Besides the Resolv Hack, This Type of DeFi Vulnerability Has Occurred Four Times Already

marsbitDipublikasikan tanggal 2026-03-24Terakhir diperbarui pada 2026-03-24

Abstrak

An attacker exploited a compromised off-chain signing key in the stablecoin protocol Resolv, minting 80 million USR tokens (pegged to USD) from a $100k–$200k USDC deposit within minutes. The stolen keys allowed unlimited minting due to a design flaw—lacking a minting cap—despite multiple audits. The attacker then converted USR to its wrapped version (wstUSR) and dumped it on DEXs, netting ~11,400 ETH (~$24M). This caused USR to depeg, trading at ~$0.25. The depeg triggered a second-phase crisis: lending markets (including Morpho and Fluid/Instadapp) using wstUSR as collateral relied on hardcoded oracles that priced it near $1 instead of its real market value. Arbitrageurs bought cheap wstUSR, used it as overvalued collateral to borrow stablecoins, and amplified losses. Fluid absorbed over $10M in bad debt; Morpho had 15 vaults exposed. This incident repeats a known DeFi pattern: similar oracle failures occurred with Usual Protocol (Jan 2025), Stream Finance (Nov 2025), and Moonwell (late 2025), where mispriced collateral led to massive bad debt. Critics highlight flawed incentives in the "curator" model (e.g., Gauntlet), where third-party vault managers prioritize high yields without adequate risk controls, and protocols outsource risk management without enforcing safeguards. The root cause is systemic: over-reliance on static oracles for volatile assets and insecure off-chain infrastructure.

On a quiet Sunday morning, someone turned $100,000 into $25 million in about 17 minutes.

The target was the yield-bearing stablecoin protocol Resolv. Before Resolv paused its contracts, its dollar-pegged stablecoin, USR, had fallen to a few cents. As of this writing, USR remains severely depegged, trading at around $0.25, down more than 70% this week.

The shockwaves extended far beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day, experiencing a net outflow of over $300 million on the same day, a record single-day outflow in its history. 15 Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance all subsequently suspended USR-related markets.

The mechanism that allowed this vulnerability's losses to spread—pricing a depegged stablecoin at $1 in lending markets—is not new. This has happened at least four times in the past 14 months.

How the Vulnerability Worked

USR minting followed a two-step off-chain process: Users deposited USDC via the `requestSwap` function, and a privileged off-chain signing key, `SERVICE_ROLE`, would then finalize the amount of USR to be issued via `completeSwap`.

The contract had a minimum output limit but no maximum limit. The contract executed whatever the key holder signed.

The attacker gained access to this key through Resolv's AWS Key Management Service. They submitted two USDC deposits totaling approximately $100,000 to $200,000, then used the stolen key to authorize the minting of 80 million USR in return. On-chain data shows two transactions of 50 million USR and 30 million USR, both completed within minutes.

"The Resolv USR exploit wasn't a bug—it was a feature operating as designed. That's the problem," said on-chain analyst Vadim (@zacodil).

The SERVICE_ROLE was a regular external owned address (EOA), not a multi-signature wallet. The admin key had multi-sig protection, but the minting key did not.

"Resolv underwent 18 audits," Vadim said, "One of the findings was literally named 'Missing Cap'."

The attacker exited: They first converted the minted USR to wstUSR (a staked wrapped version) to slow the market impact, then swapped it for ETH via Curve, Uniswap, and KyberSwap. The attacker's wallet holds approximately 11,400 ETH (around $24 million). The underlying ETH and BTC collateral pools supporting the entire system remained intact as the stablecoin collapsed.

How the Contagion Spread

The Resolv exploit was effectively two events stacked on top of each other. The first was the minting exploit, the second was the failure of connected lending markets.

When USR and wstUSR crashed, every lending market that accepted them as collateral faced the same problem: their oracles were still pricing wstUSR at close to $1.

Omer Goldberg, founder of risk analysis firm Chaos Labs, documented this mechanism. His key finding: "The oracle was hardcoded, so it never repriced. wstUSR was marked at $1.13, while trading on secondary markets for around $0.63."

Traders bought wstUSR cheaply on the open market, then used it as collateral on Morpho or Fluid at the oracle price of $1.13, borrowing USDC against it and walking away.

At Fluid, the team secured short-term loans to cover 100% of the bad debt and promised to make every user whole. At Morpho, co-founder Paul Frambot stated that about 15 vaults had significant exposure, all in high-risk, long-tail collateral strategies.

Prominent curator Gauntlet stated that "a few high-yield vaults had limited exposure."

But D2 Finance directly countered this, publishing on-chain data showing Gauntlet's flagship "USDC Core Vault" had allocated $4.95 million to the wstUSR/USDC market. Goldberg later stated that Gauntlet vaults constituted 98% of the lender liquidity in that market.

Frambot said in a written response to The Defiant: "We are constantly working on how to present various risks more comprehensively. However, we don't believe the core issue here is a lack of labeling."

Frambot added: "Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they deem most suitable for a specific market. Morpho is open, permissionless infrastructure designed to outsource risk management to curators."

"It's difficult to enforce objectively 'correct' guardrails in all scenarios," Frambot said, "Imposing constraints at the protocol level also risks hindering legitimate strategies."

While the underlying protocol leaves risk management to curators, some in the industry believe the curators are not fulfilling their duty.

"I believe the curator industry is flawed by design because there is no real curation happening," Marc Zeller said on X.

At the time of publication, Resolv, Gauntlet, and Fluid had not responded to The Defiant's requests for comment.

A Recurring Failure Pattern

This is not a new type of attack. In January 2025, Usual Protocol's USD0++ was hardcoded at $1 by curator MEV Capital in a Morpho vault.

Usual then abruptly adjusted its redemption floor price to $0.87 without warning, locking lenders into the MEV Capital vault, whose utilization rate soared to 100%.

In November 2025, Stream Finance's xUSD collapsed after curators had routed USDC deposits into leverage loops backed by the synthetic stablecoin. When its oracle refused to update, an estimated $285 million to $700 million in assets were at risk on Morpho, Euler, and Silo.

Moonwell suffered two consecutive oracle failures in October and November 2025, resulting in over $5 million in bad debt combined.

What This Means for the Curator Model

Morpho's architecture outsources all risk decisions to third-party "curators," who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory is that professional firms have deeper expertise, and competition leads to better risk management, with the protocol enforcing the rules.

But curators earn fees based on the yield generated, creating an incentive to accept higher-risk, higher-yielding collateral (like yield-bearing stablecoins). The problem is that when these stablecoins depeg, the losses are borne by the depositors, not the curators.

In the Resolv incident, some curators' automated bots continued pumping funds into the affected vaults for hours after the exploit, deepening the losses.

The reason for using hardcoded oracles for yield-bearing stablecoins is to prevent unnecessary liquidations triggered by short-term volatility. But this protection only works if the stablecoin remains stable.

On-chain analytics firm Chainalysis stated in a post-mortem that real-time on-chain detection capabilities are needed.

"The on-chain smart contracts were functioning perfectly. The issue clearly lay with the broader system design and off-chain infrastructure," the analytics firm said.

Pertanyaan Terkait

QWhat was the core mechanism that allowed the Resolv exploit to cause widespread contagion across multiple DeFi lending markets?

AThe core mechanism was that the oracles in the lending markets continued to price the depegged stablecoin, wstUSR, at or near its intended $1 peg value, even after it had collapsed in value on the open market. This allowed attackers to buy the cheap stablecoin and use it as overvalued collateral to borrow other assets.

QHow did the attacker initially obtain the ability to mint a massive amount of USR tokens?

AThe attacker gained access to the `SERVICE_ROLE` signing key, which was an external private key (not a multi-sig) used to authorize the `completeSwap` function. This access was obtained through a compromise of Resolv's AWS Key Management Service.

QAccording to the article, this type of vulnerability has occurred at least four times in the past 14 months. Name one other protocols mentioned that suffered from a similar oracle pricing failure.

AThe article mentions that a similar failure occurred with Usual Protocol's USD0++ in January 2025 and with Stream Finance's xUSD in November 2025.

QWhat is the fundamental criticism of the 'curator model' used by protocols like Morpho, as highlighted by the Resolv incident?

AThe fundamental criticism is that the incentives for curators are misaligned. Curators earn fees based on the yield their vaults generate, which incentivizes them to accept higher-risk, higher-yielding collateral (like yield-bearing stablecoins). However, when those assets depeg and cause losses, the losses are borne by the depositors/lenders, not the curators.

QWhat did the post-incident analysis from Chainalysis identify as the root of the problem, rather than a smart contract bug?

AChainalysis stated that the problem was not a smart contract bug, as the contracts were 'functioning exactly as designed.' They identified the root of the problem as 'broader system design and off-chain infrastructure.'

Bacaan Terkait

Unicoin Foundation Diluncurkan, Menyelaraskan Dampak Sosial dengan Masa Depan Crypto yang Bertanggung Jawab

**Yayasan Unicoin Diluncurkan, Selaraskan Dampak Sosial dengan Masa Depan Crypto yang Bertanggung Jawab** Unicoin Inc. meluncurkan Yayasan Unicoin, sebuah organisasi berorientasi misi yang didedikasikan untuk memanfaatkan teknologi blockchain guna menciptakan dampak sosial yang berarti dan memperluas akses ke ekonomi digital. Berdasarkan inisiatif andalannya "Crypto for Good," Yayasan ini bertujuan mendemonstrasikan bagaimana cryptocurrency dapat berkontribusi pada inisiatif sosial dan ekonomi yang lebih luas. Melalui program pendidikan dan pengembangan ekosistem, Yayasan menyediakan titik masuk yang dapat diskalakan ke ekonomi digital bagi komunitas yang kurang terwakili. Pendekatan berbasis pendidikan ini berfokus pada literasi keuangan dan penciptaan kekayaan jangka panjang, serta mempercepat kewirausahaan melalui pelatihan praktis dan dukungan startup. Pembentukan Yayasan ini mencerminkan keselarasan dengan prinsip transparansi dan tata kelola yang bertanggung jawab. Yayasan akan diketuai oleh Robert Newman dan diatur oleh dewan direksi yang terdiri dari 27 investor Unicoin, memastikan keselarasan dengan komunitas. Restrukturisasi ini didukung oleh hampir 99% dari lebih dari 4.000 pemegang saham yang memberikan suara. Yayasan Unicoin diharapkan dapat memperkuat reputasi global Unicoin, memperluas komunitas, dan mendorong adopsi, sekaligus memberdayakan individu dan mendukung proyek-proyek berdampak untuk ekonomi global yang lebih inklusif dan berkelanjutan.

TheNewsCrypto10m yang lalu

Unicoin Foundation Diluncurkan, Menyelaraskan Dampak Sosial dengan Masa Depan Crypto yang Bertanggung Jawab

TheNewsCrypto10m yang lalu

Harga Bitcoin Mungkin Alami Keruntuhan Lain, Tapi Bagaimana Prognosis Jangka Panjangnya?

Harga Bitcoin baru saja mencapai rekor tertinggi baru di atas $78.000, memicu sentimen bullish di pasar crypto. Namun, analis Behdark memperingatkan bahwa kenaikan ini bisa jadi jebakan sebelum harga mengalami koreksi tajam. Pola teknis yang terbentuk menunjukkan kemungkinan penurunan menuju level support kunci. Titik resistensi utama berada di $77.000 dan $80.552, di mana penolakan bisa memicu penurunan. Jika koreksi terjadi, target pertama adalah $72.800, kemudian $67.885. Break di bawah level ini berpotensi memicu crash 10% menuju $67.677, meski masih di atas support siklus $60.000. Analis menyarankan investor untuk waspada terhadap potensi penurunan jangka pendek ini, sekaligus melihatnya sebagai peluang akumulasi sebelum kenaikan jangka panjang.

bitcoinist1j yang lalu

Harga Bitcoin Mungkin Alami Keruntuhan Lain, Tapi Bagaimana Prognosis Jangka Panjangnya?

bitcoinist1j yang lalu

Pasar Prediksi di Bawah Bias

Pasar prediksi sering disalahartikan sebagai perjudian, namun esensinya adalah alat keuangan yang memungkinkan transfer risiko dan penghargaan bagi mereka yang memiliki keunggulan informasi. Berbeda dengan perjudian murni yang bergantung pada keberuntungan, pasar prediksi—seperti poker—dapat menghasilkan keuntungan positif melalui strategi dan analisis yang tepat. Pasar ini menawarkan presisi dalam memprediksi hasil peristiwa dunia nyata, sehingga menghindari gangguan faktor makro yang sering memengaruhi pasar tradisional. Kritik terhadap pasar prediksi sering kali mengabaikan perannya dalam lindung nilai risiko dan efisiensi kapital. Dalam industri seperti olahraga (dengan nilai ekonomi triliunan dolar), pasar prediksi memungkinkan perusahaan mengelola eksposur risiko. Likuiditas pasar secara alami mengatur peristiwa yang relevan, mengurangi potensi insider trading pada peristiwa tidak likuid. Media arus utama sering menentang pasar prediksi karena mengancam monopoli informasi mereka. Namun, pasar ini justru mendemokratisasi akses informasi, memberikan insentif bagi pengungkapan kebenaran, dan melawan narasi yang dikendalikan institusi. Dalam regulasi yang tepat, pasar prediksi dapat menjadi kekuatan positif untuk transparansi dan keadilan informasi.

marsbit2j yang lalu

Pasar Prediksi di Bawah Bias

marsbit2j yang lalu

Mengapa Anda Selalu Rugi di Polymarket? Karena Anda Bertaruh pada Berita, Sementara 'Tukang Perahu' Membaca Aturan

Di Polymarket, banyak trader kalah karena hanya fokus pada berita, sementara trader profesional ("车头") mempelajari aturan pasar dengan cermat seperti pengacara. Artikel ini menjelaskan mekanisme penyelesaian sengketa di Polymarket, yang melibatkan proses proposal, tantangan, diskusi di Discord, dan voting oleh pemegang token UMA. Meski mirip pengadilan tradisional, sistem Polymarket memiliki kelemahan krusial: tidak ada pemisahan antara pihak yang memutuskan dan yang memiliki kepentingan finansial, sehingga hasil voting bisa bias. Diskusi sering tidak efektif karena pengaruh kelompok dan perubahan posisi, serta hasil akhir tidak transparan tanpa penjelasan rinci. Kunci sukses di Polymarket adalah memahami aturan secara mendalam, bukan hanya memprediksi peristiwa.

marsbit2j yang lalu

Mengapa Anda Selalu Rugi di Polymarket? Karena Anda Bertaruh pada Berita, Sementara 'Tukang Perahu' Membaca Aturan

marsbit2j yang lalu

Warsh, Kambing Hitam Berikutnya Trump di Fed?

Kevin Warsh menghadapi audiensi konfirmasi sebagai calon Ketua Fed di tengah tekanan politik dari Donald Trump yang menuntut pemotongan suku bunga signifikan. Warsh, yang pernah kalah dari Powell delapan tahun lalu, mengusulkan reformasi radikal termasuk mengurangi frekuensi komunikasi Fed dan mengecilkan neraca senilai $6,7 triliun. Namun, ia terjebak dalam dilema: menuruti Trump berisiko memicu inflasi seperti era 1970-an, sedangkan menolak bisa membuatnya menjadi sasaran kemarahan politik. Proses konfirmasi Senatif juga terhambat oleh ancaman pemblokiran dari senator Republik Thom Tillis terkait investigasi kriminal terhadap Powell. Analis memperingatkan masa jabatan Warsh mungkin singkat, dengan pasar mempertanyakan kemampuannya menyeimbangkan tekanan politik dengan kredibilitas institusi.

marsbit2j yang lalu

Warsh, Kambing Hitam Berikutnya Trump di Fed?

marsbit2j yang lalu

Trading

Spot
Futures

Artikel Populer

Cara Membeli RESOLV

Selamat datang di HTX.com! Kami telah membuat pembelian Resolv (RESOLV) menjadi mudah dan nyaman. Ikuti panduan langkah demi langkah kami untuk memulai perjalanan kripto Anda.Langkah 1: Buat Akun HTX AndaGunakan alamat email atau nomor ponsel Anda untuk mendaftar akun gratis di HTX. Rasakan perjalanan pendaftaran yang mudah dan buka semua fitur.Dapatkan Akun SayaLangkah 2: Buka Beli Kripto, lalu Pilih Metode Pembayaran AndaKartu Kredit/Debit: Gunakan Visa atau Mastercard Anda untuk membeli Resolv (RESOLV) secara instan.Saldo: Gunakan dana dari saldo akun HTX Anda untuk melakukan trading dengan lancar.Pihak Ketiga: Kami telah menambahkan metode pembayaran populer seperti Google Pay dan Apple Pay untuk meningkatkan kenyamanan.P2P: Lakukan trading langsung dengan pengguna lain di HTX.Over-the-Counter (OTC): Kami menawarkan layanan yang dibuat khusus dan kurs yang kompetitif bagi para trader.Langkah 3: Simpan Resolv (RESOLV) AndaSetelah melakukan pembelian, simpan Resolv (RESOLV) di akun HTX Anda. Selain itu, Anda dapat mengirimkannya ke tempat lain melalui transfer blockchain atau menggunakannya untuk memperdagangkan mata uang kripto lainnya.Langkah 4: Lakukan trading Resolv (RESOLV)Lakukan trading Resolv (RESOLV) dengan mudah di pasar spot HTX. Cukup akses akun Anda, pilih pasangan perdagangan, jalankan trading, lalu pantau secara real-time. Kami menawarkan pengalaman yang ramah pengguna baik untuk pemula maupun trader berpengalaman.

417 Total TayanganDipublikasikan pada 2025.06.11Diperbarui pada 2025.06.11

Cara Membeli RESOLV

Diskusi

Selamat datang di Komunitas HTX. Di sini, Anda bisa terus mendapatkan informasi terbaru tentang perkembangan platform terkini dan mendapatkan akses ke wawasan pasar profesional. Pendapat pengguna mengenai harga RESOLV (RESOLV) disajikan di bawah ini.

活动图片

Kategori Populerright-arrow

Tag Populerright-arrow