Resolv Hacker Attack: How a Single Key Leak Led to $23 Million in Illegal Minting

As DeFi systems become increasingly complex and rely more heavily on external services, privileged keys, and cloud infrastructure.

Article: Chainalysis

Translation: AididiaoJP, Foresight News

On March 22, 2026, the Resolv DeFi protocol became the latest example demonstrating how quickly the DeFi space can spiral into crisis when security assumptions fail. Within just a few minutes, an attacker minted tens of millions of USR stablecoins without collateral backing and extracted approximately $25 million worth of value, causing the USR price to sharply decouple, and forcing the protocol to halt operations.

At first glance, this appears to be another smart contract vulnerability incident. However, that is not the case. The way the relevant code operates is fully consistent with its design.

In reality, this was an incident caused by over-trusting off-chain infrastructure. As DeFi systems grow more complex and increasingly depend on external services, privileged keys, and cloud infrastructure, their attack surface has far exceeded the scope of the blockchain itself.

This article will review the sequence of events and their impact, and further explore: when off-chain components are compromised, only real-time on-chain threat detection and response mechanisms can serve as a critical last line of defense, making a fundamental difference between controlled incidents and exploits that cause millions of dollars in losses.

Event Summary

The attacker first deposited a small amount of funds (about $100,000 to $200,000 USDC) and used this to interact with Resolv’s USR minting system. Under normal circumstances, depositing USDC would result in receiving an equivalent amount of USR. However, in this incident, the attacker successfully minted about 80 million USR tokens, far exceeding the reasonable amount supported by their deposit.

This happened because the mint approval process relied on an off-chain service that used a privileged private key to authorize USR minting amounts. The smart contract itself did not impose any limit on the minting quantity — it only verified the validity of the signature.

After minting the uncollateralized USR, the attacker quickly converted it into the staked version wstUSR, then gradually exchanged it for other stablecoins, and finally withdrew as ETH. By the end of the attack, the attacker had profited about $25 million worth of ETH. A large influx of uncollateralized USR flooded the market, causing its price to plummet by about 80%.

Once the outcome was clear, the following analysis will detail how the design flaws in the minting process enabled this attack.

Normal Resolv Token Minting Process

To understand the cause of this attack, it’s essential to grasp Resolv’s minting mechanism design.

When a user wants to mint Resolv’s native token USR, the interaction is not with a fully autonomous on-chain process but involves a two-step off-chain process:

requestSwap — The user deposits USDC into the USR Counter contract and initiates a mint request.

completeSwap — An off-chain service controlled by a privileged key (SERVICE_ROLE) reviews the request and, via a callback to the contract, determines the final USR minting amount.

On the contract level, only a minimum USR output is specified, with no upper limit. There are no on-chain checks for the ratio between collateral deposited and USR minted, nor integration of price oracles, total supply caps, or maximum minting ratios. In other words, any amount signed by this privileged key can be executed for minting.

Attack Steps in Detail

Step 1: Gaining access to Resolv’s AWS KMS environment

The attacker compromised Resolv’s cloud infrastructure, gaining access to the AWS Key Management Service environment used by Resolv, which stored the protocol’s privileged signing keys. With control over the KMS environment, the attacker could use Resolv’s own minting keys to authorize arbitrary minting operations.

Step 2: Minting USR tokens

After obtaining the signing keys, the attacker initiated two swap requests, each supported by a small USDC deposit (totaling about $100,000 to $200,000), spread across multiple transactions. Then, the attacker used the SERVICE_ROLE key to call completeSwap, filling in inflated output amounts, thereby minting tens of millions of USR with only a small USDC deposit.

On-chain, two major transactions were identified:

• 50 million USR minting transaction
• 30 million USR minting transaction

These combined minted 80 million USR tokens, worth approximately $25 million.

Step 3: Circumventing liquidity constraints via wstUSR

The attacker then converted USR into wstUSR, a derivative token representing staked pool shares, whose value is not fixed to USR. By converting to wstUSR, they avoided directly impacting the USR market, shifting their position into a less liquid but more interchangeable asset form.

Step 4: Cashing out and exiting

Based on wstUSR holdings, the attacker further exchanged into stablecoins, then into ETH, and used multiple decentralized exchanges and cross-chain bridges to transfer funds, maximizing withdrawal amounts and complicating tracking.

As of writing, the attacker’s address still holds:

• About 11,400 ETH (worth around $24 million)
• About 20 million wstUSR (valued at roughly $130,000 after decoupling)

Impact on USR Holders

This incident caused severe direct harm to USR holders.

The newly minted 80 million uncollateralized USR tokens entered liquidity pools on decentralized exchanges. As supply surged, the peg of USR to USD collapsed rapidly. The token briefly fell to $0.20, an 80% drop, then recovered somewhat over hours to about $0.56.

Following the incident, Resolv Labs issued a statement suspending all protocol functions to prevent further losses and began investigating the breach. Given that the attacker was still attempting to mint more USR, prompt action to prevent further damage was critical, highlighting the importance of rapid response to such attacks.

A Sound Security Philosophy: Assume Vulnerabilities Will Occur

Despite Resolv implementing all standard security measures and completing up to 18 security audits, this attack fundamentally boils down to a simple story: the attacker obtained a key, used it to mint assets illegally, and liquidated those assets before detection.

However, deeper analysis reveals how DeFi protocols inherit security assumptions and risks from their reliance on off-chain infrastructure. The on-chain smart contracts operated exactly as designed, but the overall system design and the compromised off-chain infrastructure failed to meet necessary security standards.

In an environment where exploits can be completed within minutes and losses become apparent almost immediately, real-time monitoring and automated response mechanisms are no longer optional but essential safeguards.

Hexagate Prevention Case Study

The Resolv attack underscores the importance of real-time on-chain monitoring for detection. If Chainalysis Hexagate had been in place, the following two detection methods could have been effective:

Method 1: Monitoring abnormal minting events

By configuring Hexagate or similar monitoring systems, one could track calls to the completeSwap function, focusing on detecting cases where the USR minting amount is disproportionately large compared to the collateral deposited.

For example, a deposit of $100,000 USDC resulting in a mint of 50 million USR is an abnormal ratio far beyond normal user operations. Setting alert rules—such as triggering an alarm when the minting ratio exceeds 1.5 times the normal—could have flagged these two major transactions immediately.

Hexagate’s custom monitoring could have automatically responded upon detecting such abnormal minting behavior, triggering an automated contract pause.

Method 2: Combining GateSigner with custom controls for key contract events

Since the attacker had to perform both requestSwap and completeSwap steps, each generating on-chain events, Hexagate’s GateSigner feature combined with event monitoring could have been configured to automatically pause the contract upon detecting suspicious mint events, preventing any USR from entering the open market before further damage occurred.