Resolv's USR Stablecoin Loses Dollar Peg After Attacker Mints $80M in Unbacked Tokens, Drains Roughly $25M
March 22, 2026 | Verse Press
An attacker exploited a critical access control flaw in the Resolv protocol early Sunday morning, minting 80 million unbacked USR tokens with as little as $100,000 to $200,000 in deposited collateral and extracting an estimated $23 million to $25 million before the team could respond. (The Block reported approximately $25 million; other outlets, including CoinSpectator, cited $23 million.) The breach sent USR, a dollar-pegged stablecoin backed by ETH, crashing 97.5% to $0.025 on Curve Finance within 17 minutes of the first transaction. Resolv Labs subsequently paused all protocol functions. The protocol had held more than $500 million in total value locked prior to the incident.
How the Attack Worked
Resolv issues USR through a delta-neutral strategy: users deposit ETH as collateral, and the protocol hedges that exposure using short perpetual futures positions, allowing it to maintain a stable $1 value per token without holding fiat reserves. A secondary token, RLP (Resolv Liquidity Pool token), acts as a risk-absorbing buffer, protecting USR holders from market volatility and hedging losses.
The attacker did not target the collateral itself. Instead, they exploited the protocol's minting mechanism through a "service role," a privileged function that authorized the creation of new USR tokens. Security researchers confirmed that this role was controlled by a single externally owned account (EOA), meaning a standard private key with no additional safeguards, rather than a multisig wallet requiring multiple signatories to approve transactions. The role also had no maximum mint cap and no oracle price validation to verify that new tokens corresponded to real collateral.
The attacker used Resolv's requestSwap function, depositing roughly 100,000 USDC and receiving approximately 49.95 million USR in return, a 500-to-1 discrepancy against deposited value. A second transaction added another 30 million USR. PeckShield, a blockchain security firm, confirmed the 80-million-token supply shock on-chain.
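The three safeguards reported missing above (a quorum instead of a single key, a mint cap, and a check of the minted amount against collateral value) can be sketched as a validator that runs before a swap is completed. This is an added example, not Resolv's code; every name, limit and sample value in it is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical policy values, chosen only for this illustration.
MAX_MINT_PER_REQUEST = Decimal("5000000")  # hard cap on USR minted per completion
MAX_PRICE_DEVIATION = Decimal("0.005")     # 0.5% tolerance around the oracle value
REQUIRED_APPROVALS = 2                     # k-of-n signers instead of one EOA
AUTHORIZED_SIGNERS = frozenset({"signer-a", "signer-b", "signer-c"})


@dataclass(frozen=True)
class SwapRequest:
    request_id: int
    deposited: Decimal         # collateral units recorded when the request was made
    oracle_price_usd: Decimal  # USD value of one collateral unit, from the oracle


def validate_completion(req, mint_amount, approvals):
    """Return the names of failed checks; an empty list means the mint may proceed."""
    failures = []
    # 1. Quorum: one compromised key must not be enough to mint.
    if len(set(approvals) & AUTHORIZED_SIGNERS) < REQUIRED_APPROVALS:
        failures.append("quorum")
    # 2. Cap: bound the damage of any single completion.
    if mint_amount <= 0 or mint_amount > MAX_MINT_PER_REQUEST:
        failures.append("cap")
    # 3. Consistency: minted USR (pegged at $1) must match the recorded deposit.
    backed = req.deposited * req.oracle_price_usd
    if mint_amount > backed * (1 + MAX_PRICE_DEVIATION):
        failures.append("collateral")
    return failures


def demo():
    """Run the validator over constructed completions, one shaped like the incident."""
    req = SwapRequest(1, Decimal("100000"), Decimal("1.0"))  # ~100,000 USDC deposit
    two = {"signer-a", "signer-b"}
    return {
        "honest": validate_completion(req, Decimal("100000"), two),
        "incident_shape": validate_completion(req, Decimal("49950000"), {"signer-a"}),
        "under_cap_unbacked": validate_completion(req, Decimal("200000"), two),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(name, "->", failed or "ok")
```

The checks are independent on purpose: the under-cap case passes the quorum and the cap and is still rejected, because only the collateral check ties the minted amount to the deposit recorded at request time.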
Exit and Aftermath
With 80 million artificially minted tokens in hand, the attacker moved quickly. Proceeds were dumped across KyberSwap and Velora, converting into more than $17 million in USDC and USDT, with roughly 9,100 ETH (approximately $4.55 million at current prices) also extracted. The total haul across both stablecoins and ETH is estimated at around $25 million. The attack window ran from approximately 2:21 AM to 2:38 AM UTC.
Resolv Labs confirmed the breach in a statement posted to X: "The team has currently paused all the protocol functions to prevent further malicious actions and is actively working on recovery." The team also said that no underlying collateral assets were lost and that the breach was confined to the USR issuance mechanism. As of the time of reporting, USR had partially recovered to approximately $0.85 to $0.87, still 13 to 15 percent below its dollar peg. The USR/USDC pool on Curve Finance recorded $3.6 million in 24-hour trading volume.
Analysts at D2 Finance outlined three possible explanations: the protocol's oracle was manipulated, the off-chain signing key was compromised, or the system simply lacked validation to ensure that the amount requested and the amount completed in a swap were consistent. "Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing," the firm said, according to reporting by CoinTelegraph.
A Familiar Vulnerability Pattern
The access control flaw at the center of this attack is not new to DeFi. Between January and June 2025, leakage of administrative privileges caused an estimated $48 million in losses across five major protocols, according to security firm Hacken and analysis published by BeInCrypto. Security firms including Hacken and Halborn have consistently warned that privileged operations controlled by a single private key represent an unacceptable risk in production systems. According to analysts at firms including Hacken, the emerging consensus in the security community is direct: minting authority and upgrade functions should require multisig approval, and sensitive operations should pass through timelocks that allow time for intervention if something goes wrong.
Regional Stakes
For users across South Asia and Africa, this incident carries direct financial weight. India ranks first, Nigeria second, and Pakistan eighth in the 2026 Global Crypto Adoption Index. Stablecoin-driven crypto volumes in South Asia grew 80 percent to $300 billion in the first half of 2025 alone. In Pakistan, stablecoins function as key inflation hedges and remittance vehicles. In Nigeria, stablecoin transactions totaled $22 billion between July 2023 and June 2024, and stablecoins now account for 43 percent of all crypto transaction volume across Sub-Saharan Africa, where year-over-year growth reached 180 percent. Ethiopia (ranked tenth), Kenya (thirteenth), and Ghana (twentieth) also appear in the top 20 of the 2026 Global Crypto Adoption Index, reflecting the breadth of stablecoin adoption across the continent.
For many users in these markets, dollar-pegged tokens are not primarily speculative instruments. They serve as inflation hedges, remittance rails, and business settlement tools in economies where local currencies face sustained depreciation pressure. A 97.5% depeg, even a temporary one, can represent a genuine financial emergency for a merchant settling invoices or a freelancer holding savings in a stablecoin.
What Comes Next
As of publication, Resolv Labs had not yet published a detailed post-mortem or outlined a timeline for resuming protocol operations. Whether RLP holders, whose tokens are designed to absorb protocol losses as a risk-bearing buffer, will see that mechanism activated to compensate affected users remains unclear. Regulators in Nigeria, India, and other high-adoption markets have been debating appropriate oversight frameworks for synthetic and algorithmic stablecoins, and this incident is likely to intensify that conversation. For developers building or integrating stablecoin infrastructure across these regions, the key technical lesson is clear: a completed smart contract audit is not, on its own, a substitute for sound access control design. Resolv had reportedly undergone smart contract audits, though the exploited minting mechanism apparently fell outside their scope, according to analysts familiar with the incident.