Hacker Drained $25 Million on a Sunday Morning
On Sunday, March 22, 2026, the Resolv USR protocol was hit by one of the more technically sophisticated attacks in the DeFi sector this year. The attacker began by depositing a modest $100,000 in USDC via the requestSwap function in the USR Counter contract – and received back approximately 50 million unbacked USR tokens, according to analyses from crypto fund D2 Finance. This corresponds to a 500x multiplier on the deposit.
The attacker then minted an additional 30 million USR, bringing the total number of fake tokens to 80 million. These were quickly exchanged for USDC, USDt, and finally Ether via decentralized exchanges like Curve and Uniswap – a rapid and aggressive withdrawal strategy that immediately destabilized the price mechanism.

What Went Wrong?
The cause of the vulnerability has not yet been definitively confirmed, but several actors point in the same direction. DeFi analysis profile YAM indicates in a preliminary analysis that the attacker likely gained control over the SERVICE_ROLE function, which supplies parameters to the minting contract. This allowed the attacker to bypass the normal validation checks between the minting request and its execution.
Security firm Pashov, which conducted an audit of Resolv's staking module in July 2025, leans towards the root cause being an operational security error – possibly a compromised private key pair – rather than a fundamental design weakness in the protocol. D2 Finance also mentions the possibility of a manipulated oracle or a compromised off-chain signing instance.
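If a privileged off-chain role supplies the mint amount, an independent check that every completed mint is backed by its deposit is what catches a mismatch like the one reported here. The sketch below is an added example, not Resolv's code: the record types, the 18-decimal USR unit and the 1% tolerance are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

USDC_DECIMALS = 6        # USDC uses 6 decimals
USR_DECIMALS = 18        # assumption for this example
TOLERANCE_BPS = 100      # assumed policy: minted value within 1% of the deposit

@dataclass(frozen=True)
class Request:           # hypothetical record of a requestSwap deposit
    request_id: int
    usdc_raw: int

@dataclass(frozen=True)
class Completion:        # hypothetical record of the privileged mint step
    request_id: int
    usr_raw: int

def audit_mints(requests, completions):
    """Return (request_id, reason, minted/expected multiplier) per violation."""
    deposits = {r.request_id: r.usdc_raw for r in requests}
    done, alerts = set(), []
    for c in completions:
        if c.request_id not in deposits:
            alerts.append((c.request_id, "mint without deposit request", None))
            continue
        if c.request_id in done:
            alerts.append((c.request_id, "request completed twice", None))
            continue
        done.add(c.request_id)
        # Scale the deposit to USR units: 1 USDC should back 1 USR.
        expected = deposits[c.request_id] * 10 ** (USR_DECIMALS - USDC_DECIMALS)
        if abs(c.usr_raw - expected) * 10_000 > expected * TOLERANCE_BPS:
            multiplier = c.usr_raw / expected if expected else float("inf")
            alerts.append((c.request_id, "minted amount not backed by deposit", multiplier))
    return alerts

# Constructed sample data; the amounts for request 1 follow the figures reported above.
SAMPLE_REQUESTS = [Request(1, 100_000 * 10**6), Request(2, 1_000 * 10**6)]
SAMPLE_COMPLETIONS = [
    Completion(1, 50_000_000 * 10**18),   # 500x the deposit
    Completion(2, 1_000 * 10**18),        # correctly backed
    Completion(2, 1_000 * 10**18),        # replayed completion
    Completion(7, 5 * 10**18),            # no matching request
]

if __name__ == "__main__":
    for alert in audit_mints(SAMPLE_REQUESTS, SAMPLE_COMPLETIONS):
        print(alert)
```

The same bound enforced inside the minting contract itself would cap what a compromised signer can issue, rather than only reporting it afterwards.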

Dramatic Depeg and Chaotic Market Reaction
As the fake tokens began to dump onto the market, the USR price collapsed. On Curve Finance, the price hit a low of 2.5 cents – a drop of nearly 97.5 percent from its dollar peg. Other platforms showed prices between 14 and 25 cents during the worst moments. According to reports from The Defiant, the token recovered somewhat – to between 42 and 87 cents depending on the platform and time – but remained far below its intended value of one dollar.
Protocols Lido, Morpho, and Aave, all of which had exposure to USR, reacted quickly by pausing markets or isolating vaults to limit further contagion.

Resolv Labs: Collateral Holdings Intact
Resolv Labs confirmed the attack and immediately paused all protocol functions. In a statement, the team emphasized that the collateral holdings "remain fully intact," and that the problem was "isolated to the USR issuance mechanics." According to the company, the loss is related to the creation of unbacked tokens, not to the draining of existing collateral.
The team states that they are working on an investigation and a recovery plan, but as of the publication date, no formal post-mortem or concrete roadmap towards repeg has been presented.

Recovery Will Be Challenging
The prospects of recovering the funds are limited. The attacker quickly converted the stolen assets to ETH, making direct reversal virtually impossible without active cooperation from centralized exchanges or bridge operators. USR holders are warned to treat the token as highly risky until clarity emerges regarding a credible path back to the dollar peg.



