Hassan Maishera
TL;DR
-
USR crashed to $0.025 on Curve before recovering to now hover at $0.31.
-
The depegging comes after an attacker exploited a flaw in Resolv’s USR minting contract, creating ~80 million unbacked tokens from roughly $200,000 in USDC.
USR Loses Peg After an Exploit
A vulnerability in Resolv’s USR stablecoin minting contract was exploited on Sunday, resulting in the creation of roughly 80 million unbacked tokens and the loss of about $25 million, according to multiple blockchain security firms.
The attack began at approximately 2:21 a.m. UTC. The Twitter account YieldsAndMore was among the first to report the incident, sharing Etherscan transaction data showing that the attacker deposited 100,000 USDC into Resolv’s USR Counter contract and received 50 million USR—about 500 times the expected amount. A follow-up transaction minted an additional 30 million USR.
USR, a dollar-pegged stablecoin backed by ETH and BTC through a delta-neutral hedging strategy rather than fiat reserves, plummeted to $0.025 in its most liquid Curve Finance pool within 17 minutes of the initial mint, according to DEX Screener. The token later rebounded to around $0.31 but had not fully restored its peg by Monday morning.
According to blockchain reports, the attacker operating from an address beginning with 0x04A2, swapped the minted USR for USDC and USDT across decentralized exchanges, then converted the proceeds into ETH.
The hacker’s wallet address holds 11,409 ETH, worth about $23.7 million at the time of publication. Furthermore, another wallet address identified as belonging to the attacker holds about $1.1 million worth of wstUSR tokens.
According to Resolv Labs, it had paused all protocol functions and that its collateral pool "remains fully intact" with "no underlying assets" lost. The team added that the issue was isolated to the USR issuance mechanics.
We are currently investigating a security incident involving unauthorized minting of USR.
— Resolv Labs (@ResolvLabs) March 22, 2026
At this stage:
The collateral pool remains fully intact. No underlying assets have been lost.
The issue appears isolated to USR issuance mechanics.
Our immediate priority is to:
1)…
However, onchain analyst Andrew Hong attributed the breach to the protocol's SERVICE_ROLE, a privileged account that completes swap requests. That role was controlled by a standard externally owned account (EOA) rather than a multisig. The minting contract lacked oracle checks, amount validation, and maximum mint limits.
