Resolv’s USR stablecoin has depegged sharply after a major exploit laid bare fundamental flaws in the protocol, leaving it heavily undercollateralized.
The platform now holds roughly $95 million in assets against $173 million in liabilities, putting it in a position of effective insolvency. USR is currently trading around $0.27, down about 72% over the past week and far below its intended $1 peg.
The incident occurred around 2:21 a.m. UTC on Sunday, when an attacker exploited a vulnerability in the minting contract. By abusing the flaw, the attacker minted approximately 80 million unbacked USR tokens across two transactions and extracted roughly $25 million, according to onchain data and blockchain security firms.
The attacker then rapidly exited positions, swapping USR into USD Coin and Tether on decentralized exchanges before converting the proceeds into Ethereum. The funds are now held in wallets containing around 11,409 ETH—valued at roughly $23.7 million—along with $1.1 million in wrapped USR.
USR, which uses a delta-neutral hedging model backed by ETH and BTC, saw its price collapse to as low as $0.025 within minutes on its most liquid pool on Curve Finance. Although it briefly rebounded to around $0.85, it has failed to regain its peg.
Design weaknesses exposed
While the Resolv team initially blamed a compromised private key and targeted infrastructure breach, further analysis pointed to deeper architectural issues.
At the center of the failure was the SERVICE_ROLE—a privileged function within the minting contract responsible for processing swaps—which was controlled by a single externally owned account instead of a multi-signature wallet. The contract also lacked key safeguards such as oracle price checks, mint caps and transaction validation.
This allowed the attacker to deposit just 100,000 USDC and receive 50 million USR in return—roughly 500 times the expected amount—without triggering any alarms.
Ido Sofer, founder of Sodot, said such centralized control points are often overlooked risks. He added that attackers are increasingly targeting sensitive credentials—like developer keys and API access—that don’t directly custody funds but can still enable exploits.
Falling TVL and uncertain recovery
According to DeFiLlama, Resolv’s total value locked peaked near $684 million in February 2025 before steadily declining to around $95 million prior to the exploit, reflecting waning confidence even before the attack.
Resolv said it is working with law enforcement and blockchain analytics firms to trace the stolen funds and pursue recovery. The team has also urged users to avoid trading USR during this period, warning that post-exploit activity could impact recovery efforts.
With liabilities far exceeding assets and confidence severely shaken, restoring USR’s peg appears increasingly unlikely in the near term.
