- Resolv Labs’ USR stablecoin plummeted after a private key exploit.
- The attacker minted 80 million USR tokens using less than $200,000 in collateral.
- Vault curators on Morpho with exposure to USR also suffered damages.
On Sunday, the decentralised finance protocol Resolv Labs revealed that the minting process for its native stablecoin had been exploited.
The attacker created 80 million in unbacked USR tokens after gaining access to the project’s private keys, Resolv Labs said Monday morning.
With those tokens minted, the attacker then swapped the USR tokens for staked versions and swapped them for Circle’s dollar-pegged stablecoin before using those holdings to buy Ether.
All in all, they made off with roughly $23 million in Ether, according to onchain data, and left USR tokenholders in the lurch.
CoinGecko shows that the USR stablecoin is now trading below $0.4, having fallen as low as $0.02.
The project’s mint and redeem functions have been turned off to mitigate further damage, the Resolv team said.
Resolv Labs’ stablecoin maintains its peg by leveraging trading strategies that balance long and short positions across volatile assets.
When users deposit Ether to mint USR, the protocol simultaneously opens equal short positions — bets the price of Ether will drop — so that no matter the asset’s volatility, the USR token is balanced.
The latest exploit, however, had little to do with this mechanism.
Private key exploit
The exploiter at Resolv Labs was able to mint 80 million USR tokens using between $100,000 and $200,000 in collateral after compromising the project’s private keys, according to Chainalysis.
They were able to override the protocol’s logic after accessing Resolv’s key management service on Amazon Web Services.
This notice is issued on behalf of Resolv Digital Assets Ltd. in relation to the Resolv protocol.
Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure through compromised private key, resulting in the minting of approximately $80M of…
— Resolv Labs (@ResolvLabs) March 22, 2026
Private keys are a critical component of smart contracts, as they allow holders to perform actions they want, such as minting millions of a specific token.
The mint contract had no oracle or max mint checks in place to prevent this action, according to the co-founder of AI-enabled onchain explorer Herd, Andrew Whong.
Interoperability strikes back
Resolv Labs and USR holders weren’t the only victims of the exploit.
Various protocols that had integrated the stablecoin were also hit hard, namely those using a curator model to generate yield for their users.
Morpho Labs, a lending protocol that uses a curator model, provided a stark example of how exploits like Resolv’s can ripple across DeFi.
The Morpho protocol allows third-party managers to customise their lending pools and establish their own security parameters and token listings. These managers are called curators.
The risk falls on the curators of these pools rather than Morpho, should something go wrong.
“I want to reiterate that there is no vulnerability in Morpho contracts. They are safe and operating as intended,” Merlin Egalite, a confounder at Morpo, said on Monday.
“For guidance on vaults that may have exposure to USR or Resolv-related assets, we recommend following the relevant curator communications.”
Gauntlet, Re7 Labs, kpk, and 9summits were Morpho curators that had created customised pools — called vaults — with exposure to USR.
In some cases, these curators had automated liquidity services that continued to provide liquidity to their USR vaults hours after the exploit, further aggravating damages, the founder of Chaos Labs, Omer Goldberg, said.
In total, roughly 15 vaults with more than $10,000 in liquidity were impacted by the Resolv exploit, said Morpho co-founder Paul Frambot.
“Curators have responded quickly to a challenging situation with the Morpho team assisting where needed,” he said.
“That said, we will continue working with curators to further improve the tools available to help them through future events.”
Liam Kelly is DL News’ Berlin-based DeFi correspondent. Have a tip? Get in touch at liam@dlnews.com.
