
The Resolv hack: How one compromised key printed $23M


The Resolv DeFi protocol lost $23 million after an attacker compromised an off-chain signing key to mint 80 million unbacked USR tokens. This incident highlights the critical vulnerability of relying on centralized cloud infrastructure within decentralized systems.

On March 22, 2026, the Resolv DeFi protocol became the latest example of how quickly things can unravel in DeFi when security assumptions fail. In a matter of minutes, an attacker was able to mint tens of millions of Resolv’s unbacked stablecoins (USR) and extract roughly $23 million in value, triggering a sharp de-peg and forcing the protocol to halt operations.

At first glance, this might look like another smart contract exploit. But it wasn’t. The code worked exactly as intended.

Instead, it was a case of overly trusting off-chain infrastructure. As DeFi systems become more complex and use more external services, privileged keys, and cloud infrastructure, the attack surface expands far beyond the blockchain itself.

What happened, in a nutshell

The attacker started by depositing a relatively small amount (around $100K–$200K in USDC) and used it to interact with Resolv’s USR stablecoin minting system. Normally, users deposit USDC and receive an equivalent amount of USR in return. However, in this case, the attacker was able to mint around 80 million USR tokens, far beyond what their deposit should have allowed.

This was possible because minting approvals depended on an off-chain service that used a privileged private key to sign off on how much USR could be created. Unfortunately, the smart contract itself did not enforce any maximum limit on minting – it only checked that a valid signature existed.

After minting the unbacked USR, the attacker quickly converted it into a staked version (wstUSR), then gradually swapped it into other stablecoins and eventually into ETH. By the end of the attack, they had extracted approximately $25 million in ETH. The sudden flood of unbacked USR into the market also caused the token’s price to drop by around 80%.

How Resolv’s token minting is supposed to work

Understanding how this attack happened requires first understanding Resolv’s minting design.

When a user wants to mint Resolv’s native token, USR, they don’t interact with an autonomous on-chain mechanism. Instead, they go through a two-step off-chain process:

  1. requestSwap – The user deposits USDC into the USR Counter contract and submits a minting request.
  2. completeSwap – An off-chain service, controlled by a privileged private key called the SERVICE_ROLE, reviews the request and calls back to the contract to finalize how much USR to mint.

The contract enforces a minimum USR output – but critically, no maximum. There is no on-chain ratio check between the collateral deposited and the USR to be minted. No price oracle. No cap. No maximum mint ratio. So, whatever the key holder signs will get minted.
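The following is an added model of the two-step flow described above, not Resolv's code: it shows the original check (signature gate plus a minimum-output floor) beside a hardened `completeSwap` that caps output by the collateral actually deposited. The `MAX_USR_PER_USDC_BPS` value and the deposit/output amounts are assumptions for illustration.

```python
from dataclasses import dataclass, field

USDC_DECIMALS, USR_DECIMALS = 6, 18
# Assumed hardening parameter: at most 1.01 USR per 1 USDC (fee/slippage headroom).
MAX_USR_PER_USDC_BPS = 10_100

@dataclass
class SwapRequest:
    user: str
    usdc_in: int       # USDC base units (6 decimals)
    min_usr_out: int   # floor the user is willing to accept (18 decimals)

@dataclass
class UsrCounter:
    service_role: str
    enforce_cap: bool  # False models the design described above; True adds the missing cap
    requests: dict = field(default_factory=dict)
    total_supply: int = 0
    next_id: int = 0

    def request_swap(self, user, usdc_in, min_usr_out):
        # Step 1: user deposits USDC and files a request; nothing is minted yet.
        rid = self.next_id
        self.next_id += 1
        self.requests[rid] = SwapRequest(user, usdc_in, min_usr_out)
        return rid

    def complete_swap(self, caller, rid, usr_out):
        # Step 2: only SERVICE_ROLE may finalize. In the original design this
        # check plus the minimum-output floor is everything the contract verifies.
        if caller != self.service_role:
            raise PermissionError("caller is not SERVICE_ROLE")
        req = self.requests.pop(rid)
        if usr_out < req.min_usr_out:
            raise ValueError("below requested minimum")
        if self.enforce_cap:
            # Hardened: bound the output by the collateral actually deposited,
            # so even a compromised key can mint at most the capped ratio.
            scale = 10 ** (USR_DECIMALS - USDC_DECIMALS)
            max_out = req.usdc_in * scale * MAX_USR_PER_USDC_BPS // 10_000
            if usr_out > max_out:
                raise ValueError("output exceeds collateral-backed cap")
        self.total_supply += usr_out
        return usr_out

def try_inflated_mint(enforce_cap, usdc_in=150_000 * 10**6, usr_out=40_000_000 * 10**18):
    """Deposit a modest amount, then have SERVICE_ROLE sign off on a huge output."""
    c = UsrCounter(service_role="service", enforce_cap=enforce_cap)
    rid = c.request_swap("attacker", usdc_in, min_usr_out=1)
    try:
        return c.complete_swap("service", rid, usr_out)
    except ValueError:
        return 0   # rejected on-chain
```

With `enforce_cap=False` the inflated output is minted because the key holder signed it; with `enforce_cap=True` the same call is rejected regardless of who holds the key.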

A step-by-step breakdown of the attack

Step 1. Gaining Access to Resolv’s AWS KMS Environment

The attacker compromised Resolv’s cloud infrastructure to gain access to Resolv’s AWS Key Management Service (KMS) environment where the protocol’s privileged signing key was stored. With control over the KMS environment, the attacker could use Resolv’s own minting key to authorize any minting operation they chose.

Step 2. Minting the USR Tokens

Armed with the signing key, the attacker made two swap requests, each funded with a modest USDC deposit. The SERVICE_ROLE key was then used to call completeSwap with inflated output amounts, authorizing tens of millions of USR in exchange for the USDC deposits.

In total, 80 million USR tokens were minted, worth approximately $25 million.

Step 3. Bypassing Liquidity with wstUSR

The attacker then converted USR into wstUSR (wrapped staked USR). By staking into wstUSR, the attacker moved their position into a less liquid but more fungible derivative to maximize extraction without immediately tanking the market further.

Step 4. Cashing Out

From wstUSR, the attacker swapped into stablecoins, then into ETH, rotating through multiple DEX pools and bridges to maximize their extraction and obscure the trail.

Impact and Security Lessons

The consequences for USR holders were immediate and severe. As the supply flooded the markets, USR’s dollar peg collapsed, dropping as low as $0.20 (an 80% collapse).

Following the attack, Resolv Labs suspended all protocol functions to prevent further damage and began investigating the breach.

The hack on Resolv is a story about how DeFi protocols inherit the security assumptions, and the vulnerabilities, of the off-chain infrastructure they depend on. The on-chain smart contract worked perfectly; the broader system design and off-chain infrastructure did not.

Real-time monitoring and automated response mechanisms are now a necessity, as exploits unfold in minutes, leaving no time for reactive measures once the damage is visible.
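As an added illustration of the monitoring point above (not Resolv's tooling), this sliding-window detector watches USR mint events for supply growth that no legitimate deposit flow would produce, and fires a pause hook the moment the threshold is crossed. The initial supply, the 5% per 10 minutes threshold and the event timestamps and amounts are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_WINDOW_GROWTH_BPS = 500   # assumed: more than 5% supply growth per window is abnormal

# Constructed sample Mint events (ISO timestamp, whole USR minted); not real chain data.
SAMPLE_EVENTS = [
    ("2026-03-22T10:00:00", 120_000),
    ("2026-03-22T10:03:00", 95_000),
    ("2026-03-22T10:05:00", 40_000_000),
    ("2026-03-22T10:07:00", 40_000_000),
]

class MintMonitor:
    """Tracks minted supply over a sliding window and triggers an automated pause."""

    def __init__(self, initial_supply, pause_hook):
        self.supply = initial_supply
        self.window = deque()          # (timestamp, amount) pairs inside WINDOW
        self.paused = False
        self.pause_hook = pause_hook   # e.g. a call that invokes the protocol's pause

    def on_mint(self, ts_iso, amount):
        ts = datetime.fromisoformat(ts_iso)
        self.supply += amount
        while self.window and ts - self.window[0][0] > WINDOW:
            self.window.popleft()
        self.window.append((ts, amount))
        if self.paused:
            return "already-paused"   # a mint after the pause signal is itself an alert
        minted_in_window = sum(a for _, a in self.window)
        baseline = self.supply - minted_in_window   # supply before this window began
        growth_bps = minted_in_window * 10_000 // baseline
        if growth_bps > MAX_WINDOW_GROWTH_BPS:
            self.paused = True
            self.pause_hook(ts, minted_in_window)
            return "pause"
        return "ok"

def run_monitor(events=SAMPLE_EVENTS, initial_supply=100_000_000):
    """Replay events; return per-event verdicts and the pause calls that fired."""
    pauses = []
    mon = MintMonitor(initial_supply, lambda ts, total: pauses.append((ts.isoformat(), total)))
    verdicts = [mon.on_mint(ts, amt) for ts, amt in events]
    return verdicts, pauses
```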

© 2026 Now Let Us. All rights reserved.

Source: Hacker News
