Apart from Resolv being hacked, this type of DeFi vulnerability has occurred four times before.
17 minutes, $100,000 turned into $25 million.
Author: The Defiant
Translation: Deep Tide TechFlow
Deep Tide Guide: This article isn’t just a review of the Resolv vulnerability; it’s about a more troubling issue: the same attack pattern—hardcoded oracles pricing de-pegged stablecoins at $1—has occurred at least four times in the past 14 months. The problem isn’t just a technical bug but a fundamental flaw in the curator model’s incentive structure: risks are borne by depositors, while profits go to curators.
Full Text Below:
On a quiet Sunday morning, someone turned $100,000 into $25 million in about 17 minutes.
The target was the yield-bearing stablecoin protocol Resolv. Before Resolv paused its contracts, its USD-pegged stablecoin USR had fallen to a few cents. As of writing, USR remains severely de-pegged, trading around $0.25, down over 70% this week.
The ripple effects go far beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day, while experiencing over $300 million in net outflows—its largest single-day outflow ever. 15 Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance all paused USR-related markets.
The mechanism that allowed this vulnerability—pricing de-pegged stablecoins at $1 in lending markets—is not new. Over the past 14 months, this has happened at least four times.
How the vulnerability works
USR minting is a two-step process that relies on an off-chain signer: users deposit USDC via requestSwap, then a privileged off-chain signer holding the SERVICE_ROLE signs off on the final USR issuance through completeSwap. The contract enforces a minimum output but no maximum cap. Whatever the signer approves, the contract executes.
Attackers gained access to this signer key via Resolv’s AWS Key Management Service. They submitted two USDC deposits totaling roughly $100k–$200k, then used the stolen key to authorize the minting of 80 million USR tokens in return. On-chain data shows two transactions, minting 50 million USR and 30 million USR respectively, completed within minutes.
“Resolv USR’s vulnerability isn’t a bug—it’s a feature operating as designed. That’s the real problem,” said on-chain analyst Vadim (@zacodil).
The SERVICE_ROLE is a regular external account address, not a multisig. The admin key is protected by multisig, but the minting key is not.
“Resolv has undergone 18 audits,” Vadim said, “and one of the findings was literally called ‘lack of upper limit’.”
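The missing ceiling described above, modelled in Python as an added example (this is not Resolv's contract code). The class and function names, the 1.01 rate ceiling, the per-window cap and the deposit figures are assumptions constructed for illustration; only the floor-without-ceiling behaviour comes from the article.

```python
from dataclasses import dataclass
from decimal import Decimal


class MintRejected(Exception):
    """Raised when a signed mint amount fails an on-contract check."""


@dataclass(frozen=True)
class SwapRequest:
    deposit_usdc: Decimal  # amount escrowed by the requestSwap step
    min_usr_out: Decimal   # depositor's minimum acceptable output


def complete_swap_unbounded(req: SwapRequest, signed_usr_out: Decimal) -> Decimal:
    """Behaviour the article describes: a floor, but no ceiling."""
    if signed_usr_out < req.min_usr_out:
        raise MintRejected("below minimum output")
    return signed_usr_out  # whatever the signer approved is minted


@dataclass
class BoundedMinter:
    """Hypothetical hardened variant: the signer key alone cannot inflate supply."""
    max_rate: Decimal = Decimal("1.01")       # assumed USR-per-USDC ceiling
    window_cap: Decimal = Decimal("5000000")  # assumed total mint per time window
    minted_in_window: Decimal = Decimal("0")

    def complete_swap(self, req: SwapRequest, signed_usr_out: Decimal) -> Decimal:
        if signed_usr_out < req.min_usr_out:
            raise MintRejected("below minimum output")
        # Ceiling tied to the escrowed deposit, enforced by the contract itself.
        if signed_usr_out > req.deposit_usdc * self.max_rate:
            raise MintRejected("exceeds deposit-proportional ceiling")
        # Rate limit bounds the damage even if the ceiling logic is bypassed.
        if self.minted_in_window + signed_usr_out > self.window_cap:
            raise MintRejected("exceeds window mint cap")
        self.minted_in_window += signed_usr_out
        return signed_usr_out


# Constructed sample: a 100,000 USDC deposit and a 50,000,000 USR signed output.
SAMPLE_REQUEST = SwapRequest(Decimal("100000"), Decimal("99000"))
SAMPLE_SIGNED_OUT = Decimal("50000000")
```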
The attacker systematically exited: first converting the minted USR into wstUSR (a staked wrapped version) to slow market impact, then swapping it via Curve, Uniswap, and KyberSwap into ETH. The attacker’s wallet holds about 11,400 ETH (roughly $24 million). The ETH and BTC collateral pools backing the system remain intact despite the stablecoin collapse.
How contagion spreads
The Resolv incident is actually two events layered together: the minting bug and the chain reaction in the lending markets.
When USR and wstUSR collapsed, every lending market accepting them as collateral faced the same problem: their oracles still priced wstUSR close to $1.
Omer Goldberg, founder of risk analytics firm Chaos Labs, documented this mechanism. His key finding: “The oracle is hardcoded and never re-prices. wstUSR is marked at $1.13, but on the secondary market, it trades at about $0.63.”
Traders buy wstUSR cheaply on open markets, then use Morpho or Fluid to borrow USDC against it at the oracle’s $1.13 quote, then exit.
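A monitoring check for this condition, as an added Python example that is not taken from any of the protocols named here. It compares the price a lending market uses for collateral with the secondary-market price and flags markets where one unit of collateral can borrow more than it is worth. The $1.13 and $0.63 figures are the ones Goldberg quotes; the LLTV values, the 5% deviation threshold and the other two markets are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Market:
    name: str
    oracle_price: Decimal  # price the lending market applies to the collateral
    market_price: Decimal  # observed secondary-market price
    lltv: Decimal          # liquidation loan-to-value (assumed values below)


def assess(m: Market, max_deviation: Decimal = Decimal("0.05")):
    """Return (status, shortfall per unit of collateral) for one market."""
    deviation = abs(m.oracle_price - m.market_price) / m.oracle_price
    max_borrow = m.oracle_price * m.lltv  # loan value one unit can support
    # If one unit borrows more than it sells for, every new loan is bad debt.
    shortfall = max(max_borrow - m.market_price, Decimal("0"))
    if shortfall > 0:
        return "PAUSE", shortfall
    if deviation > max_deviation:
        return "WARN", shortfall
    return "OK", shortfall


def scan(markets):
    """Assess every market and return {name: (status, shortfall)}."""
    return {m.name: assess(m) for m in markets}


# Constructed sample data; only the wstUSR prices come from the article.
MARKETS = [
    Market("wstUSR/USDC", Decimal("1.13"), Decimal("0.63"), Decimal("0.915")),
    Market("stableA/USDC", Decimal("1.00"), Decimal("0.93"), Decimal("0.86")),
    Market("stableB/USDC", Decimal("1.00"), Decimal("0.999"), Decimal("0.915")),
]

if __name__ == "__main__":
    for name, (status, shortfall) in scan(MARKETS).items():
        print(f"{name:14} {status:5} shortfall/unit={shortfall}")
```

A "PAUSE" result means the hardcoded price has stopped protecting against volatility and is now subsidizing borrowing against collateral worth less than the loan.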
At Fluid, the team arranged short-term loans to cover 100% of the bad debt, promising full compensation to users. At Morpho, co-founder Paul Frambot said about 15 vaults had large exposures, all in high-risk, long-tail collateral strategies.
Renowned curator Gauntlet said, “A few high-yield vaults have limited exposure.”
But D2 Finance directly challenged this, releasing on-chain data showing Gauntlet’s flagship “USDC Core Vault” had allocated $4.95 million to the wstUSR/USDC market. Goldberg later said Gauntlet’s vaults account for 98% of the lending liquidity in that market.
In a written response to The Defiant, Frambot said: “We’ve been exploring how to better present various risks. But we don’t believe the core issue is a lack of labeling.”
He added: “Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they deem suitable for a specific market. It’s open, permissionless infrastructure designed to outsource risk management to curators.”
“It’s difficult to enforce objective ‘correct’ guardrails in all scenarios,” Frambot said. “Imposing constraints at the protocol level also risks hindering legitimate strategies.”
While the underlying protocol leaves risk management to curators, some industry insiders believe curators have not fulfilled their responsibilities.
“I think the design of the curator industry is flawed because there’s no real curation happening,” said Marc Zeller on X.
As of press time, neither Resolv, Gauntlet, nor Fluid responded to requests for comment from The Defiant.
A recurring failure pattern
This isn’t a new attack. In January 2025, Usual Protocol’s USD0++ was hardcoded at $1 in a Morpho vault by curator MEV Capital. Usual then suddenly re-priced its redemption price to $0.87 without warning, locking lenders into MEV Capital’s vault, which saw utilization spike to 100%.
In November 2025, Stream Finance’s xUSD collapsed after curators routed USDC deposits into a leveraged cycle supported by that synthetic stablecoin. When its oracle refused to update, assets worth between $285 million and $700 million on Morpho, Euler, and Silo faced risk. Moonwell experienced two oracle failures in October and November 2025, totaling over $5 million in bad debt.
What this means for the curator model
Morpho’s architecture outsources all risk decisions to third-party “curators,” who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory is that professional institutions have deeper expertise, competition improves risk management, and the protocol simply enforces the rules.
But curators rely on generated yields to earn fees, creating incentives to accept higher-risk, higher-yield collateral (like yield-bearing stablecoins). The problem is, when these stablecoins de-peg, losses are borne by depositors, not curators. During the Resolv incident, some automated bots continued injecting funds into affected vaults hours after the breach, deepening losses.
The reason for hardcoding oracles for yield-bearing stablecoins is to prevent short-term volatility from triggering unnecessary liquidations. But this protection only works when the stablecoins stay stable.
Chainalysis, a blockchain analysis firm, said in a post-mortem that real-time on-chain monitoring is needed.
“On-chain smart contracts are functioning perfectly. The problem is clearly in the broader system design and off-chain infrastructure,” the firm stated.