
The Resolv hack: How one compromised key printed $23M

Why This Matters

The Resolv hack highlights the growing risks in DeFi due to reliance on off-chain infrastructure and privileged keys, demonstrating how security vulnerabilities outside the blockchain can lead to massive financial losses. This incident underscores the importance of robust on-chain threat detection and secure key management to protect users and maintain trust in decentralized finance systems.

Key Takeaways

On March 22, 2026, the Resolv DeFi protocol became the latest example of how quickly things can unravel in DeFi when security assumptions fail. In a matter of minutes, an attacker was able to mint tens of millions of Resolv’s unbacked stablecoins (USR) and extract roughly $23 million in value, triggering a sharp de-peg and forcing the protocol to halt operations.

At first glance, this might look like another smart contract exploit. But it wasn’t. The code worked exactly as intended.

Instead, it was a case of overly trusting off-chain infrastructure. As DeFi systems become more complex and use more external services, privileged keys, and cloud infrastructure, the attack surface expands far beyond the blockchain itself.

In this post, we’ll look at what happened and what the impact was. We’ll also explore why, when off-chain components are compromised, only real-time, on-chain threat detection and response mechanisms can act as the critical final line of defence and make the difference between a contained incident and a multi-million dollar exploit.

What happened, in a nutshell

The attacker started by depositing a relatively small amount (around $100K–$200K in USDC) and used it to interact with Resolv’s USR stablecoin minting system. Normally, users deposit USDC and receive an equivalent amount of USR in return. However, in this case, the attacker was able to mint around 80 million USR tokens, far beyond what their deposit should have allowed.

This was possible because minting approvals depended on an off-chain service that used a privileged private key to sign off on how much USR could be created. Unfortunately, the smart contract itself did not enforce any maximum limit on minting – it only checked that a valid signature existed.
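The gap described above, modelled as an added example (not Resolv's contract code and not from the original article): a mint check that accepts any validly signed amount, next to one that also enforces limits itself. HMAC-SHA256 stands in for the signer's signature scheme, and the key, tolerance, window cap and account labels are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values: HMAC-SHA256 stands in for the signer's signature scheme,
# and the key, tolerance and cap are hypothetical, not Resolv's parameters.
SIGNER_KEY = b"constructed-demo-signer-key"
MAX_MINT_PER_DEPOSIT_BPS = 10_100      # mint at most 101% of deposited value
WINDOW_CAP_USR = 5_000_000             # ceiling on total mints per window


def sign_approval(key: bytes, account: str, deposit_usdc: int, mint_usr: int) -> bytes:
    """Off-chain service: signs whatever amounts it is handed."""
    msg = f"{account}|{deposit_usdc}|{mint_usr}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def signature_ok(account, deposit_usdc, mint_usr, sig) -> bool:
    expected = sign_approval(SIGNER_KEY, account, deposit_usdc, mint_usr)
    return hmac.compare_digest(expected, sig)


def mint_signature_only(account, deposit_usdc, mint_usr, sig) -> bool:
    """The check as the article describes it: a valid signature is sufficient."""
    return signature_ok(account, deposit_usdc, mint_usr, sig)


class BoundedMinter:
    """Same signature check plus limits enforced by the contract itself."""

    def __init__(self):
        self.minted_in_window = 0

    def mint(self, account, deposit_usdc, mint_usr, sig) -> bool:
        if not signature_ok(account, deposit_usdc, mint_usr, sig):
            return False
        # Bound 1: minted amount must track the collateral actually deposited.
        if mint_usr * 10_000 > deposit_usdc * MAX_MINT_PER_DEPOSIT_BPS:
            return False
        # Bound 2: total issuance per window is capped regardless of who signs.
        if self.minted_in_window + mint_usr > WINDOW_CAP_USR:
            return False
        self.minted_in_window += mint_usr
        return True
```

With the article's figures (a deposit of about 100,000 USDC and a signed request for 80 million USR), the signature-only check accepts the request, while the bounded version rejects it even though the signature is valid.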

After minting the unbacked USR, the attacker quickly converted it into a staked version (wstUSR), then gradually swapped it into other stablecoins and eventually into ETH. By the end of the attack, they had extracted approximately $25 million in ETH. The sudden flood of unbacked USR into the market also caused the token’s price to drop by around 80%.

With the outcome known, let’s take a quick look at how the minting design made this hack possible.

How Resolv’s token minting is supposed to work
