Resolv Hacker Attack: How a Single Key Leak Led to $23 Million in Illegal Minting

Written by: Chainalysis

Translated by: AididiaoJP, Foresight News

On March 22, 2026, the Resolv DeFi protocol became the latest example demonstrating how quickly the DeFi space can fall into crisis when security assumptions fail. Within just a few minutes, an attacker minted tens of millions of USR stablecoins without collateral backing and extracted approximately $25 million worth of assets, causing the USR price to sharply decouple, and the protocol was forced to halt operations.

At first glance, this appears to be another smart contract vulnerability incident. However, that is not the case. The way the code operates is fully consistent with its design.

In reality, this was an incident caused by over-reliance on off-chain infrastructure. As DeFi systems become increasingly complex and more dependent on external services, privileged keys, and cloud infrastructure, their attack surface has far exceeded the blockchain itself.

This article will review the event and its impact, and further discuss: when off-chain components are compromised, only real-time on-chain threat detection and response mechanisms can serve as a critical last line of defense, making a fundamental difference between controlled incidents and exploits that cause millions of dollars in losses.

Event Summary

The attacker first deposited a small amount of funds (about $100,000 to $200,000 USDC) and used this to interact with Resolv’s USR minting system. Under normal circumstances, depositing USDC would result in receiving an equivalent amount of USR. However, in this incident, the attacker successfully minted about 80 million USR tokens, far exceeding the reasonable amount supported by their deposit.

This happened because the mint approval process relied on an off-chain service that used a privileged private key to authorize the USR minting amount. The smart contract itself did not set any limit on the minting quantity — it only verified the validity of the signature.

After minting the uncollateralized USR, the attacker quickly converted it into staked version wstUSR, then gradually exchanged it for other stablecoins, and finally withdrew as ETH. By the end of the attack, the attacker had profited about $25 million worth of ETH. A large influx of uncollateralized USR into the market caused the token’s price to plummet by about 80%.

Once the event’s outcome was clear, the following analysis will explore how the design flaws in the minting process enabled this attack.

Normal Token Minting Process in Resolv

To understand the cause of this attack, it’s essential to grasp Resolv’s minting mechanism.

When a user wants to mint Resolv’s native token USR, the interaction is not with a fully autonomous on-chain process but involves a two-step off-chain process:

requestSwap — The user deposits USDC into the USR Counter contract and initiates a mint request.

completeSwap — An off-chain service controlled by a privileged key (SERVICE_ROLE) reviews the request and, via a callback to the contract, determines the final USR minting amount.

On the contract level, only a minimum USR output is specified, with no upper limit. There are no checks on the ratio between collateral deposited and USR minted, nor integration of price oracles, total supply caps, or maximum minting ratios. In other words, any amount signed by this key can be executed for minting.

Detailed Attack Steps

Step 1: Gaining access to Resolv’s AWS KMS environment

The attacker compromised Resolv’s cloud infrastructure, gaining access to the AWS Key Management Service environment used by the protocol, which stored the privileged signing keys. With control over the KMS environment, the attacker could use Resolv’s own minting keys to authorize arbitrary minting operations.

Step 2: Minting USR tokens

After obtaining the signing keys, the attacker initiated two swap requests, each supported by a small USDC deposit—totaling about $100,000 to $200,000, spread across multiple transactions. Then, the attacker used the SERVICE_ROLE key to call completeSwap, inputting inflated output amounts, thereby authorizing the minting of tens of millions of USR with only a small USDC input.

On-chain, two major transactions were identified:

• Minting 50 million USR

• Minting 30 million USR

These transactions collectively minted 80 million USR tokens, worth approximately $25 million.

Step 3: Using wstUSR to bypass liquidity constraints

The attacker then converted USR into wstUSR, a derivative token representing shares in a staking pool, whose value is not fixed relative to USR. By converting to wstUSR, the attacker avoided directly impacting the USR market, shifting their position into a less liquid but more interchangeable asset form.

Step 4: Cashing out and exiting

Based on wstUSR holdings, the attacker further exchanged into stablecoins, then converted to ETH, and used multiple decentralized exchanges and cross-chain bridges to transfer funds, maximizing withdrawal amounts and complicating tracing.

As of writing, the attacker’s address still holds:

• About 11,400 ETH (worth roughly $24 million)

• About 20 million wstUSR (valued at approximately $1.3 million after decoupling price)

Impact on USR Holders

This incident caused a direct and severe impact on USR holders.

The 80 million newly minted uncollateralized USR tokens entered liquidity pools on decentralized exchanges. The sudden surge in supply caused the USR’s peg to the dollar to collapse rapidly. The token briefly fell to $0.20, an 80% drop, then recovered somewhat within hours to around $0.56.

Following the event, Resolv Labs issued a statement suspending all protocol functions to prevent further losses and began investigating the breach. Given that the attacker was still attempting to mint more USR, prompt action to prevent further damage was critical, highlighting the importance of rapid response to such attacks.

A Sound Security Philosophy Must Be Based on “Assuming Vulnerabilities Will Occur”

Despite Resolv implementing all standard security measures and undergoing up to 18 security audits, this attack fundamentally boils down to a simple story: the attacker obtained the key, used it to illegally mint assets, and liquidated the assets before the relevant parties could detect the breach.

However, deeper analysis reveals how DeFi protocols inherit the security assumptions and risks embedded in their off-chain infrastructure. The on-chain smart contracts operate exactly as designed, but the overall system design and compromised off-chain infrastructure failed to meet necessary security standards.

In an environment where exploits can be completed within minutes and losses become apparent almost immediately, real-time monitoring and automated response mechanisms are no longer optional but essential safeguards.

Hexagate Prevention Case Study

The Resolv attack underscores the importance of real-time on-chain monitoring for detection. If Chainalysis Hexagate had been in place, the following two detection methods could have been effective:

Method 1: Monitoring abnormal minting events

By configuring Hexagate to monitor calls to the completeSwap function, it could identify cases where the USR minting amount is disproportionately large compared to the collateral deposited.

For example, a deposit of $100,000 USDC resulting in a mint of 50 million USR—an abnormal ratio far beyond normal user operations—could trigger an alert. Setting alert rules such as “if minting exceeds 1.5 times the normal ratio” would allow early detection of such transactions.

Hexagate’s custom monitoring could automatically trigger responses when detecting suspicious minting behavior, such as flagging or halting the contract.

Method 2: Combining GateSigner with custom controls on key contract events

Since the process involves sequential steps—requestSwap and completeSwap—each generating on-chain events, Hexagate’s GateSigner feature combined with event monitoring could be configured to automatically pause the contract upon detecting abnormal mint events, preventing the illegal minting of 80 million USR before any tokens enter the open market.