Exchanging 200,000 for nearly 100 million, DeFi stablecoins face another attack
Written by: Eric, Foresight News
Around 10:21 Beijing time today, Resolv Labs, which issues the stablecoin USR using a delta-neutral strategy, was hacked. An address starting with 0x04A2 minted 50 million USR from the Resolv Labs protocol using 100,000 USDC.
As the incident came to light, USR plummeted to around $0.25, and as of the time of writing, it has rebounded to about $0.8. The price of the RESOLV token also saw a temporary drop of nearly 10%.
Subsequently, the hacker repeated the method and minted another 30 million USR using 100,000 USDC. With USR significantly de-pegged, arbitrage traders acted quickly: many lending markets on Morpho that accept USR, wstUSR, and other collateral types have been nearly emptied, and Lista DAO on the BNB Chain has suspended new loan requests.
The impact is not limited to these lending protocols. In the design of the Resolv Labs protocol, users can also mint RLP, a more volatile and higher-yielding token, but RLP holders must absorb the losses when the protocol incurs them. Currently, the circulating supply of RLP is nearly 30 million, with the largest holder, Stream Finance, holding over 13 million RLP, resulting in a net risk exposure of about $17 million.
Indeed, Stream Finance, which previously suffered due to the xUSD incident, may be hit again.
As of the time of writing, the hacker has converted USR into USDC and USDT and continues to buy Ethereum, having already purchased over 10,000 ETH. With 200,000 USDC, they have extracted over $20 million in assets, finding their "hundredfold coin" during the bear market.
Another Exploitation Due to "Lack of Rigor"
The sharp decline on October 11 last year caused many stablecoins issued using delta-neutral strategies to incur collateral losses due to ADL (automatic deleveraging). Some projects that executed their strategies using altcoins suffered even heavier losses or went bankrupt outright.
The attacked Resolv Labs also issued USR using a similar mechanism. The project announced in April 2025 that it had completed a $10 million seed round led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, and launched the RESOLV token in late May to early June.
However, Resolv Labs was attacked not because of extreme market conditions but because of a "lack of rigor" in the design of the USR minting mechanism.
Currently, no security company or official source has published an analysis of the cause of this hack. The DeFi community YAM has preliminarily concluded through its own analysis that the attack was likely caused by the hacker controlling the SERVICE_ROLE, which the protocol's backend uses to supply parameters to the minting contract.
According to Grok's analysis, when users mint USR, they initiate a request on-chain and call the contract's requestMint function, with parameters including:
_depositTokenAddress: the address of the deposited token;
_amount: the amount deposited;
_minMintAmount: the minimum expected amount of USR to receive (to prevent slippage).
Afterward, users deposit USDC or USDT into the contract, and the project's backend SERVICE_ROLE monitors the request, using the Pyth oracle to check the value of the deposited assets, and then calls the completeMint or completeSwap function to determine the actual amount of USR minted.
The problem is that the minting contract completely trusts the _mintAmount provided by the SERVICE_ROLE, on the assumption that this number has already been verified off-chain against Pyth. No upper limit was set and there was no on-chain oracle verification; the contract directly executes mint(_mintAmount).
Based on this, YAM suspects that the hacker gained control of the SERVICE_ROLE that should have been controlled by the project team (possibly due to internal oracle failure, collusion, or key theft) and set the _mintAmount directly to 50 million during minting, thereby minting 50 million USR with 100,000 USDC.
Ultimately, Grok concluded that, when designing the protocol, Resolv did not consider the possibility that the address (or contract) used to receive user minting requests could be controlled by hackers. When the request to mint USR was submitted to the contract that ultimately mints USR, no maximum minting amount was set, nor was there a secondary verification using an on-chain oracle; all parameters provided by the SERVICE_ROLE were trusted directly.
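The missing bound described above, as an added Python model of the mint-completion step (this is not Resolv's contract code, nor code from YAM or Grok). The function names, the 18-decimal USR pegged at $1, the 0.5% tolerance, the 5 million per-request cap and the sample price are all assumptions made for the illustration.

```python
from dataclasses import dataclass

USR_DECIMALS = 18                                     # assumption
TOLERANCE_BPS = 50                                    # assumption: 0.5% over oracle value
MAX_MINT_PER_REQUEST = 5_000_000 * 10**USR_DECIMALS   # assumption: hard cap

class MintRejected(Exception):
    pass

@dataclass(frozen=True)
class MintRequest:              # mirrors the requestMint parameters on the page
    token_decimals: int         # decimals of _depositTokenAddress
    amount: int                 # _amount, in token base units
    min_mint_amount: int        # _minMintAmount, in USR base units

def oracle_value_in_usr(req, price, expo):
    """Deposit value in USR base units from a Pyth-style (price, expo) pair."""
    scale = USR_DECIMALS - req.token_decimals + expo
    value = req.amount * price
    return value * 10**scale if scale >= 0 else value // 10**(-scale)

def complete_mint_trusting(req, mint_amount):
    """The flaw as described: whatever SERVICE_ROLE supplies is minted."""
    return mint_amount

def rejection_reason(req, mint_amount, price, expo):
    """Checks the contract itself can enforce, whoever holds SERVICE_ROLE."""
    if price <= 0:
        return "invalid oracle price"
    if mint_amount > MAX_MINT_PER_REQUEST:
        return "exceeds per-request cap"
    fair = oracle_value_in_usr(req, price, expo)
    if mint_amount > fair * (10_000 + TOLERANCE_BPS) // 10_000:
        return "exceeds oracle value of deposit"
    if mint_amount < req.min_mint_amount:
        return "below user's _minMintAmount"
    return None

def complete_mint_checked(req, mint_amount, price, expo):
    reason = rejection_reason(req, mint_amount, price, expo)
    if reason:
        raise MintRejected(reason)
    return mint_amount

# Constructed sample: 100,000 USDC (6 decimals) at a price of 0.9999 USD.
UNIT = 10**USR_DECIMALS
REQ = MintRequest(token_decimals=6, amount=100_000 * 10**6,
                  min_mint_amount=99_000 * UNIT)
PRICE, EXPO = 99_990_000, -8
```

With these checks the signer behind SERVICE_ROLE can still choose the amount, but only inside a band the contract derives from the deposit itself.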
Prevention Measures Were Also Inadequate
In addition to speculating on the reasons for the hack, YAM also pointed out the project's inadequate preparation for crisis response.
YAM stated on X that Resolv Labs only paused the protocol three hours after the hacker's first attack, with about one hour of that delay coming from the need to collect four signatures for the multi-signature transaction. YAM believes that an emergency pause should only require one signature, and that authority should be distributed as much as possible to team members or trusted external operators, which would increase awareness of on-chain anomalies, improve the likelihood of a quick pause, and better cover different time zones.
While the suggestion that a single signature should be able to pause the protocol is somewhat radical, requiring multiple signatures across different time zones to pause the protocol can indeed cause serious delays in an emergency. Introducing trusted third parties that continuously monitor on-chain behavior, or using monitoring tools that hold emergency-pause authority, are lessons learned from this incident.
Hacker attacks on DeFi protocols are no longer limited to contract vulnerabilities. The incident involving Resolv Labs serves as a warning to project teams: protocol security should not rest on trusting any single link, and all parameter-related processes must undergo at least secondary verification, including those operated by the project team itself.