Disclaimer: This post was researched and drafted with AI assistance. All facts have been verified against primary sources.


What’s New This Week

The Resolv/USR exploit on March 22 – covered previously here and here – has a second chapter. While most coverage focused on the $23.6m extracted via the compromised key, a quieter loss event was unfolding in parallel: contagion spreading into Morpho lending markets through a completely different mechanism. Not a hack. Not a bug in the traditional sense. An oracle that refused to acknowledge what the market was telling it.


Changelog

Date         Summary
27 Mar 2026  Initial publication.

The Oracle That Didn’t Move

When the attacker dumped $80m of unbacked USR into DEX pools, the market price of USR briefly collapsed to $0.05. wstUSR – the wrapped, yield-bearing version used as collateral in Morpho vaults – followed it down.

Morpho vaults did not get the memo. According to the Steakhouse Financial DeFi Markets Update from March 26, the vaults kept valuing wstUSR collateral at a hardcoded $1.13, assuming full peg throughout. The market price was well below that point.

That gap – between the hardcoded collateral value and the actual market price – is all an attacker needs. The mechanics are straightforward: buy wstUSR at distressed prices on the open market, deposit it as collateral at the hardcoded $1.13 valuation, borrow healthy USDC against it at close to face value. Drain the vault’s liquidity. Exit.

According to Morpho’s own statement, approximately 15 vaults with non-negligible exposure (above $10k each) were impacted.

This Isn’t New – But It Keeps Happening

Hardcoded or lagging oracle prices during depegs are a well-understood failure mode. It shows up in every major collateral incident. The pattern is always the same: the oracle design makes an assumption about peg stability that holds under normal conditions, and that assumption becomes the attack surface the moment conditions stop being normal.

The specific failure here is that the oracle didn’t have a circuit breaker – some mechanism to halt or reprice if market price diverges from the hardcoded value by more than some threshold. A 1% deviation threshold would have been triggered almost immediately. At $0.05 per USR, you’re looking at a 95%+ divergence from the assumed $1.00 peg.

This is a design choice, not an oversight. Hardcoded prices are simpler to implement, cheaper to operate, and less susceptible to oracle manipulation attacks – the logic being that if you use a live price feed, an attacker can manipulate that feed. The trade-off is that you create exactly the kind of arbitrage window that opened on March 22.

What Vault Operators Can Learn From Steakhouse’s Response

Steakhouse Financial had zero exposure. Their systems flagged a 1.61% USR deviation at 02:21 UTC and completed full exits across all vaults by 03:02 UTC – 41 minutes from detection to clean. They had also never accepted RLP (Resolv’s junior tranche) as collateral, citing its concentrated risk profile.

That 41-minute exit window is worth sitting with. It implies an automated monitoring system with clear thresholds and pre-approved response actions. The alternative – someone waking up, assessing the situation, and manually executing exits – would likely have been far slower, and far more expensive.

The Morpho vaults that took losses presumably had no equivalent tripwire. At minimum, any vault accepting collateral with a hardcoded price should be monitoring market price deviation and either triggering an automated response or alerting someone who can.

The Actionable Part

If you’re building or managing DeFi vaults with yield-bearing collateral: the question to answer right now is what happens to your collateral’s oracle price if the underlying depegs by 10%, 50%, or 90%. If the answer is “the oracle doesn’t move,” you have an open arbitrage window. The size of your loss depends on how fast someone finds it and how much liquidity is available to drain.
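The two pieces a vault operator needs here are the circuit breaker described earlier (halt or reprice once market price diverges from the booked value by more than a threshold) and the 10%/50%/90% depeg question just posed. The example below puts both in one place. It is added for this post and is not Morpho, Steakhouse or Resolv code; the 1.13 wstUSR:USR exchange rate (which, together with a $1.00 peg, is what gives the $1.13 booked value), the basis-point thresholds, and the price feed in SAMPLE_FEED are all constructed for illustration, not real tick data. Because the wrapper's market value is just the underlying price times a slow-moving exchange rate, the deviation of wstUSR from its booked value equals the deviation of USR from peg, which is why monitoring the underlying peg is enough.

```python
"""Deviation circuit breaker for collateral booked at a hardcoded price.

Added example for this post; not Morpho, Steakhouse or Resolv code.
The exchange rate, thresholds and SAMPLE_FEED below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    OK = "ok"        # booked value and market agree within tolerance
    ALERT = "alert"  # page an operator; a pre-approved exit may start
    HALT = "halt"    # stop accepting the collateral / stop new borrows


@dataclass(frozen=True)
class Breaker:
    hardcoded_price: float  # what the vault books per unit of collateral
    exchange_rate: float    # wrapper units -> underlying (assumed 1.13)
    alert_bps: int          # deviation that pages someone
    halt_bps: int           # deviation that trips the breaker


def implied_price(breaker: Breaker, underlying_market: float) -> float:
    """Market-implied value of the wrapper: underlying price x exchange rate."""
    return underlying_market * breaker.exchange_rate


def deviation_bps(booked: float, market: float) -> int:
    """Gap between booked and market value, in basis points of the booked value."""
    if booked <= 0:
        raise ValueError("booked price must be positive")
    return round(abs(booked - market) / booked * 10_000)


def evaluate(breaker: Breaker, underlying_market: float) -> tuple[Action, int]:
    """Classify one observation of the underlying's market price."""
    dev = deviation_bps(breaker.hardcoded_price,
                        implied_price(breaker, underlying_market))
    if dev >= breaker.halt_bps:
        return Action.HALT, dev
    if dev >= breaker.alert_bps:
        return Action.ALERT, dev
    return Action.OK, dev


def replay(breaker: Breaker, feed):
    """Run the breaker over (timestamp, price) observations; return every verdict."""
    return [(ts, *evaluate(breaker, price)) for ts, price in feed]


def first_trip(verdicts, level: Action):
    """Timestamp of the first verdict at or above `level`, or None."""
    rank = {Action.OK: 0, Action.ALERT: 1, Action.HALT: 2}
    for ts, action, _ in verdicts:
        if rank[action] >= rank[level]:
            return ts
    return None


@dataclass(frozen=True)
class Scenario:
    depeg: float          # fraction of peg lost by the underlying
    market_price: float   # implied wrapper price at that depeg
    deviation_bps: int
    overvaluation: float  # booked value / market value
    action: Action


def stress_test(breaker: Breaker, depegs=(0.10, 0.50, 0.90), peg: float = 1.00):
    """What does the oracle do at 10/50/90% depeg? A hardcoded oracle books
    the same value in every row; overvaluation is how many booked dollars
    each real dollar of collateral carries into the borrow calculation."""
    out = []
    for d in depegs:
        underlying = peg * (1 - d)
        market = implied_price(breaker, underlying)
        action, dev = evaluate(breaker, underlying)
        out.append(Scenario(d, round(market, 4), dev,
                            round(breaker.hardcoded_price / market, 2), action))
    return out


# Constructed feed (UTC time, USR market price); not real tick data.
SAMPLE_FEED = [
    ("02:00", 1.0000),
    ("02:15", 0.9990),
    ("02:21", 0.9839),  # 1.61% below peg
    ("02:40", 0.6000),
    ("03:00", 0.0500),
]

WSTUSR_BREAKER = Breaker(hardcoded_price=1.13, exchange_rate=1.13,
                         alert_bps=100, halt_bps=500)

if __name__ == "__main__":
    verdicts = replay(WSTUSR_BREAKER, SAMPLE_FEED)
    for ts, action, dev in verdicts:
        print(f"{ts}  dev={dev:5d} bps  {action.value}")
    print("first alert:", first_trip(verdicts, Action.ALERT),
          " first halt:", first_trip(verdicts, Action.HALT))
    for s in stress_test(WSTUSR_BREAKER):
        print(f"depeg {s.depeg:.0%}: market ${s.market_price} vs booked "
              f"${WSTUSR_BREAKER.hardcoded_price}, overvalued {s.overvaluation}x "
              f"-> {s.action.value}")
```

With the constructed feed, the 1.61% observation at 02:21 lands in ALERT and the 40% gap at 02:40 in HALT, which is the shape of the tripwire the post argues every vault booking collateral at a fixed price should have. The stress rows make the other point: a 90% depeg leaves the booked value ten times the market value while the oracle itself reports nothing, so the threshold check has to live outside the oracle.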

The 15 vaults that got hit weren’t using exotic collateral. wstUSR was a legitimate, audited, yield-bearing stablecoin product right up until it wasn’t. The risk wasn’t hidden – it was hardcoded.