financial contagion. Currently, Season 4 airdrop claims are temporarily unavailable, while staking and unstaking of RESOLV tokens are temporarily inaccessible.

Resolv Labs sent an on-chain message to the exploiter address | Source: Resolv Labs

The platform's developers issued an on-chain ultimatum to the attacker on March 23, offering a 10% white-hat bounty if the funds are returned, while simultaneously preparing to engage law enforcement and centralized exchanges to freeze the illicit assets.

In 2024, the Lazarus hackers exploited a Google Chrome zero-day in a fake DeFi game attack.

