- An attacker exploited Resolv Labs’ USR minting system to create 80 million unbacked tokens in two transactions, using roughly US$200,000 in initial capital.
- The exploit crashed USR from its US$1 peg to as low as US$0.025 on Curve Finance, with the attacker extracting approximately US$24 million in ETH before protocol functions were paused.
- Security firms disagree on the root cause, and some identified three possible vectors, including a gamed oracle or missing validation checks.
An attacker minted 80 million unbacked USR stablecoins within 17 minutes early Sunday, exploiting a flaw in Resolv Labs’ issuance system and pushing the token as low as US$0.025 (AU$0.035) on Curve.
The exploit allowed roughly US$200,000 (AU$286K) in USDC to generate more than 500 times the expected value. Two mint transactions were executed at 2:21 AM UTC and shortly after, before the activity was detected at 2:38 AM UTC.
Resolv Labs said it paused all protocol functions and is working on recovery. The team stated that collateral backing the system remains intact and that the issue was limited to minting mechanics, a claim questioned by security researchers.
Read more: Bitcoin Hash Rate Drops as Energy Shock Triggers Miner Pressure
Root Cause Disputed
The attacker converted the minted USR into an estimated 9,100 to 11,409 ETH and retains about US$1.1 million (AU$1.56 million) in wrapped USR. Around 36.74 million USR continues to be sold across decentralised exchanges.
Security analysis points to failures in access control and validation. Pashov Security attributed the incident to a private key compromise tied to a privileged “service role” that was controlled by a single externally owned address rather than a multisignature wallet.
Other analysts identified missing oracle verification and the absence of mint limits as contributing factors. Additional scenarios include manipulation of price feeds or gaps between swap request and completion checks.
The rapid increase in supply overwhelmed market demand and broke the token’s dollar peg. Losses were concentrated among users who acquired USR near US$1 (AU$1.42) before the collapse.
DeFi protocols Scramble
Multiple DeFi protocols moved to contain exposure. Euler paused USR-related strategies, Venus halted trading, Lista suspended markets, and Fluid isolated affected vaults. Morpho reported no direct vulnerability but confirmed liquidations in vaults holding USR. Even Ledger’s CTO had a few words about the exploit, calling it bad debt.
USR’s ‘total value locked’ had already fallen from about US$400 million (AU$568 million) in early February to roughly US$100 million (AU$142 million) before the incident. The RESOLV governance token declined 6% to US$0.054 (AU$0.077).
The value extracted in the exploit exceeds the US$26.5 million (AU$37.6 million) in total DeFi losses recorded across February 2026.
Related: Ancient Bitcoin Whales Move Millions as Middle East Tensions Shake Markets
DeFi,Stablecoins#USR #Stablecoin #Crashes #Exploit #Millions #Unbacked #Tokens #Flood #Market1774258657
