Exchanged 200,000 for nearly 100 million, DeFi stablecoins are under attack again.


Written by: Eric, Foresight News

Around 10:21 AM Beijing time today, Resolv Labs, which issues the stablecoin USR using a Delta neutral strategy, was hacked. An address starting with 0x04A2 minted 50 million USR from the Resolv Labs protocol using 100,000 USDC.

As the incident came to light, USR dropped to around $0.25, recovering to about $0.80 at the time of writing. The RESOLV token price experienced a temporary drop of nearly 10%.

Subsequently, the hacker replicated the method and minted 30 million USR using another 100,000 USDC. With the significant de-pegging of USR, arbitrage traders acted quickly, and many lending markets on Morpho that supported USR, wstUSR, and other collateral types were nearly depleted. Lista DAO on the BNB Chain also suspended new loan requests.

The impact is not limited to these lending protocols. In the design of the Resolv Labs protocol, users can also mint an RLP token, which carries greater price volatility and higher yields but absorbs the loss if the protocol incurs one. Currently, nearly 30 million RLP tokens are in circulation; the largest holder, Stream Finance, holds over 13 million RLP, a net risk exposure of approximately $17 million.

Indeed, Stream Finance, which previously suffered from the xUSD incident, may be hit again.

As of the time of writing, the hacker has converted USR into USDC and USDT and continues to buy Ethereum, having acquired over 10,000 ETH. They have extracted over $20 million in assets using 200,000 USDC, finding their “hundredfold coin” during the bear market.

Once Again Exploited Due to “Lack of Rigor”

The market crash on October 11 last year caused many stablecoins issued using Delta neutral strategies to suffer collateral losses through ADL (automatic deleveraging). Some projects that ran the strategy on altcoins faced even more severe losses or went bankrupt outright.

The attacked Resolv Labs also issued USR using a similar mechanism. The project announced in April 2025 that it had completed a $10 million seed round led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, and launched the RESOLV token at the end of May and early June.

However, Resolv Labs was attacked not because of extreme market conditions, but because of a “lack of rigor” in the design of the USR minting mechanism.

So far, no security firm or official source has published an analysis of the cause of this hacking incident. The DeFi community YAM concluded from its own analysis that the attack was likely due to the SERVICE_ROLE, which supplies parameters to the minting contract from the protocol backend, being compromised by the hacker.

According to Grok’s analysis, when users mint USR, they initiate a request on-chain and call the contract’s requestMint function, with parameters including:

_depositTokenAddress: the address of the deposited token;

_amount: the deposit amount;

_minMintAmount: the minimum expected amount of USR to receive (to prevent slippage).

Afterward, users deposit USDC or USDT into the contract, and the project’s backend SERVICE_ROLE monitors the request, uses the Pyth oracle to check the value of the deposited assets, and then calls the completeMint or completeSwap function, which determines the actual amount of USR minted.

The problem is that the minting contract fully trusts the _mintAmount provided by the SERVICE_ROLE, on the assumption that the number has already been verified off-chain against Pyth. No upper limit was set and no on-chain oracle verification was performed; the contract simply executed mint(_mintAmount).

As such, YAM suspects that the hacker controlled the SERVICE_ROLE, which should have been controlled by the project team (possibly due to internal oracle failure, collusion, or key theft), and set _mintAmount directly to 50 million during minting, achieving the attack of minting 50 million USR with 100,000 USDC.

Ultimately, Grok concluded that when designing the protocol, Resolv did not consider the possibility that the address (or contract) receiving user minting requests could be controlled by hackers. It set no maximum mint amount when submitting minting requests to the contract that finally mints USR, and it did not have the minting contract perform a secondary verification against an on-chain oracle, instead trusting every parameter provided by the SERVICE_ROLE.

Prevention Measures Were Also Lacking

In addition to speculating on the reasons for the hack, YAM also pointed out the project’s insufficient preparedness in responding to crises.

YAM stated on X that Resolv Labs did not pause the protocol until three hours after the hacker’s initial attack, with about one hour of that delay spent collecting the four signatures required for a multisig transaction. YAM believes that an emergency pause should require only one signature, and that pause permissions should be distributed as widely as possible among team members or trusted external operators; this would sharpen attention to on-chain anomalies, increase the likelihood of a rapid pause, and better cover different time zones.

While the suggestion that a single signature should suffice to pause the protocol is somewhat radical, requiring multiple signatures from signers spread across time zones could indeed delay a critical pause in an emergency. Bringing in reliable third parties to continuously monitor on-chain behavior, or using monitoring tools that hold emergency pause permissions on the protocol, are the lessons of this incident.

Hacker attacks on DeFi protocols have long gone beyond contract vulnerabilities. The warning for project teams from the Resolv Labs incident is that a protocol’s security assumptions should not trust any single link: every step that involves parameters must undergo at least a secondary verification, including the backend operated by the project team itself.
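As an added illustration (not Resolv’s code), the following Solidity sketch shows the two-step minting flow described above with the checks the article says were missing: completeMint bounds the backend-supplied _mintAmount by an on-chain valuation of the deposit plus a hard per-request cap, and a single guardian key can pause minting while only the admin multisig can unpause. The IPriceOracle and IStableToken interfaces, the role addresses, the 1% tolerance and the 5,000,000 cap are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interfaces (example only): an on-chain price adapter that values `amount` base
// units of `token` in USD with 18 decimals, and the mintable stablecoin.
interface IPriceOracle { function valueUsd18(address token, uint256 amount) external view returns (uint256); }
interface IStableToken { function mint(address to, uint256 amount) external; }

contract HardenedMinter {
    struct MintRequest { address user; address token; uint256 amount; uint256 minMintAmount; bool done; }

    address public immutable serviceRole;   // backend operator (the SERVICE_ROLE from the article)
    address public immutable guardian;      // single key that may pause, but never unpause
    address public immutable admin;         // multisig that unpauses
    IPriceOracle public immutable oracle;
    IStableToken public immutable usr;
    uint256 public constant MAX_PREMIUM_BPS = 100;               // backend may exceed oracle value by at most 1%
    uint256 public constant MAX_MINT_PER_REQUEST = 5_000_000e18; // hard cap regardless of what the backend says
    bool public paused;
    MintRequest[] public requests;

    constructor(address _service, address _guardian, address _admin, IPriceOracle _oracle, IStableToken _usr) {
        serviceRole = _service; guardian = _guardian; admin = _admin; oracle = _oracle; usr = _usr;
    }

    // One key is enough to halt minting immediately; lifting the pause needs the admin multisig.
    function pause() external { require(msg.sender == guardian || msg.sender == admin, "not guardian"); paused = true; }
    function unpause() external { require(msg.sender == admin, "not admin"); paused = false; }

    // Step 1: the user records the request (same parameters the article lists).
    // Pulling the deposit via transferFrom is omitted to keep the example short.
    function requestMint(address _depositTokenAddress, uint256 _amount, uint256 _minMintAmount) external returns (uint256 id) {
        require(!paused, "paused");
        requests.push(MintRequest(msg.sender, _depositTokenAddress, _amount, _minMintAmount, false));
        return requests.length - 1;
    }

    // Step 2: the backend completes the request. The exploited pattern executed mint(_mintAmount)
    // outright; here the number is bounded on-chain before anything is minted.
    function completeMint(uint256 id, uint256 _mintAmount) external {
        require(!paused, "paused");
        require(msg.sender == serviceRole, "not SERVICE_ROLE");
        MintRequest storage r = requests[id];
        require(!r.done, "already completed");
        r.done = true;
        uint256 maxByOracle = oracle.valueUsd18(r.token, r.amount) * (10_000 + MAX_PREMIUM_BPS) / 10_000;
        require(_mintAmount <= maxByOracle, "mint exceeds oracle value of deposit");
        require(_mintAmount <= MAX_MINT_PER_REQUEST, "mint exceeds per-request cap");
        require(_mintAmount >= r.minMintAmount, "below user's minimum");
        usr.mint(r.user, _mintAmount);
    }
}
```

With these checks, a compromised SERVICE_ROLE submitting 50,000,000 against a 100,000 USDC deposit fails the oracle bound, and the cap alone would also reject it.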
