Exchange 200,000 for nearly 100 million, DeFi stablecoin attacked again


Article by: Eric, Foresight News

Around 10:21 AM Beijing time today, Resolv Labs, which issued the stablecoin USR using Delta neutral strategies, was hacked. An address starting with 0x04A2 used 100,000 USDC to mint 50 million USR from the Resolv Labs protocol.

As the incident came to light, USR dropped to around $0.25, then recovered to about $0.8 by the time of writing. The RESOLV token price also briefly fell nearly 10%.

Subsequently, the hacker repeated the process, again using 100,000 USDC to mint 30 million USR. With USR significantly de-pegged, arbitrage traders quickly acted. Many lending markets supporting USR, wstUSR, and other collateral on Morpho have been almost drained, and Lista DAO on BNB Chain has paused new borrowing requests.

The impact extends beyond these lending protocols. In Resolv Labs’ design, users can also mint a token called RLP, which carries higher volatility and yield but must cover losses if the protocol incurs them. RLP currently has a circulating supply of nearly 30 million; the largest holder, Stream Finance, holds over 13 million RLP, a net exposure of about $17 million.

Yes, Stream Finance, which previously suffered a major loss due to xUSD’s collapse, might face another blow.

As of now, the hacker has converted the USR into USDC and USDT and continues to buy Ethereum, having purchased over 10,000 ETH. With 200,000 USDC, they have cashed out assets worth over $20 million. In a bear market, the hacker found a “hundredfold coin” of their own.

Another Exploit Due to “Lack of Rigor”

The sharp decline on October 11 last year caused many stablecoins issued via Delta neutral strategies to suffer collateral losses due to ADL (automatic deleveraging). Projects using altcoins as collateral faced even heavier losses or outright exit scams.

This time, Resolv Labs also used a similar mechanism to issue USR. The project announced in April 2025 that it completed a $10 million seed round led by Cyber.Fund and Maven11, with Coinbase Ventures participating. It launched the RESOLV token in late May or early June.

However, the reason Resolv Labs was attacked was not due to extreme market conditions but because the mechanism for minting USR was “not sufficiently rigorous.”

So far, neither a security firm nor the project team has published an analysis of the cause of this hack. The DeFi community YAM concluded from a preliminary analysis that the attack was most likely carried out by a hacker who gained control of the SERVICE_ROLE that the protocol backend uses to supply minting parameters.

According to Grok’s analysis, when users mint USR, they initiate a request on-chain and call the contract’s requestMint function, with parameters including:

  • _depositTokenAddress: the address of the token deposited;

  • _amount: the deposit amount;

  • _minMintAmount: the minimum expected USR to receive (slippage protection).

The user then deposits USDC or USDT into the contract. The project’s backend, holding the SERVICE_ROLE, monitors the request, uses the Pyth oracle to check the value of the deposited assets, and then calls completeMint or completeSwap with the actual amount of USR to mint.

The problem is that the minting contract fully trusts the _mintAmount supplied by SERVICE_ROLE, on the assumption that the figure has already been checked off-chain against Pyth. No upper limit was set and no on-chain oracle verification was performed; the contract simply executed mint(_mintAmount).

On this basis, YAM suspects that the hacker took control of the SERVICE_ROLE, which should have been held by the project team (possibly through an internal oracle malfunction, insider theft, or key compromise), and set _mintAmount to 50 million, so that 100,000 USDC minted 50 million USR.

Grok’s conclusion is that Resolv’s protocol design never considered that the address (or contract) receiving user mint requests could fall under a hacker’s control. When the mint request reached the final minting contract, there was no maximum mint limit and no secondary check against an on-chain oracle; the contract blindly trusted every parameter provided by SERVICE_ROLE.
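As an added illustration (not Resolv’s code, and modelled only on the flow described above), the following Python sketch contrasts a completeMint that mints whatever _mintAmount the SERVICE_ROLE passes with one that bounds it by an on-chain oracle check and a per-transaction cap; the oracle price, cap and tolerance values are assumptions.

```python
# Added example, not Resolv's code: simplified model of the two-step mint flow; oracle price, cap and tolerance are assumed.
from dataclasses import dataclass

USDC_DECIMALS = 6
USR_DECIMALS = 18
PRICE_DECIMALS = 8  # Pyth-style 8-decimal USD price (assumed)

@dataclass
class MintRequest:
    deposit_token: str
    amount: int           # deposit in the token's smallest unit
    min_mint_amount: int  # user's slippage floor, in USR base units

class Minter:
    def __init__(self, oracle_price, max_mint_per_tx, tolerance_bps=100):
        self.oracle_price = oracle_price        # USD price of 1 deposit token
        self.max_mint_per_tx = max_mint_per_tx  # hard cap per completeMint
        self.tolerance_bps = tolerance_bps      # allowed drift above oracle value
        self.requests, self.total_supply, self.next_id = {}, 0, 0

    def request_mint(self, token, amount, min_mint_amount):
        # user side: records the request; the token transfer itself is out of scope
        self.next_id += 1
        self.requests[self.next_id] = MintRequest(token, amount, min_mint_amount)
        return self.next_id

    def oracle_value_in_usr(self, req):
        # USD value of the deposit expressed in USR base units (USR targets $1)
        return req.amount * self.oracle_price * 10 ** (USR_DECIMALS - USDC_DECIMALS) // 10 ** PRICE_DECIMALS

    def complete_mint_unchecked(self, req_id, mint_amount):
        # the pattern the article describes: whatever SERVICE_ROLE passes is minted
        self.requests.pop(req_id)
        self.total_supply += mint_amount
        return mint_amount

    def complete_mint_checked(self, req_id, mint_amount):
        # hardened: per-tx cap plus an on-chain sanity check against the oracle
        req = self.requests[req_id]
        if mint_amount < req.min_mint_amount:
            raise ValueError("below user's minimum")
        if mint_amount > self.max_mint_per_tx:
            raise ValueError("exceeds per-transaction cap")
        ceiling = self.oracle_value_in_usr(req) * (10_000 + self.tolerance_bps) // 10_000
        if mint_amount > ceiling:
            raise ValueError("exceeds oracle-implied value")
        del self.requests[req_id]
        self.total_supply += mint_amount
        return mint_amount
```

The checked path leaves the request in place when it rejects, so a wrong figure from the backend can be retried rather than silently consumed.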

Emergency Measures Were Also Lacking

Besides speculating on the cause of the breach, YAM pointed out that the project’s crisis response preparedness was insufficient.

YAM stated on X that Resolv Labs only paused the protocol three hours after the initial attack, with about an hour of delay due to collecting signatures from four signers for multi-sig transactions. YAM believes that emergency pause should only require a single signature, and permissions should be distributed to team members or trusted external operators. This would improve responsiveness to on-chain anomalies and enable faster halts, especially considering different time zones.

Allowing a single signature to pause the protocol is a somewhat aggressive suggestion, but requiring multiple signatures from signers spread across time zones can delay critical responses in an emergency. Bringing in trusted third parties that continuously monitor on-chain activity, or using emergency pause tools with built-in monitoring, are among the lessons of this incident.

Attacks on DeFi protocols are no longer limited to contract vulnerabilities. The Resolv Labs incident is a warning that, in protocol security, the working assumption should be that no component can be fully trusted. Every step that handles parameters must undergo at least a secondary check, even for backend operations run by the project itself.
