Resolv stablecoin plunges 70% after attacker drains $25 million in ETH
Resolv’s USR stablecoin has effectively broken its dollar peg after a major exploit exposed deep structural flaws in the protocol, leaving it severely undercollateralized.
The system currently holds about $95 million in assets against $173 million in liabilities, rendering it functionally insolvent. USR is now trading at roughly $0.27, down 72% over the past week—far from its intended $1 value.
The incident unfolded around 2:21 a.m. UTC on Sunday, when an attacker exploited a vulnerability in Resolv’s minting contract. By leveraging the flaw, the attacker created approximately 80 million unbacked USR tokens across two transactions and extracted about $25 million, according to blockchain security firms and onchain data.
The attacker quickly swapped the newly minted USR into USD Coin and Tether on decentralized exchanges, before converting the proceeds into Ethereum. The funds now sit in wallets holding roughly 11,409 ETH—valued at about $23.7 million—along with an additional $1.1 million in wrapped USR.
USR, which relies on a delta-neutral strategy backed by ETH and BTC, saw its price collapse to as low as $0.025 within minutes on its most liquid pool on Curve Finance. Although it briefly rebounded to around $0.85, it has failed to regain its peg and continues to trade at distressed levels.
Structural flaws exposed
Initial statements from the Resolv team attributed the breach to a compromised private key and a targeted infrastructure attack. However, onchain investigators later identified deeper architectural issues.
At the center of the problem was the SERVICE_ROLE—a privileged role in the minting contract responsible for processing swaps—which was controlled by a single externally owned account rather than a multi-signature setup. The contract also lacked basic safeguards, including oracle price checks, mint limits, and validation controls.
This allowed the attacker to deposit just 100,000 USDC and receive 50 million USR in return—roughly 500 times the expected amount—with no mechanism in place to flag the discrepancy.
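The safeguards named above (an oracle price bound and mint limits) can be modelled in a few lines. The following Python sketch is an added example, not Resolv's contract code: `MintGuard`, its thresholds, the 18-decimal USR unit and the 8-decimal oracle price format are assumptions made for illustration. It bounds only over-minting and is run against the deposit and mint figures reported above plus constructed follow-up mints.

```python
from dataclasses import dataclass, field

USDC_DECIMALS = 6    # USDC uses 6 decimals
USR_DECIMALS = 18    # assumption for this sketch
BPS = 10_000         # basis points in 100%

@dataclass
class MintGuard:
    max_deviation_bps: int   # tolerated excess over the oracle-implied mint
    per_tx_cap: int          # max USR base units in one mint
    window_cap: int          # max USR base units per rolling window
    window_seconds: int
    _history: list = field(default_factory=list)  # (timestamp, amount) of accepted mints

    def expected_mint(self, deposit_usdc: int, usdc_price_e8: int) -> int:
        """USR base units implied by the deposit at the oracle price (USD, 8 decimals)."""
        usd_e8 = deposit_usdc * usdc_price_e8 // 10**USDC_DECIMALS
        return usd_e8 * 10**USR_DECIMALS // 10**8

    def check(self, deposit_usdc, requested_usr, usdc_price_e8, now):
        """Return (ok, reason); the mint is recorded only when every check passes."""
        if deposit_usdc <= 0 or requested_usr <= 0 or usdc_price_e8 <= 0:
            return False, "invalid-input"
        expected = self.expected_mint(deposit_usdc, usdc_price_e8)
        if requested_usr * BPS > expected * (BPS + self.max_deviation_bps):
            return False, "exceeds-oracle-bound"
        if requested_usr > self.per_tx_cap:
            return False, "exceeds-per-tx-cap"
        self._history = [(t, a) for t, a in self._history if now - t < self.window_seconds]
        if sum(a for _, a in self._history) + requested_usr > self.window_cap:
            return False, "exceeds-window-cap"
        self._history.append((now, requested_usr))
        return True, "ok"

def usdc(n): return n * 10**USDC_DECIMALS
def usr(n): return n * 10**USR_DECIMALS

def demo():
    guard = MintGuard(max_deviation_bps=50, per_tx_cap=usr(5_000_000),
                      window_cap=usr(8_000_000), window_seconds=3600)
    price = 100_000_000  # constructed oracle reading: 1.00 USD, 8 decimals
    return [
        guard.check(usdc(100_000), usr(100_000), price, now=0),       # fair mint
        guard.check(usdc(100_000), usr(50_000_000), price, now=10),   # figures from the article
        guard.check(usdc(5_000_000), usr(5_000_000), price, now=20),  # at the per-tx cap
        guard.check(usdc(4_000_000), usr(4_000_000), price, now=30),  # window exhausted
    ]
```

Each check is independent, so a request that slipped past the price bound because of a bad oracle reading would still be stopped by the per-transaction and rolling-window caps.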
Ido Sofer, founder of Sodot, noted that such privileged keys often become overlooked vulnerabilities. He highlighted a broader trend of attackers targeting sensitive credentials that don’t directly hold funds but can still grant critical access, including developer keys and API credentials.
Declining reserves, uncertain recovery
According to DeFiLlama, Resolv’s total value locked peaked near $684 million in February 2025 before steadily declining to about $95 million ahead of the exploit—signaling weakening confidence even before the attack.
The Resolv team said it is coordinating with law enforcement and blockchain analytics firms to trace and recover the stolen funds. It also warned users against trading USR during the recovery phase, noting that post-exploit activity could impact restitution efforts.
With liabilities far exceeding assets and confidence severely shaken, restoring the stablecoin’s peg appears increasingly difficult.