The cryptocurrency market has once again experienced a severe shock due to a security vulnerability. The USR stablecoin, belonging to the Resolv protocol, collapsed rapidly after a critical flaw in its minting contract was exploited.
The attack began in the early hours of Sunday. According to on-chain data, the attacker managed to mint approximately 50 million USR by depositing only 100,000 USDC. A second transaction resulted in a total of approximately 80 million unbacked tokens, hundreds of times exceeding the system's limits.
These minted tokens were quickly converted to USDC and USDT on decentralized exchanges, and then to Ethereum. It has been determined that wallets controlled by the attacker currently hold approximately 11,409 ETH, worth around $23.7 million at current prices. Additionally, approximately $1.1 million worth of wrapped USR is held at a different address.
Stablecoin Collapses in Minutes
USR was theoretically designed as a stablecoin pegged to $1. However, this balance was rapidly disrupted after the attack. In the most liquid pool on Curve, the price dropped to $0.025 in just 17 minutes. This was recorded as one of the harshest examples of the "depeg" scenario, one of the most critical risks for stablecoins.
Although the price later recovered to $0.85, it could not regain its peg. According to the latest data, USR is still trading at a significant discount. This situation caused token holders to experience instant and serious losses.
Resolv Labs stated in its announcement that all transactions on the protocol have been halted and the collateral pool is "completely intact." However, analysts emphasize that the problem here is not a direct loss of assets but rather a supply inflation. In other words, although the collateral in the system remained in place, the unbacked tokens released into the market diluted the existing supply, causing the price to collapse.
The source of the problem: A single key, unlimited authority
On-chain analysis revealed serious design flaws at the heart of the attack. The most striking point was that the privileged role (SERVICE_ROLE) managing mint transactions was controlled by only one external account (EOA). This account lacked any multisignature (multisig) protection. In addition, the contract was found to be missing basic security mechanisms such as oracle control, quantity verification, and maximum minting limit. This allowed the attacker to produce tokens almost without limit in the system.
According to experts, such vulnerabilities show how great a risk keys that do not directly hold funds but have critical authority over the system pose. A significant portion of recent attacks target precisely these "invisible vulnerabilities."
Chain reaction to the DeFi ecosystem
The decline did not only affect USR investors. Significant fluctuations were also seen in DeFi platforms where the token is used as collateral. It is particularly noted that some users may have bought USR at a low price and used this asset, which is still valued at $1 in the system, as collateral to obtain loans. This situation may have led to liquidity drains in the relevant pools. On the other hand, it is being discussed that the RLP pool, which acts as the insurance layer of the Resolv ecosystem, may also have been damaged. Positions held by large investors here could open the door to additional losses.
Exchange warning: Delisting risk is on the table
Following these developments, South Korea's leading cryptocurrency exchanges Upbit and Bithumb announced that they have added the RESOLV token to their watchlist. This decision shows that uncertainties about the future of the asset have increased. While being added to the watchlist does not directly mean delisting, it means that issues such as liquidity, transparency, technical infrastructure, and investor security will be re-evaluated. The delisting of the token from exchanges is also among the possibilities at the end of the process.
