I just learned about a pretty serious hack of the stablecoin Resolv. After the attacker discovered a vulnerability in the minting contract, they created 80 million fake USR tokens and withdrew about $25 million worth of ETH. The price dropped from $1 to 2.5 cents in 17 minutes, then slightly recovered to 27 cents – a 72% decline over a week.



Interestingly, the team initially called it a key compromise, but analysts identified the real issue: structural flaws. The SERVICE_ROLE, a privileged minting account, was controlled by a single key without multi-signature. The contract lacked oracle checks, amount validation, and maximum limits. The attacker deposited 100,000 USDC and received 50 million USR – 500 times more than they should have. The system did not verify anything.

After this incident, experts say that such single-key configurations are a classic target for both internal and external threats. It’s not a new phenomenon, but it highlights how important it is to pay attention to privileged accounts, which often remain off the security team's radar. Resolv stated that they are working with law enforcement and blockchain analytics firms to recover the assets. The project's TVL was $684 million in February, but before the hack, it had fallen to $95 million.
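The three missing controls named above (oracle check, amount validation, maximum limit) plus a multi-signature requirement, modeled as a pre-mint guard. This is an added example, not part of the original post and not Resolv's code; every name, threshold, signer id and the 1:1 oracle price is an assumption, and the rejected request is constructed from the figures in the post.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical policy values, chosen for illustration only.
MAX_DEVIATION = Decimal("0.005")       # tolerated deviation from the oracle price
MAX_MINT_PER_TX = Decimal("5000000")   # hard cap on a single mint
REQUIRED_APPROVALS = 2                 # M-of-N approvals instead of one key
AUTHORIZED_SIGNERS = frozenset({"signer-a", "signer-b", "signer-c"})


@dataclass(frozen=True)
class MintRequest:
    deposit_usdc: Decimal
    mint_usr: Decimal
    approvals: frozenset  # ids of signers that approved this request


def check_mint(req: MintRequest, oracle_usdc_per_usr: Decimal) -> list:
    """Return the violated rules; an empty list means the mint may proceed."""
    violations = []
    if req.deposit_usdc <= 0 or req.mint_usr <= 0:
        violations.append("non-positive amount")
    if oracle_usdc_per_usr <= 0:
        # Without a sane price no amount check is meaningful: fail closed.
        violations.append("invalid oracle price")
        return violations
    # Amount validation: the most USR this deposit can back at the oracle price.
    max_backed = req.deposit_usdc / oracle_usdc_per_usr * (1 + MAX_DEVIATION)
    if req.mint_usr > max_backed:
        violations.append("mint exceeds deposit value")
    if req.mint_usr > MAX_MINT_PER_TX:
        violations.append("mint exceeds per-transaction cap")
    # Only approvals from known signers count toward the threshold.
    if len(req.approvals & AUTHORIZED_SIGNERS) < REQUIRED_APPROVALS:
        violations.append("insufficient approvals")
    return violations


# Constructed from the post's figures: 100,000 USDC in, 50 million USR out, one key.
INCIDENT_LIKE = MintRequest(Decimal("100000"), Decimal("50000000"),
                            frozenset({"signer-a"}))
# Constructed well-formed request: 1:1 mint approved by two signers.
WELL_FORMED = MintRequest(Decimal("100000"), Decimal("100000"),
                          frozenset({"signer-a", "signer-b"}))

if __name__ == "__main__":
    print(check_mint(INCIDENT_LIKE, Decimal("1")))
    print(check_mint(WELL_FORMED, Decimal("1")))
```

Each rule rejects the incident-shaped request on its own, so a failure of any single control (for example a stolen key) does not by itself allow an unbacked mint.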