
The Resolv USR exploit was not a typical smart-contract-bug story. On March 22, an attacker with a compromised privileged key minted about 80 million unbacked USR against only roughly $100,000 to $200,000 in USDC, extracted about $23 million to $24.5 million in value, and broke the peg within minutes.
The exploit path was fast, simple, and expensive
Chainalysis says the attacker began with a relatively small USDC deposit and then used a compromised signing path to mint roughly 80 million USR, far beyond what the deposit should have allowed. CertiK’s reconstruction says the minting happened over two transactions and names a set of exploiter-linked addresses, including 0x8ED8cF0C…b81C. On Etherscan, that address is labeled “Resolv Exploiter 2” and, at the time of reporting, still held 11,408.85 ETH, worth about $24.3 million on the explorer’s live pricing.
Chainalysis exploit reconstruction
Resolv exploiter address on Etherscan
Resolv’s own public statement said a malicious actor gained unauthorized access to Resolv infrastructure through a compromised private key, that the collateral pool remained intact, and that the issue was limited to unauthorized minting rather than loss of the underlying reserve assets. The team paused the protocol on the day of the exploit. In a later public update, Resolv said about 46 million of the 80 million illicitly minted USR had been permanently removed from circulation and warned users not to trade USR or related tokens while recovery measures were still being implemented. That means the incident is no longer just a drain event; it is now a recovery and liability-management problem.
Resolv’s initial incident statement
Resolv’s supply-reduction update
The off-chain key failed, but the contract design made the blast radius much larger
The contract evidence shows why one compromised key could turn into money printing. On Etherscan, Resolv’s USR Counter contract exposes a completeSwap function gated by onlyRole(SERVICE_ROLE). That function accepts _targetAmount, calculates a fee from that amount, mints the requested swap token for the contract, and then transfers the net amount to the requesting provider. The key point is what is missing: the contract code shown on Etherscan does not enforce an on-chain maximum output tied to the user’s deposited collateral. It trusts the privileged role to pass the right number.
USR Counter contract on Etherscan
That architecture made the off-chain signer the real monetary authority. Chainalysis says the contract only checked that a valid authorization existed; it did not enforce a maximum mint limit itself. CertiK goes further and attributes the compromise to Resolv’s AWS Key Management Service environment, saying the attacker obtained access to the private key for the EOA that held SERVICE_ROLE. Resolv itself has publicly confirmed the compromised private key and unauthorized infrastructure access, but in the sources reviewed here it has not yet published a full technical post-mortem naming AWS KMS. The narrow point is still clear: once the trusted signer was gone, issuance controls were gone with it.
Stablecoins break when supply controls fail, even if reserves are still there
Resolv’s first public message emphasized that the collateral pool remained intact. That may be true in reserve-accounting terms, but markets do not price a stablecoin only on the condition of the reserve wallet. They price the credibility of redemption and the expected ratio between liabilities and realizable backing. Once 80 million unbacked USR hit secondary markets, the peg became a confidence problem before it became a reconciliation problem.
The market data shows how violent that transition was. CoinGecko’s USR page reports an all-time low of $0.1419 and a current price around $0.1649 at the time of reporting, more than 80% below par. Chainalysis and other reporting describe the attacker swapping minted USR through wstUSR into stablecoins and then ETH, which is the path that turns an issuance flaw into realized economic loss. In a design like this, the exploiter does not need to redeem directly against reserves. They only need enough DEX and market depth to offload the synthetic supply before the system pauses. That is why “the collateral is intact” stops being enough comfort once issuance has been decoupled from hard on-chain limits.
Multisig would have helped, but it would not have fixed the real design error
This is where many post-mortems stop too early. It is tempting to say the answer was simply “use multisig.” That is incomplete. If the protocol had put admin powers like pause and upgrade behind multisig but still allowed one service key to finalize arbitrary mint amounts, the stablecoin would still have had a single point of monetary failure. Even a threshold signer can fail if the thing being approved is opaque, or if signers are only checking that a request looks normal rather than that it is mathematically bounded by collateral and policy.
The real missing control was not just more signatures. It was enforceable invariants. The on-chain contract should have rejected any mint amount that exceeded the deposited value under a defined pricing rule, daily issuance cap, or per-request ceiling. Signatures should have been bound to exact deposit amounts, assets, and expiry windows rather than just to an authorization pathway. Key management should then have added another layer: threshold signing, strict KMS policy separation, hardware-backed isolation, and anomaly-driven auto-pauses. Chainalysis argues that real-time on-chain monitoring and automated response are the last line of defense once off-chain assumptions fail. The contract code shows why that line was necessary here: the signer could ask for almost any _targetAmount, and the contract would do the rest.
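As an added illustration (not Resolv's code and not a reconstruction of it), the contract below shows what the missing invariants from the two sections above look like when they live on-chain: the signer still holds SERVICE_ROLE, but the contract rejects any request whose output exceeds the deposited collateral, a per-request ceiling, a daily cap, or its expiry. The contract name, the 1:1 USDC-to-USR pricing rule, the fee and the cap values are constructed assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";

interface IMintableUSR { function mint(address to, uint256 amount) external; }
interface ICollateral { function transferFrom(address from, address to, uint256 amt) external returns (bool); }

// Hypothetical hardened swap-to-mint contract (constructed for illustration, not Resolv's code).
// The signer still holds SERVICE_ROLE, but the contract, not the signer, decides the maximum output.
contract BoundedMinter is AccessControl {
    bytes32 public constant SERVICE_ROLE = keccak256("SERVICE_ROLE");
    uint256 public constant USDC_TO_USR = 1e12;   // 6-decimal USDC -> 18-decimal USR at a 1:1 policy price (assumption)
    uint256 public constant FEE_BPS = 10;         // constructed fee: 0.10%

    IMintableUSR public immutable usr;
    ICollateral public immutable usdc;
    uint256 public immutable perRequestCap;       // ceiling on any single completeSwap
    uint256 public immutable dailyCap;            // ceiling on issuance per 24h window
    uint256 public mintedInWindow;
    uint256 public windowStart;

    constructor(address usr_, address usdc_, uint256 perRequestCap_, uint256 dailyCap_) {
        usr = IMintableUSR(usr_);
        usdc = ICollateral(usdc_);
        perRequestCap = perRequestCap_;
        dailyCap = dailyCap_;
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Every value the off-chain signer is trusted for is re-checked here, so a stolen key can
    // only mint what the deposited collateral, the caps and the expiry window allow.
    function completeSwap(address provider, uint256 usdcIn, uint256 targetAmount, uint256 deadline)
        external onlyRole(SERVICE_ROLE)
    {
        require(block.timestamp <= deadline, "request expired");
        // Invariant 1: output is bounded by the deposited collateral under the pricing rule.
        require(targetAmount <= usdcIn * USDC_TO_USR, "exceeds collateral");
        // Invariant 2: per-request ceiling, independent of collateral.
        require(targetAmount <= perRequestCap, "exceeds per-request cap");
        // Invariant 3: daily issuance cap, so a burst of large requests also stops.
        if (block.timestamp >= windowStart + 1 days) { windowStart = block.timestamp; mintedInWindow = 0; }
        require(mintedInWindow + targetAmount <= dailyCap, "exceeds daily cap");
        mintedInWindow += targetAmount;
        // Collateral is pulled before any USR exists; if the deposit fails, nothing is minted.
        require(usdc.transferFrom(provider, address(this), usdcIn), "collateral transfer failed");
        uint256 fee = targetAmount * FEE_BPS / 10_000;
        usr.mint(address(this), fee);             // fee stays with the contract
        usr.mint(provider, targetAmount - fee);   // net amount to the requesting provider
    }
}
```

The signed request the service submits should cover exactly the fields checked here (provider, usdcIn, targetAmount, deadline) rather than a bare authorization, so a captured signature cannot be replayed with a different amount.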
What stablecoin builders and integrators should change now
The Resolv exploit is a warning for any protocol whose economic policy lives in backends, signer services, or cloud access policies. Builders should ask a hard question: where does the final “no” live? If the answer is “in our backend,” the protocol is not really trust-minimized at the monetary layer. For minting systems, the contract itself has to enforce supply bounds, not just authenticate who requested issuance. That means collateral-linked maximums, rate limits, delayed settlement for abnormal size jumps, and emergency brakes that trigger on anomalous mint volumes.
Integrators should adjust their own standards too. Listing or using a stablecoin should require more than audit counts and reserve language on a docs page. They should look for on-chain issuance caps, documented role separation, threshold controls around signer infrastructure, and a clearly tested kill-switch path. Resolv’s latest public update shows partial containment by removing roughly 46 million illicit USR from circulation, but the exploiter-linked ETH remains visible on-chain and the token is still far below par. That is the final lesson: once unbacked supply reaches the market, recovery is much harder than prevention.
Resolv may still publish a fuller remediation plan or reimbursement framework, but the broader signal is already visible. Stablecoin issuance cannot rely on off-chain trust plus on-chain obedience; if one signer can print, that signer is the central bank, and a key compromise becomes a peg failure.
- Resolv Labs — Official incident statement — https://x.com/ResolvLabs/status/2035830314799599616
- Resolv Labs — Update on illicitly minted USR supply reduction — https://x.com/ResolvLabs/status/2037110361711870214
Marcus Bishop is a senior crypto analyst with 8 years of experience covering Bitcoin, DeFi, and emerging blockchain technologies. Previously contributed to leading crypto publications. Specializes in on-chain data analysis, macro crypto market trends, and institutional adoption patterns. Alex holds a CFA designation and has been quoted in Bloomberg and Reuters.