Resolv Labs Attacked, DeFi Projects Once Again Exploited
Resolv Labs, the issuer of the stablecoin USR using a Delta-neutral strategy, was hacked. An address starting with 0x04A2 created 50 million USR from the Resolv Labs protocol using 100,000 USDC.
After the incident was exposed, the USR price immediately dropped to around $0.25 before recovering to about $0.80 at the time of writing. The RESOLV token price also fell nearly 10% in a short period.
Subsequently, the hacker used a similar method to generate 30 million USR with 100,000 USDC. As USR’s value plummeted, arbitrage traders quickly acted, and many lending markets on Morpho supporting USR, wstUSR, and other collateral assets were nearly drained. Lista DAO on the BNB chain also paused new loan requests.
These lending protocols are not the only ones affected. Resolv Labs also allows users to create RLP tokens, which introduce greater price volatility and higher profits but also impose legal liabilities for losses incurred from the protocol. Currently, nearly 30 million RLP tokens are in circulation, with Stream Finance holding over 13 million tokens, representing a net risk of about $17 million.
Yes, Stream Finance, the company that suffered significant losses from xUSD, may soon face another shock.
As of this writing, the hacker has converted USR into USDC and USDT and continued buying Ethereum, acquiring over 10,000 ETH. Using 200,000 USDC, the hacker has recovered over $20 million in assets, finding their “100x profitable coin” in the bear market.
Once again, an exploit was possible due to “lack of robustness.”
The sharp decline on October 11 last year caused many Delta-neutral stablecoins to suffer collateral losses due to ADL (Automatic Deleveraging). Some projects using altcoins as collateral experienced even larger losses, with some disappearing entirely.
Resolv Labs, the project that was hacked this time, also used a similar mechanism to issue USR. The project announced in April 2025 that they had completed a seed round of $10 million led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, and launched the RESOLV token in late May and early June.
However, the reason Resolv Labs was hacked was not due to harsh market conditions but because the USR creation mechanism was “not sufficiently robust.”
No security firm or official agency has yet analyzed the cause of this attack. A preliminary analysis by DeFi community member YAM suggests the attacker likely gained control of SERVICE_ROLE, the role used by the protocol's auxiliary components to provide parameters to the minting contract.
According to Grok’s analysis, when users create USR, they initiate an on-chain request and call the requestMint function of the contract, with parameters including:
Then, users send USDC or USDT into the contract. The protocol’s auxiliary SERVICE_ROLE monitors the request, using the Pyth oracle to verify the value of the sent assets, then calls completeMint or completeSwap to determine the actual amount of USR created.
The problem lies in the contract's complete trust in the _mintAmount provided by SERVICE_ROLE, on the assumption that this number has already been verified off-chain against Pyth. The contract neither sets an upper limit nor checks the amount against an on-chain oracle; it directly executes mint(_mintAmount).
Based on this, YAM suspects the hacker gained control of SERVICE_ROLE, which should be controlled by the project team (possibly due to internal oracle system issues, internal theft, or key theft), and directly set _mintAmount to 50 million during the fake minting process, thus creating 50 million USR with 100,000 USDC.
Finally, Grok concludes that Resolv failed to consider that the address (or contract) used to receive user requests for USR creation could be controlled by hackers when designing the protocol. When the create USR request is sent to the final minting contract, no maximum mint amount is set, and the contract does not use an on-chain oracle for secondary verification. Instead, it blindly trusts all parameters provided by SERVICE_ROLE.
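Added example, not code from Resolv Labs or from the original article: a Python model of the request/complete mint flow described above, showing the trusting completion next to one that enforces a per-request cap and an on-chain oracle bound. The class and method names, the cap, and the 1% tolerance are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

PRICE_SCALE = 10**8  # fixed-point scale for the oracle price (assumed)

class Revert(Exception):
    """Stands in for an on-chain revert: state is left unchanged."""

@dataclass
class MintVault:
    service_role: str                      # address holding SERVICE_ROLE
    oracle_price: int = 1 * PRICE_SCALE    # on-chain USD price of the deposit asset
    max_deviation_bps: int = 100           # 1% tolerance over oracle value (hypothetical)
    max_mint_per_request: int = 1_000_000  # hard cap per request (hypothetical)
    deposits: dict = field(default_factory=dict)
    total_minted: int = 0

    def request_mint(self, req_id: int, deposit: int) -> None:
        """User side: record the stablecoin deposit backing this request."""
        self.deposits[req_id] = deposit

    def _take_request(self, caller: str, req_id: int) -> int:
        if caller != self.service_role:
            raise Revert("caller lacks SERVICE_ROLE")
        if req_id not in self.deposits:
            raise Revert("unknown or already completed request")
        return self.deposits[req_id]

    def complete_mint_trusting(self, caller: str, req_id: int, mint_amount: int) -> int:
        """Flow as the analysis describes it: the role check is the only control."""
        self._take_request(caller, req_id)
        del self.deposits[req_id]
        self.total_minted += mint_amount   # amount is whatever the caller supplied
        return mint_amount

    def complete_mint_checked(self, caller: str, req_id: int, mint_amount: int) -> int:
        """Same flow, but the contract re-derives an upper bound on-chain."""
        deposit = self._take_request(caller, req_id)
        if mint_amount > self.max_mint_per_request:
            raise Revert("mint exceeds per-request cap")
        fair = deposit * self.oracle_price // PRICE_SCALE
        if mint_amount * 10_000 > fair * (10_000 + self.max_deviation_bps):
            raise Revert("mint exceeds oracle value of deposit")
        del self.deposits[req_id]
        self.total_minted += mint_amount
        return mint_amount
```

With the checked variant, a holder of SERVICE_ROLE can still complete requests, but the most it can mint per request is bounded by the deposit's on-chain value and the cap.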
Preventive measures are also insufficient.
Besides hypothesizing about the cause of the cyberattack, YAM also points out the project’s lack of preparedness in crisis management.
YAM stated on X that Resolv Labs only paused the protocol for three hours after the initial attack, with about an hour needed to gather the four signatures required for multi-signature transactions. YAM believes that emergency pause should only require one signature, and this authority should be delegated to team members or trusted external operators whenever possible. This would enhance awareness of on-chain anomalies, improve rapid pause capabilities, and better cover different time zones.
Although proposing to pause a protocol with just one signature seems extreme, requiring multiple signatures from different time zones to pause a protocol could cause significant delays in emergencies. Introducing a trusted third party to continuously monitor on-chain activity or using monitoring tools with emergency pause rights are lessons learned from this incident.
Hacker attacks on DeFi protocols have long been limited to contract vulnerabilities. The Resolv Labs incident serves as a warning to project teams: protocol security assumptions must consider that no part of the protocol can be fully trusted, and all parameter links should undergo at least two layers of verification, even on the server side operated by the project team.