Commissioned, curated and published by Russ. Researched and written with AI.


On March 22, 2026, an attacker compromised a private key controlling Resolv Labs’ off-chain signing service and used it to mint approximately 80 million USR tokens against zero collateral. Total damage: roughly $25 million extracted. USR depegged by more than 74%. The smart contract code was not the problem. The key was.

The Attack Chain

Resolv’s USR stablecoin relied on an off-chain signing service to authorise minting. The on-chain contract had no maximum cap on USR issuance. That cap lived entirely off-chain, enforced only by the signing service and the private key controlling it.

Once the attacker had that key, the on-chain contract did exactly what it was designed to do: it minted tokens on valid instruction. Eighty million of them.

The cash-out followed a path Chainalysis described as textbook for DeFi exploits. The attacker converted uncollateralized USR into wstUSR – the staked version of the token – then swapped into other stablecoins, then into ETH. Converting to a staked derivative first is deliberate: it creates one more hop between the mint event and the final asset, complicating trace and attribution. The sequence worked. Approximately $25 million left the protocol.

The Response

Resolv Labs moved quickly after detection. Protocol functions were paused. They burned approximately $9 million in USR to reduce the circulating supply and limit further depeg pressure. Redemptions for pre-incident USR holders are being prepared for an allowlisted set of users.

The team stated it is working with law enforcement and on-chain analytics firms. Material recovery is unlikely, since conversion to ETH and subsequent bridging are chosen precisely to frustrate tracing and freezing, but engaging investigators and analytics firms is the correct operational response.

The Structural Lesson

This is not a smart contract vulnerability. The contracts behaved correctly. The failure was architectural: a single private key was the only control preventing uncapped issuance of a stablecoin with real market value.

No on-chain cap. No circuit breaker that triggers if mint volume exceeds a threshold. No multi-sig requirement on the signing service. The off-chain service was load-bearing infrastructure with no redundancy and no on-chain enforcement of the invariants it was supposed to maintain.

This is a pattern showing up across Q1 2026. At least 15 DeFi attacks have cost the sector approximately $137 million in the quarter. Many of them share the same root cause: critical control logic living off-chain, enforced by a single key or service, with no on-chain fallback if that control is bypassed.

The question protocol teams should be asking is not “is our contract code audited?” Audits check what’s on-chain. The question is: what invariants are enforced only off-chain, what’s the blast radius if those controls fail, and what would it take for an attacker to bypass them entirely?

If the answer to the last question is “compromise one private key,” the architecture has a single point of failure dressed up as a feature.
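The three missing controls listed above (an on-chain cap, a circuit breaker on mint volume, and a threshold of signers instead of one key) can all live in the minting contract while the off-chain service keeps its role of authorising individual mints. The contract below is an added illustration, not Resolv's code or any audited library: the contract name, the message format, the guardian role and the threshold-signature scheme are assumptions chosen for the example, and the token itself is reduced to a balance mapping. It answers the blast-radius question directly: one compromised key yields nothing, all keys together yield at most one window's limit before the breaker trips, and no combination can exceed the hard cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative mint controller (example code, not a production contract).
/// Off-chain signers still authorise each mint, but the invariants the
/// signing service used to enforce are now checked on-chain as well.
contract CappedSignedMinter {
    uint256 public immutable maxSupply;      // hard cap, cannot be raised
    uint256 public immutable windowSeconds;  // circuit-breaker window length
    uint256 public immutable windowLimit;    // max mint volume per window
    uint256 public immutable threshold;      // signatures required per mint
    address public immutable guardian;       // may unpause after a trip

    uint256 public totalSupply;
    uint256 public windowStart;
    uint256 public mintedInWindow;
    bool public paused;

    mapping(address => bool) public isSigner;
    mapping(uint256 => bool) public nonceUsed;
    mapping(address => uint256) public balanceOf;

    event Minted(address indexed to, uint256 amount, uint256 nonce);
    event CircuitBreakerTripped(uint256 attempted, uint256 remaining);

    // secp256k1 group order / 2: reject high-s signatures (malleability).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(
        address[] memory signers,
        uint256 threshold_,
        address guardian_,
        uint256 maxSupply_,
        uint256 windowSeconds_,
        uint256 windowLimit_
    ) {
        require(threshold_ > 0 && threshold_ <= signers.length, "bad threshold");
        require(guardian_ != address(0), "bad guardian");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer set");
            isSigner[signers[i]] = true;
        }
        threshold = threshold_;
        guardian = guardian_;
        maxSupply = maxSupply_;
        windowSeconds = windowSeconds_;
        windowLimit = windowLimit_;
        windowStart = block.timestamp;
    }

    /// Digest the off-chain service signs. Chain id and contract address are
    /// bound in so an authorisation cannot be replayed on another deployment.
    function mintDigest(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), to, amount, nonce));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function mint(
        address to,
        uint256 amount,
        uint256 nonce,
        uint8[] calldata v,
        bytes32[] calldata r,
        bytes32[] calldata s
    ) external {
        require(!paused, "paused");
        require(!nonceUsed[nonce], "nonce used");
        // Control 3: a threshold of distinct signers, checked before any state
        // change so an unauthenticated caller cannot trip the breaker.
        require(v.length == threshold && r.length == threshold && s.length == threshold, "sig count");
        bytes32 digest = mintDigest(to, amount, nonce);
        address last = address(0);
        for (uint256 i = 0; i < threshold; i++) {
            require(uint256(s[i]) <= HALF_N, "high s");
            address signer = ecrecover(digest, v[i], r[i], s[i]);
            // ecrecover returns address(0) on failure; requiring strictly
            // ascending addresses also rejects a duplicated signature.
            require(signer > last && isSigner[signer], "bad signer");
            last = signer;
        }
        nonceUsed[nonce] = true;

        // Control 1: hard cap enforced here, not by whoever holds the keys.
        require(totalSupply + amount <= maxSupply, "cap exceeded");

        // Control 2: rolling-window circuit breaker. Exceeding the window
        // limit pauses minting instead of reverting, so the paused state
        // persists and only the guardian (not a signer) can resume.
        if (block.timestamp >= windowStart + windowSeconds) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        if (mintedInWindow + amount > windowLimit) {
            paused = true;
            emit CircuitBreakerTripped(amount, windowLimit - mintedInWindow);
            return;
        }

        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount, nonce);
    }

    function unpause() external {
        require(msg.sender == guardian, "not guardian");
        paused = false;
    }
}
```

Two design choices are worth calling out. The breaker consumes the nonce and returns rather than reverting, because a revert would also undo the pause; the legitimate service re-issues the authorisation once the guardian has investigated. And the guardian is deliberately not a signer, so the key that authorises mints cannot also clear the alarm those mints raise.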


Sources: Decrypt, Chainalysis