Resolv Labs Loses $25M in USR Exploit on March 22
Resolv Labs paused operations on March 22, 2026, after an attacker exploited an AWS key to mint $25 million in unbacked USR tokens. The stablecoin depegged immediately.
- The exploit was not a smart contract code bug, but a failure of off-chain infrastructure security (compromised AWS KMS key).
- The attacker achieved an approximate 83x to 250x return on their initial $100k-$200k collateral deposit.
- The incident highlights a recurring systemic risk in DeFi: delegating critical financial logic (minting authority) to off-chain actors without on-chain validation.
What Happened
The USR stablecoin plummeted from $1 to $0.025 on March 22, 2026, before partially recovering to approximately $0.56 (Binance Square). An attacker compromised a privileged private key stored in an AWS Key Management Service (KMS) environment (Chainalysis). The attacker deposited approximately $100,000 to $200,000 in USDC to mint 80 million unbacked USR tokens, which were subsequently swapped for ETH, resulting in a theft of roughly $25 million. Resolv Labs paused all protocol operations immediately after detecting the unauthorized minting activity (Bitcoin.com).
Background
This incident highlights a recurring systemic risk in DeFi: delegating critical financial logic (minting authority) to off-chain actors without on-chain validation. Similar exploits have occurred where infrastructure security failed rather than smart contract code. The exploit was not a smart contract code bug, but a failure of off-chain infrastructure security (compromised AWS KMS key) (The Defiant).
The Bull Case
The Resolv Labs team stated that the protocol's collateral pool remains intact and that they have initiated a redemption process for USR minted prior to the incident to protect legitimate users. This suggests the core economic value for pre-exploit holders may be preserved if the redemption succeeds.
The Bear Case
Andrew Whong (Co-founder, Herd) criticized the lack of on-chain safeguards, noting the minting contract had no oracle checks, amount validation, or maximum mint limits. Omer Goldberg (Founder, Chaos Labs) highlighted that automated liquidity services continued to provide liquidity to USR vaults hours after the exploit, exacerbating the damage for some users.
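The three safeguards named above (an oracle check, amount validation, and a maximum mint limit) can be modelled to show what each would reject even when the request carries a valid signature from a stolen key. This is an added Python sketch, not Resolv's contract code; the class name, cap values, one-hour window, and 1% tolerance are assumptions, and the requests are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class MintGuard:
    """Models checks a mint function could enforce itself, independent of the signer."""
    max_per_mint: Decimal                        # hard cap on a single mint (assumed value)
    max_per_window: Decimal                      # cap on total minted in one rolling window
    window_seconds: int
    max_deviation: Decimal = Decimal("0.01")     # tolerated gap between mint and collateral value
    history: list = field(default_factory=list)  # (timestamp, amount) of accepted mints

    def check(self, now, collateral, oracle_price, requested):
        """Return (accepted, reason). The request signature is deliberately not an input:
        a correctly signed request must still pass every check below."""
        collateral, oracle_price, requested = map(Decimal, (collateral, oracle_price, requested))
        if collateral <= 0 or oracle_price <= 0 or requested <= 0:
            return False, "non-positive amount or price"
        backed = collateral * oracle_price       # oracle-priced value of the deposit
        if requested > backed * (1 + self.max_deviation):
            return False, "mint exceeds collateral value"
        if requested > self.max_per_mint:
            return False, "per-mint cap exceeded"
        # Drop accepted mints that have aged out of the rolling window.
        self.history = [(t, a) for t, a in self.history if now - t < self.window_seconds]
        minted = sum((a for _, a in self.history), Decimal(0))
        if minted + requested > self.max_per_window:
            return False, "window cap exceeded"
        self.history.append((now, requested))
        return True, "ok"

def run_constructed_requests():
    guard = MintGuard(max_per_mint=Decimal("1000000"),
                      max_per_window=Decimal("1500000"), window_seconds=3600)
    requests = [  # constructed: (time s, USDC deposited, oracle USD price, USR requested)
        (0, "500000", "1.00", "500000"),      # ordinary 1:1 mint
        (60, "200000", "1.00", "80000000"),   # shape of the reported mint: ~$200k in, 80M USR out
        (120, "1000000", "1.00", "1000000"),  # fully backed, exactly at the per-mint cap
        (180, "900000", "1.00", "900000"),    # fully backed, but pushes the hour over its cap
        (4000, "900000", "1.00", "900000"),   # same request after the window has rolled
    ]
    return [guard.check(*r) for r in requests]

if __name__ == "__main__":
    for accepted, reason in run_constructed_requests():
        print(accepted, reason)
```

The second request fails the collateral check alone; the caps matter for the fourth, where every individual mint is backed but the aggregate rate is abnormal.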
What to Watch
Market participants should monitor the redemption process completion timeline and any third-party audit results regarding the AWS KMS configuration. Further price volatility is expected until the collateral pool is verified.
USR stabilization is projected over the next 7 days with neutral confidence, based on the initiation of the redemption process and the intact collateral pool cited by Resolv Labs.