Besides the Resolv Hack, This Type of DeFi Vulnerability Has Occurred Four Times Already

marsbitPublished on 2026-03-24Last updated on 2026-03-24

Abstract

An attacker exploited a compromised off-chain signing key in the stablecoin protocol Resolv, minting 80 million USR tokens (pegged to USD) from a $100k–$200k USDC deposit within minutes. The stolen keys allowed unlimited minting due to a design flaw—lacking a minting cap—despite multiple audits. The attacker then converted USR to its wrapped version (wstUSR) and dumped it on DEXs, netting ~11,400 ETH (~$24M). This caused USR to depeg, trading at ~$0.25. The depeg triggered a second-phase crisis: lending markets (including Morpho and Fluid/Instadapp) using wstUSR as collateral relied on hardcoded oracles that priced it near $1 instead of its real market value. Arbitrageurs bought cheap wstUSR, used it as overvalued collateral to borrow stablecoins, and amplified losses. Fluid absorbed over $10M in bad debt; Morpho had 15 vaults exposed. This incident repeats a known DeFi pattern: similar oracle failures occurred with Usual Protocol (Jan 2025), Stream Finance (Nov 2025), and Moonwell (late 2025), where mispriced collateral led to massive bad debt. Critics highlight flawed incentives in the "curator" model (e.g., Gauntlet), where third-party vault managers prioritize high yields without adequate risk controls, and protocols outsource risk management without enforcing safeguards. The root cause is systemic: over-reliance on static oracles for volatile assets and insecure off-chain infrastructure.

On a quiet Sunday morning, someone turned $100,000 into $25 million in about 17 minutes.

The target was the yield-bearing stablecoin protocol Resolv. Before Resolv paused its contracts, its dollar-pegged stablecoin, USR, had fallen to a few cents. As of this writing, USR remains severely depegged, trading at around $0.25, down more than 70% this week.

The shockwaves extended far beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day, experiencing a net outflow of over $300 million on the same day, a record single-day outflow in its history. 15 Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance all subsequently suspended USR-related markets.

The mechanism that allowed this vulnerability's losses to spread—pricing a depegged stablecoin at $1 in lending markets—is not new. This has happened at least four times in the past 14 months.

How the Vulnerability Worked

USR minting followed a two-step off-chain process: Users deposited USDC via the `requestSwap` function, and a privileged off-chain signing key, `SERVICE_ROLE`, would then finalize the amount of USR to be issued via `completeSwap`.

The contract had a minimum output limit but no maximum limit. The contract executed whatever the key holder signed.

The attacker gained access to this key through Resolv's AWS Key Management Service. They submitted two USDC deposits totaling approximately $100,000 to $200,000, then used the stolen key to authorize the minting of 80 million USR in return. On-chain data shows two transactions of 50 million USR and 30 million USR, both completed within minutes.

"The Resolv USR exploit wasn't a bug—it was a feature operating as designed. That's the problem," said on-chain analyst Vadim (@zacodil).

The SERVICE_ROLE was a regular external owned address (EOA), not a multi-signature wallet. The admin key had multi-sig protection, but the minting key did not.

"Resolv underwent 18 audits," Vadim said, "One of the findings was literally named 'Missing Cap'."

The attacker exited: They first converted the minted USR to wstUSR (a staked wrapped version) to slow the market impact, then swapped it for ETH via Curve, Uniswap, and KyberSwap. The attacker's wallet holds approximately 11,400 ETH (around $24 million). The underlying ETH and BTC collateral pools supporting the entire system remained intact as the stablecoin collapsed.

How the Contagion Spread

The Resolv exploit was effectively two events stacked on top of each other. The first was the minting exploit, the second was the failure of connected lending markets.

When USR and wstUSR crashed, every lending market that accepted them as collateral faced the same problem: their oracles were still pricing wstUSR at close to $1.

Omer Goldberg, founder of risk analysis firm Chaos Labs, documented this mechanism. His key finding: "The oracle was hardcoded, so it never repriced. wstUSR was marked at $1.13, while trading on secondary markets for around $0.63."

Traders bought wstUSR cheaply on the open market, then used it as collateral on Morpho or Fluid at the oracle price of $1.13, borrowing USDC against it and walking away.

At Fluid, the team secured short-term loans to cover 100% of the bad debt and promised to make every user whole. At Morpho, co-founder Paul Frambot stated that about 15 vaults had significant exposure, all in high-risk, long-tail collateral strategies.

Prominent curator Gauntlet stated that "a few high-yield vaults had limited exposure."

But D2 Finance directly countered this, publishing on-chain data showing Gauntlet's flagship "USDC Core Vault" had allocated $4.95 million to the wstUSR/USDC market. Goldberg later stated that Gauntlet vaults constituted 98% of the lender liquidity in that market.

Frambot said in a written response to The Defiant: "We are constantly working on how to present various risks more comprehensively. However, we don't believe the core issue here is a lack of labeling."

Frambot added: "Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they deem most suitable for a specific market. Morpho is open, permissionless infrastructure designed to outsource risk management to curators."

"It's difficult to enforce objectively 'correct' guardrails in all scenarios," Frambot said, "Imposing constraints at the protocol level also risks hindering legitimate strategies."

While the underlying protocol leaves risk management to curators, some in the industry believe the curators are not fulfilling their duty.

"I believe the curator industry is flawed by design because there is no real curation happening," Marc Zeller said on X.

At the time of publication, Resolv, Gauntlet, and Fluid had not responded to The Defiant's requests for comment.

A Recurring Failure Pattern

This is not a new type of attack. In January 2025, Usual Protocol's USD0++ was hardcoded at $1 by curator MEV Capital in a Morpho vault.

Usual then abruptly adjusted its redemption floor price to $0.87 without warning, locking lenders into the MEV Capital vault, whose utilization rate soared to 100%.

In November 2025, Stream Finance's xUSD collapsed after curators had routed USDC deposits into leverage loops backed by the synthetic stablecoin. When its oracle refused to update, an estimated $285 million to $700 million in assets were at risk on Morpho, Euler, and Silo.

Moonwell suffered two consecutive oracle failures in October and November 2025, resulting in over $5 million in bad debt combined.

What This Means for the Curator Model

Morpho's architecture outsources all risk decisions to third-party "curators," who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory is that professional firms have deeper expertise, and competition leads to better risk management, with the protocol enforcing the rules.

But curators earn fees based on the yield generated, creating an incentive to accept higher-risk, higher-yielding collateral (like yield-bearing stablecoins). The problem is that when these stablecoins depeg, the losses are borne by the depositors, not the curators.

In the Resolv incident, some curators' automated bots continued pumping funds into the affected vaults for hours after the exploit, deepening the losses.

The reason for using hardcoded oracles for yield-bearing stablecoins is to prevent unnecessary liquidations triggered by short-term volatility. But this protection only works if the stablecoin remains stable.

On-chain analytics firm Chainalysis stated in a post-mortem that real-time on-chain detection capabilities are needed.

"The on-chain smart contracts were functioning perfectly. The issue clearly lay with the broader system design and off-chain infrastructure," the analytics firm said.

Trending Cryptos

CitreaCTR

wrapped stUSDTWSTUSDT

Velodrome FinanceVELODROME

BrevisBREV

ZRX（0X）ZRX

PancakeSwapCAKE

The Hunter Becomes the Hunted: The Most Profitable MEV Bot Gets Hacked

A well-known and highly profitable Ethereum MEV Bot, Jaredfromsubway.eth, suffered a sophisticated on-chain attack this Saturday, losing over $7.5 million. Analysis by Blockaid and others reveals this was not a conventional phishing or smart contract exploit, but a targeted "counter-MEV honeypot attack." The attacker meticulously laid a trap over several weeks, deploying 66 fake token contracts and liquidity pools disguised as major assets like WETH and USDC. These pools created the illusion of arbitrage opportunities. The MEV Bot's automated system detected these signals, executed trades, and in the process, granted approval permissions to attacker-controlled contracts. These approvals were not revoked, creating a persistent vulnerability. The attacker then exploited this in a single transaction, draining the bot's ETH, USDC, and USDT holdings. Jaredfromsubway.eth is notorious as one of Ethereum's most active and profitable MEV Bots, primarily known for executing "sandwich attacks" to profit from transaction slippage. Estimates suggest it has earned tens of millions in MEV revenue. The incident highlights escalating crypto security threats, demonstrating that even top-tier automated "predators" are vulnerable to novel, logic-based attacks designed to exploit their own operational rules. Following the hack, an unverified X account impersonating Jaredfromsubway.eth emerged, falsely offering a bounty for the return of funds, prompting developer warnings for users to stay vigilant.

marsbit27m ago

Hunter Becomes the Hunted: The Most Profitable MEV Bot Gets Hacked

The prominent Ethereum MEV bot address Jaredfromsubway.eth suffered a targeted on-chain attack, losing over $7.5 million. The incident was identified as a "counter-MEV honeypot attack," where the attacker deployed numerous fake token contracts and liquidity pools over several weeks, mimicking mainstream assets like WETH and USDC to create seemingly profitable arbitrage opportunities. The MEV bot, designed to automatically detect and execute such trades, interacted with the malicious setup. During the process, it granted approvals to attacker-controlled contracts, which were not promptly revoked. The attacker later exploited these persistent permissions in a single transaction, draining the bot's holdings of ETH, USDC, and USDT. Jaredfromsubway.eth is known as one of Ethereum's most active and profitable MEV bots, primarily executing "sandwich attacks" to extract value from user transactions. Its operations have been linked to a majority of such attacks on the network. This event highlights the evolving security threats in crypto, demonstrating that even sophisticated, rule-exploiting systems can become targets of carefully designed behavioral traps. Following the theft, an impersonator account on X falsely claimed to offer a bounty for the return of the funds, prompting warnings from developers.

Odaily星球日报34m ago

Hunter Becomes the Hunted: The Most Profitable MEV Bot Gets Hacked

Odaily星球日报34m ago

The Reality of Payments in Latin America Is Not What You Think

The payment landscape in Latin America is undergoing a fundamental shift, driven by on-the-ground realities that challenge common perceptions. Based on over 500 hours of field research across the region, key insights emerge. Firstly, QR code payments, like Brazil's Pix, are becoming the dominant payment method in most emerging markets, overtaking cards. However, these domestic instant payment systems lack international interoperability, creating a significant gap for cross-border users. Secondly, the narrative around crypto cards is often misunderstood; their primary volume comes from high-net-worth professionals using them for salary conversions (e.g., USDT to local currency via Pix), not retail micro-payments. Competition in payments is shifting from customer acquisition to controlling the settlement layer, leading fintechs to acquire banking licenses for efficiency. Thirdly, treating "Latin America" as a single market is a mistake. Countries like Argentina, Brazil, and Mexico have distinct economic realities, user segments, and regulatory approaches. Brazil alone has at least five distinct user segments with different financial flows. Overlooked markets like Guatemala, Honduras, and El Salvador (the "forgotten five") offer high remittance volumes with lower competitive density. Finally, regulation in Latin America is often ahead of the US, with clearer frameworks for digital assets and a pragmatic approach from regulators focused on safety rather than obstruction. The margin on stablecoin forex is rapidly compressing toward zero, meaning future winners will be those building value-added services on top of the infrastructure, not just the cheapest exchange.

marsbit42m ago

The Reality of Payments in Latin America Is Not What You Think

marsbit42m ago

Making Music in a Bear Market: The Survival Experiment of a Bitcoin Band

"Orange Pill Jam: A Bitcoin Band's Survival in the Bear Market" Orange Pill Jam is a musical group exploring themes of financial sovereignty and privacy, born from the Bitcoin community. Formed after singer Mermaid performed her song "Dollar Apocalypse" at a 2022 conference, the band creates music intended for both Bitcoin enthusiasts and general audiences. Their creative process involves Mermaid writing lyrics and melodies, which producer/multi-instrumentalist Michi then shapes with a precise, rhythm-focused approach, often demanding numerous retakes to achieve his unique standard of timing. Their songs, like "Cypherpunks' Manifesto" and "Fire of Freedom," tackle concepts of digital privacy, the pitfalls of "free" services, and personal sovereignty, influenced by experiences in places like El Salvador. Despite operating in a crypto bear market with a Copyleft model (offering music for free sharing/remixing and accepting optional Bitcoin donations), they face practical challenges. Their growth is slow on platforms like YouTube and Spotify, which aren't optimized for their niche content. The band also navigates the rise of AI-generated music. While acknowledging AI's efficiency for certain tasks, they believe human creativity occupies a unique space that algorithms cannot replicate—the ability to create new genres and capture intangible rhythmic feeling. For Orange Pill Jam, the core argument for both Bitcoin in a downturn and human artistry in the AI age lies in this irreplaceable, intentional, and imperfectly human creative process. Their project persists as an anti-algorithm experiment, valuing the unquantifiable impact of music over scalable metrics.

marsbit48m ago

Making Music in a Bear Market: The Survival Experiment of a Bitcoin Band

marsbit48m ago

Google's AI Talent Loss: A Stress Test or a Prelude to an 'Obituary'?

The departure of high-profile AI talent from Google, including transformer pioneer Noam Shazeer and AlphaFold's John Jumper, has sparked debate about the company's competitive position. However, this is less a sign of decline than a pressure test typical of the pre-IPO talent wars among AI giants like OpenAI and Anthropic. Google's true strength lies not just in models but in its unparalleled full-stack position: extensive AI research, proprietary infrastructure (TPU, Google Cloud), a massive user base across products (Search, YouTube, Android), and established enterprise relationships. It is simultaneously a competitor and a key infrastructure provider for rivals. While facing the innovator's dilemma inherent to protecting its core search business, Google is aggressively integrating AI across its ecosystem. The narrative shouldn't focus on individual departures but on Google's systemic advantages—its deep talent pool, integrated product strategy, and capacity to compete across every layer of the AI stack for the long term.

marsbit54m ago

Google's AI Talent Loss: A Stress Test or a Prelude to an 'Obituary'?

marsbit54m ago

Trading

Spot

Futures

Hot Articles

How to Buy RESOLV

Welcome to HTX.com! We've made purchasing Resolv (RESOLV) simple and convenient. Follow our step-by-step guide to embark on your crypto journey.Step 1: Create Your HTX AccountUse your email or phone number to sign up for a free account on HTX. Experience a hassle-free registration journey and unlock all features.Get My AccountStep 2: Go to Buy Crypto and Choose Your Payment MethodCredit/Debit Card: Use your Visa or Mastercard to buy Resolv (RESOLV) instantly.Balance: Use funds from your HTX account balance to trade seamlessly.Third Parties: We've added popular payment methods such as Google Pay and Apple Pay to enhance convenience.P2P: Trade directly with other users on HTX.Over-the-Counter (OTC): We offer tailor-made services and competitive exchange rates for traders.Step 3: Store Your Resolv (RESOLV)After purchasing your Resolv (RESOLV), store it in your HTX account. Alternatively, you can send it elsewhere via blockchain transfer or use it to trade other cryptocurrencies.Step 4: Trade Resolv (RESOLV)Easily trade Resolv (RESOLV) on HTX's spot market. Simply access your account, select your trading pair, execute your trades, and monitor in real-time. We offer a user-friendly experience for both beginners and seasoned traders.

4.8k Total ViewsPublished 2025.06.11Updated 2026.06.02

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of RESOLV (RESOLV) are presented below.