Exchanged 200,000 for nearly 100 million, DeFi stablecoins are under attack again.


Written by: Eric, Foresight News

Around 10:21 AM Beijing time today, Resolv Labs, which issues the stablecoin USR using a delta neutral strategy, was hacked. An address starting with 0x04A2 minted 50 million USR from the Resolv Labs protocol using 100,000 USDC.

As the incident came to light, USR plummeted to around $0.25, and as of the time of writing, it has rebounded to about $0.80. The price of the RESOLV token briefly saw a decline of nearly 10%.

After that, the hacker repeated the method and minted 30 million USR using another 100,000 USDC. Following the significant de-pegging of USR, arbitrage traders also acted quickly, and many lending markets on Morpho that supported USR, wstUSR, and other collateral types were nearly emptied, leading Lista DAO on the BNB Chain to suspend new loan requests.

The impact was not limited to these lending protocols. In Resolv Labs’ protocol design, users could also mint a more volatile RLP token, which offers higher yields but requires compensation when the protocol incurs losses. Currently, the circulating supply of RLP tokens is nearly 30 million, with the largest holder, Stream Finance, holding over 13 million RLP, resulting in a net risk exposure of about $17 million.

Indeed, Stream Finance, which previously faced a crisis due to xUSD, may be hit again.

As of the time of writing, the hacker has converted USR to USDC and USDT and has been continuously buying Ethereum, having already purchased over 10,000. They extracted over $20 million in assets using 200,000 USDC, finding their own “hundredfold coin” during the bear market.

Another Gap Due to “Lack of Rigorousness”

The crash on October 11 last year caused many stablecoins issued using delta neutral strategies to suffer collateral losses due to ADL (automatic deleveraging). Some projects that executed strategies based on altcoins faced even more severe losses or went directly bankrupt.

The attacked Resolv Labs also issued USR using a similar mechanism. The project announced in April 2025 that it had completed a $10 million seed round led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, and launched the RESOLV token in late May to early June.

However, the reason for Resolv Labs being attacked was not due to extreme market conditions, but rather because the design of the USR minting mechanism was “not rigorous enough.”

As of now, no security firm or official has analyzed the reasons behind this hacker incident. The DeFi community YAM has concluded through analysis that the attack was likely due to the SERVICE_ROLE used by the protocol backend to provide parameters for the minting contract being controlled by the hacker.

According to Grok’s analysis, when users mint USR, they initiate a request on-chain and call the contract’s requestMint function, with parameters including:

_depositTokenAddress: the address of the deposited token;

_amount: the amount deposited;

_minMintAmount: the minimum expected amount of USR to receive (to prevent slippage).

Subsequently, users deposit USDC or USDT into the contract, and the project’s backend SERVICE_ROLE monitors the request, checks the value of the deposited assets using the Pyth oracle, and then calls the completeMint or completeSwap function to decide the actual amount of USR to mint.

The problem lies in the fact that the minting contract fully trusts the _mintAmount provided by the SERVICE_ROLE, assuming that this number has been verified off-chain by Pyth. Thus, no upper limit was set, and no on-chain oracle verification was performed, directly executing mint(_mintAmount).

Accordingly, YAM suspects that the hacker controlled the SERVICE_ROLE that should have been managed by the project team (possibly due to an internal oracle failure, collusion, or key theft) and directly set the _mintAmount to 50 million during the minting process, executing the attack of minting 50 million USR with 100,000 USDC.

Ultimately, Grok concluded that Resolv did not consider the possibility that the address (or contract) used to receive user minting requests could be controlled by hackers when designing the protocol. There were no maximum minting limits set when submitting requests to the contract that ultimately mints USR, nor was there any on-chain oracle verification for the minting contract, which directly trusted all parameters provided by the SERVICE_ROLE.

Prevention Measures Were Also Inadequate

In addition to speculating on the reasons for the hack, YAM also pointed out the project’s insufficient preparation in crisis response.

YAM stated on X that Resolv Labs did not pause the protocol until 3 hours after the hacker’s first attack, with about 1 hour of that delay attributed to collecting the 4 signatures required for the multi-signature transaction. YAM believes that an emergency pause should require only one signature, and that this authority should be distributed as widely as possible among team members or trusted external operators. This would increase attention to on-chain anomalies, improve the likelihood of a quick pause, and better cover different time zones.

Although the suggestion that only a single signature is needed to pause the protocol may seem radical, requiring multiple signatures across different time zones to pause the protocol could indeed delay critical actions in emergencies. Introducing trusted third parties that continuously monitor on-chain behavior or utilizing monitoring tools with emergency pause protocol privileges are lessons learned from this incident.
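As an added illustration, not Resolv’s code, the following Solidity sketch shows the two controls the analysis above says were missing in completeMint (an independent on-chain oracle bound on _mintAmount and a hard cap on minting per epoch), together with the single-signature pause role described in the previous paragraphs, kept separate from the multisig admin that alone can unpause. The IPriceFeed interface, the role mappings, the tolerance and cap constants, and the balance mapping standing in for the USR token are all hypothetical placeholders; token transfers and the real Pyth integration are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface (placeholder, not Pyth's real API): USD value of `amount` of `token`, 18 decimals.
interface IPriceFeed { function usdValue(address token, uint256 amount) external view returns (uint256); }

contract GuardedMinter {
    struct Request { address token; uint256 amount; uint256 minMint; address user; bool done; }

    address public admin;                              // multisig: can set roles and unpause
    mapping(address => bool) public isService;         // SERVICE_ROLE: may complete mints, never unbounded
    mapping(address => bool) public isPauser;          // PAUSER_ROLE: any single holder can pause alone
    bool public paused;
    IPriceFeed public feed;
    uint256 public constant TOLERANCE_BPS = 100;       // service figure may exceed on-chain value by at most 1%
    uint256 public constant EPOCH_CAP = 1_000_000e18;  // hypothetical hard cap on USR minted per day
    uint256 public epochMinted; uint256 public epochStart; uint256 public nextId;
    mapping(uint256 => Request) public requests;
    mapping(address => uint256) public balanceOf;      // stand-in for the USR token

    event Minted(uint256 id, uint256 amount);
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(IPriceFeed f) { admin = msg.sender; feed = f; epochStart = block.timestamp; }

    // One signature is enough to stop minting; restarting needs the multisig.
    function pause() external { require(isPauser[msg.sender] || msg.sender == admin, "not pauser"); paused = true; }
    function unpause() external { require(msg.sender == admin, "not admin"); paused = false; }
    function setRoles(address a, bool service, bool pauser) external {
        require(msg.sender == admin, "not admin"); isService[a] = service; isPauser[a] = pauser;
    }

    // Same parameters as in the flow described above; the deposit transfer itself is omitted here.
    function requestMint(address _depositTokenAddress, uint256 _amount, uint256 _minMintAmount)
        external whenNotPaused returns (uint256 id) {
        id = nextId++;
        requests[id] = Request(_depositTokenAddress, _amount, _minMintAmount, msg.sender, false);
    }

    function completeMint(uint256 id, uint256 _mintAmount) external whenNotPaused {
        require(isService[msg.sender], "not service");
        Request storage r = requests[id];
        require(!r.done, "already completed"); r.done = true;
        // 1. Independent on-chain check: the backend's figure is bounded by the oracle value plus tolerance.
        uint256 onchain = feed.usdValue(r.token, r.amount);
        require(_mintAmount <= onchain * (10_000 + TOLERANCE_BPS) / 10_000, "mint exceeds oracle value");
        // 2. The user's own slippage floor from the original request still applies.
        require(_mintAmount >= r.minMint, "below minMintAmount");
        // 3. Rate limit: even a compromised SERVICE_ROLE cannot exceed EPOCH_CAP within one epoch.
        if (block.timestamp >= epochStart + 1 days) { epochStart = block.timestamp; epochMinted = 0; }
        require(epochMinted + _mintAmount <= EPOCH_CAP, "epoch cap reached");
        epochMinted += _mintAmount; balanceOf[r.user] += _mintAmount; emit Minted(id, _mintAmount);
    }
}
```

With these checks, a request backed by 100,000 USDC cannot be completed for 50 million USR regardless of what the SERVICE_ROLE submits, and a single pauser can halt the contract while the multisig is still being assembled.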

Hacker attacks on DeFi protocols have long since extended beyond contract vulnerabilities; the incident with Resolv Labs serves as a warning to project teams that protocol security must not rest on trusting any single part of the process. All parameters involved must undergo at least double verification, even for backend operations managed by the project team themselves.
