Resolv Labs confirmed on Sunday that its stablecoin USR had lost its dollar peg following an exploit that allowed an attacker to create tens of millions of unbacked tokens. The project announced on X that the attacker minted 50 million USR without proper backing, prompting the team to pause all protocol functions to prevent further damage. Resolv Labs stated it is actively working on recovery measures in the wake of the incident.
Crypto security firm PeckShield reported that the attacker was able to mint an additional 30 million USR tokens beyond the initial 50 million, bringing the total to 80 million unbacked tokens. An X account called yieldsandmore had flagged the incident earlier on Sunday, noting that on-chain data showed the attacker deposited just $100,000 worth of the stablecoin USDC to trigger the initial mint. The precise mechanism behind the exploit remained under investigation.
Crypto fund D2 Finance offered analysis suggesting the minting function on USR’s contract was broken in some way. The firm outlined three possible causes: the oracle was manipulated, an off-chain signer was compromised, or validation between a minting request and its completion was simply absent. D2 Finance described the attacker’s subsequent moves as a textbook decentralized finance cashout executed at speed.
After minting the tokens, the attacker distributed the 50 million USR across multiple crypto protocols, swapping them for the stablecoins USDC and USDt before converting the proceeds into Ether. D2 Finance noted that USR was selling as low as 50 cents on some trades as liquidity deteriorated and slippage worsened across protocols. Multiple failed transactions were visible on-chain, reflecting the urgency of the attacker’s exit. The firm estimated total extracted value at approximately $25 million.
The token reached its lowest point on the Curve Finance USR/USDC pool, crashing to 2.5 cents at 2:38 am UTC on Sunday, just 17 minutes after the initial 50 million tokens were minted. That pool is USR’s most liquid venue, recording a 24-hour volume of $3.6 million according to DEX Screener. The pool has since partially recovered, trading at around 84.5 cents. According to CoinGecko, USR is currently trading at approximately 87 cents, roughly 13% below its intended one-dollar peg.
The incident occurs against a broader backdrop of shifting tactics among crypto attackers. Hacks across the crypto sector declined sharply in February, with losses totaling $49 million compared to $385 million in January, as attackers have increasingly favored phishing scams over direct protocol exploits. The USR breach represents a notable exception to that trend, demonstrating that smart contract vulnerabilities remain a significant risk for decentralized finance protocols.
Originally reported by CoinTelegraph.
