Resolv Labs’ USR Stablecoin Loses Dollar Peg After Contract Exploit
An attacker exploited a flaw in the USR token contract, minting tens of millions of unbacked tokens, triggering a sharp de‑peg and a rapid cash‑out across DeFi platforms.
What happened
On Sunday, the team behind the Resolv Labs ecosystem announced that its USR stablecoin had been compromised. According to a post on the project’s official X account, an adversary managed to mint 50 million USR tokens by depositing roughly $100 000 worth of USDC into the contract. Subsequent on‑chain investigations by security firm PeckShield revealed a second minting event that created an additional 30 million USR.
The combined 80 million newly‑issued tokens were not backed by any collateral, effectively flooding the market with unbacked supply. In response, Resolv Labs immediately halted all protocol functions to prevent further abuse and began working on a remediation plan.
How the attacker cashed out
Analysis from the crypto‑research fund D2 Finance shows that the malicious actor quickly transferred the freshly minted USR to several DeFi protocols. The tokens were swapped for other stablecoins—USDC and USDT—before being converted to Ether (ETH) in a series of high‑velocity trades. The exit strategy matched a textbook DeFi hack playbook, with the attacker prioritising speed to avoid slippage and liquidity constraints.
During the liquidation, USR prices on the most liquid Curve Finance pool briefly plunged to as low as 2.5 ¢ per token—roughly a 98 % discount to the intended $1 peg. Within minutes, the price rebounded to around 84–87 ¢ as liquidity providers and arbitrage bots stepped in. D2 Finance estimates that the attacker extracted roughly $25 million from the operation.
Technical observations
D2 Finance’s on‑chain forensics point to a broken minting function in the USR contract. Possible failure points include:
- Manipulation of the price oracle that validates collateral value.
- Compromise of an off‑chain signer responsible for authorising mint requests.
- Absence of proper validation checks that compare the amount requested with the amount actually deposited.
The exact cause has not yet been confirmed by Resolv Labs, which is conducting a post‑mortem.
Market context
The exploit arrives amid a notable decline in crypto‑related hacks. February saw a dip to $49 million in total losses, down from $385 million recorded in January, with attackers shifting toward phishing and social‑engineering attacks rather than direct protocol exploits. Nevertheless, the USR incident underscores that smart‑contract vulnerabilities continue to pose a significant risk, especially for algorithmic stablecoins that rely on precise collateral‑to‑token ratios.
Key takeaways
- Contract integrity is paramount – even a single unchecked minting pathway can generate millions of unsecured tokens, instantly destabilising a stablecoin’s peg.
- Rapid response matters – Resolv Labs’ swift pause of protocol functions likely limited further damage, but the incident still resulted in a multi‑million‑dollar loss.
- Liquidity can be volatile – the Curve pool’s price crash to 2.5 ¢ illustrates how quickly market depth can evaporate under a massive, unbacked supply shock.
- DeFi exit strategies remain sophisticated – attackers are leveraging multiple swaps and bridges to convert illicit gains, making real‑time monitoring essential for risk‑mitigation teams.
- Oracles and off‑chain signers require hardened security – any weakness in price feeds or authorisation mechanisms can be weaponised to bypass collateral checks.
Resolv Labs has pledged to audit the contract, restore proper minting safeguards, and explore compensation mechanisms for affected USR holders. The incident serves as a reminder that the stability of algorithmic and collateral‑backed stablecoins hinges on flawless code execution and robust governance safeguards.
Source: https://cointelegraph.com/news/resolv-labs-stablecoin-depegs-attacker-mints-millions-of-tokens?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound
