Resolv Labs Confirmed a $25M Exploit That Minted 80 Million Unbacked USR Tokens and Broke the Dollar Peg

A stablecoin that was trading at $1 fell to fractions of a cent in some pools. The mechanism behind it is worth understanding precisely.

How the Attack Worked

Resolv Labs confirmed a security exploit targeting the minting function of its USR stablecoin contract. The attack was executed in two stages. In the first, an attacker used approximately $100,000 worth of USDC to mint 50 million USR tokens through the protocol’s requestSwap and completeSwap functions, a ratio of roughly 500 to 1 between capital deployed and tokens generated. Security firm PeckShield identified a second transaction shortly after in which the attacker minted an additional 30 million USR, bringing the total unauthorized issuance to 80 million tokens.

Analysts from D2 Finance identified three potential vectors for the breach: a compromised oracle feeding incorrect price data into the minting function, a leaked off-chain signer whose credentials authorized the minting without legitimate backing, or a critical absence of amount validation during the minting process itself. Any of the three would have allowed the attacker to bypass the controls that should have prevented unbacked issuance at that scale. The investigation is ongoing and no single cause has been confirmed publicly.

The Depeg and What It Cost

The consequences of injecting 80 million unbacked tokens into USR’s liquidity infrastructure were immediate. USR fell from its $1.00 peg, trading as low as $0.257 on some platforms. In the USR/USDC pool on Curve Finance, where concentrated liquidity amplifies price impact, the token dropped to approximately $0.025 due to severe slippage as the attacker swapped the minted tokens into legitimate stablecoins.

The attacker successfully extracted at least $25 million by swapping the minted USR for USDC and USDT before converting that into approximately 11,422 ETH. The $100,000 in USDC used to initiate the exploit generated a return of at least $25 million, a 250x return on the capital deployed to execute the attack.

Resolv Labs stated that the protocol’s original collateral assets remained sufficient and were not directly stolen in the exploit. The damage came not from taking what was there but from creating what should not have been there and converting it into real value before the protocol could respond.

The Protocol Response and Market Fallout

Resolv Labs paused all protocol functions immediately after confirming the breach, halting further minting and limiting additional damage. The team stated it is investigating the exploit and attempting to recover the extracted funds, though recovery of funds converted into ETH and moved through DeFi infrastructure is historically difficult.

The fallout extended beyond Resolv’s own protocol. Euler Labs disabled USR and RLP collateral functionality across its platform. Venus Protocol suspended USR trading entirely to protect users from exposure to a depegged asset. Those responses reflect the interconnected nature of DeFi collateral infrastructure, where a stablecoin exploit in one protocol creates immediate risk for every protocol that accepted that stablecoin as collateral or a trading pair.

The exploit follows a pattern that has appeared repeatedly in DeFi security incidents. The vulnerability was not in the asset’s underlying collateral but in the contract logic governing how new tokens are issued. When minting functions lack sufficient validation, the backing requirement that gives a stablecoin its value can be bypassed entirely without touching the underlying reserves. The $100,000 entry cost and $25 million exit confirm how asymmetric that vulnerability can be when it goes undetected.

The post Resolv Labs Confirmed a $25M Exploit That Minted 80 Million Unbacked USR Tokens and Broke the Dollar Peg appeared first on ETHNews.