Exchange 200,000 for nearly 100 million, DeFi stablecoin attacked again


Written by: Eric, Foresight News

Around 10:21 AM Beijing time today, Resolv Labs, issuer of the stablecoin USR built on a delta-neutral strategy, was hacked. An address starting with 0x04A2 used 100,000 USDC to mint 50 million USR tokens from the Resolv Labs protocol.

As the incident was revealed, USR price dropped to around $0.25, then rebounded to about $0.8 by the time of writing. The RESOLV token price also briefly fell nearly 10%.

Subsequently, the hacker repeated the process, again using 100,000 USDC to mint 30 million USR tokens. With USR significantly de-pegged, arbitrage traders quickly acted. Many lending markets supporting USR, wstUSR, and other collateral on Morpho have been almost drained, and Lista DAO on BNB Chain has paused new borrowing requests.

The impact extends beyond these lending protocols. In Resolv Labs’ design, users can also mint an RLP token, which is more volatile and yields higher returns, but whose holders bear the loss if the protocol incurs one. Currently, the circulating supply of RLP is nearly 30 million, with the largest holder, Stream Finance, holding over 13 million RLP. The net risk exposure is approximately $17 million.

Yes, Stream Finance, which previously suffered a major loss due to xUSD’s collapse, might be hit again.

As of the time of writing, the hacker has converted USR into USDC and USDT and continues to buy Ethereum, having purchased over 10,000 ETH so far. With 200,000 USDC, they have extracted assets worth over $20 million. In a bear market, the hacker found a “hundredfold coin” of their own making.

Once again, a lack of rigor led to exploitation

The major crash on October 11 last year caused many stablecoins issued via delta-neutral strategies to suffer collateral losses through automatic deleveraging (ADL). Projects using altcoins as part of their strategies faced even heavier losses or shut down outright.

This time, Resolv Labs also issued USR using a similar mechanism. The project announced in April 2025 that it completed a $10 million seed round led by Cyber.Fund and Maven11, with Coinbase Ventures participating. It launched its token RESOLV in late May or early June.

However, the reason for the attack was not extreme market conditions but rather a flaw in the USR minting mechanism’s design.

Currently, neither a security firm nor the project itself has published an analysis of the cause of this hack. The DeFi community’s YAM project, through initial analysis, concluded that the attack was likely caused by the hacker gaining control of the SERVICE_ROLE used by the protocol backend to supply parameters for minting.

According to Grok’s analysis, when users mint USR, they initiate a request on-chain, calling the requestMint function with parameters including:

  • _depositTokenAddress: the address of the token deposited;

  • _amount: the amount deposited;

  • _minMintAmount: the minimum expected USR to receive (slippage protection).

Then, users deposit USDC or USDT into the contract. The project’s backend, with control over SERVICE_ROLE, monitors the request, uses the Pyth oracle to check the value of the deposited assets, and then calls completeMint or completeSwap to determine the actual amount of USR to mint.

The problem lies in the fact that the minting contract fully trusts the _mintAmount provided by SERVICE_ROLE, assuming the number has already been verified off-chain against Pyth. As a result, no upper limit is enforced and no on-chain oracle check is performed before mint(_mintAmount) executes.

Based on this, YAM suspects that the hacker gained control of the SERVICE_ROLE, which should be controlled by the project team (possibly due to internal oracle malfunction, insider theft, or key compromise). During minting, the hacker set _mintAmount to 50 million, enabling the attack to mint 50 million USR tokens with just 100,000 USDC.

Ultimately, Grok’s conclusion is that Resolv’s protocol design did not consider the possibility that the address (or contract) receiving user mint requests could be controlled by a hacker. When the mint request was submitted to the final minting contract, there was no maximum mint limit, nor was there secondary verification via on-chain oracles. It blindly trusted all parameters provided by SERVICE_ROLE.
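The trust boundary described above, as an added illustration that is not Resolv’s code: a minimal minting contract showing the unchecked completeMint pattern beside a version that bounds _mintAmount on-chain. The function and role names follow the article; the price-feed interface, the cap values and the assumption that deposit amounts are already normalized to 18 decimals are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in on-chain price feed (assumption; not the protocol's Pyth integration).
interface IPriceFeed {
    function priceUsd18(address token) external view returns (uint256); // 1e18 == $1.00
}

contract BoundedMinter {
    struct Request { address token; uint256 amount; uint256 minMintAmount; address user; bool done; }

    address public immutable service;       // the SERVICE_ROLE holder (one address for brevity)
    IPriceFeed public immutable feed;
    uint256 public constant MAX_PREMIUM_BPS = 100;                // tolerate 1% above oracle value
    uint256 public constant MAX_MINT_PER_REQUEST = 1_000_000e18;  // hard cap even if the oracle lies
    mapping(uint256 => Request) public requests;
    mapping(address => uint256) public balanceOf;                 // toy USR balance
    uint256 public nextId;

    constructor(address _service, IPriceFeed _feed) { service = _service; feed = _feed; }

    // User side: record the request (deposit transfer omitted); _amount assumed 18-decimal normalized.
    function requestMint(address _depositTokenAddress, uint256 _amount, uint256 _minMintAmount)
        external returns (uint256 id)
    {
        id = nextId++;
        requests[id] = Request(_depositTokenAddress, _amount, _minMintAmount, msg.sender, false);
    }

    // Pattern the article describes: whatever SERVICE_ROLE passes as _mintAmount is minted as-is.
    function completeMintUnchecked(uint256 id, uint256 _mintAmount) external {
        require(msg.sender == service, "not SERVICE_ROLE");
        Request storage r = requests[id];
        require(!r.done, "already completed");
        r.done = true;
        balanceOf[r.user] += _mintAmount;   // a compromised key can pass any number here
    }

    // Hardened: same call, but bounded on-chain before anything is minted.
    function completeMint(uint256 id, uint256 _mintAmount) external {
        require(msg.sender == service, "not SERVICE_ROLE");
        Request storage r = requests[id];
        require(!r.done, "already completed");
        uint256 implied = r.amount * feed.priceUsd18(r.token) / 1e18;          // oracle-implied USD value
        require(_mintAmount <= implied * (10_000 + MAX_PREMIUM_BPS) / 10_000, "exceeds oracle value");
        require(_mintAmount >= r.minMintAmount, "below user minimum");         // user's slippage floor
        require(_mintAmount <= MAX_MINT_PER_REQUEST, "exceeds per-request cap");
        r.done = true;
        balanceOf[r.user] += _mintAmount;
    }
}
```

With a 100,000 USDC deposit priced at $1.00, the bounded path refuses anything above 101,000 USR regardless of what the backend submits; the unchecked function is kept only for contrast and would not ship.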

Inadequate safeguards

Besides speculating on the cause of the breach, YAM also pointed out that the project’s crisis response was insufficient.

YAM stated on X that Resolv Labs only paused the protocol three hours after the initial attack, with about an hour of that delay spent collecting signatures from four signers for the multi-sig transaction. YAM believes that an emergency pause should require only a single signature, with that permission distributed to team members or trusted external operators. This would improve responsiveness to on-chain anomalies and enable faster halts, especially across different time zones.

The suggestion that a single signature should suffice to pause the protocol is somewhat aggressive, but requiring multiple signatures across time zones clearly can delay critical responses during emergencies. Bringing in trusted third parties that continuously monitor on-chain activity, or adopting tooling that holds emergency pause permissions, are lessons from this incident.

Attacks on DeFi protocols are no longer limited to contract vulnerabilities. The Resolv Labs incident serves as a warning: a protocol’s security assumption should be that no component can be fully trusted. Every step that supplies parameters must undergo at least a second, independent check, even for backend operations run by the project itself.
