Besides the Resolv Hack, This Type of DeFi Vulnerability Has Occurred Four Times Already
An attacker exploited a compromised off-chain signing key in the stablecoin protocol Resolv, minting 80 million USR tokens (pegged to USD) from a $100k–$200k USDC deposit within minutes. The stolen keys allowed unlimited minting due to a design flaw—lacking a minting cap—despite multiple audits. The attacker then converted USR to its wrapped version (wstUSR) and dumped it on DEXs, netting ~11,400 ETH (~$24M). This caused USR to depeg, trading at ~$0.25.
The depeg triggered a second-phase crisis: lending markets (including Morpho and Fluid/Instadapp) using wstUSR as collateral relied on hardcoded oracles that priced it near $1 instead of its real market value. Arbitrageurs bought cheap wstUSR, used it as overvalued collateral to borrow stablecoins, and amplified losses. Fluid absorbed over $10M in bad debt; Morpho had 15 vaults exposed.
This incident repeats a known DeFi pattern: similar oracle failures occurred with Usual Protocol (Jan 2025), Stream Finance (Nov 2025), and Moonwell (late 2025), where mispriced collateral led to massive bad debt. Critics highlight flawed incentives in the "curator" model (e.g., Gauntlet), where third-party vault managers prioritize high yields without adequate risk controls, and protocols outsource risk management without enforcing safeguards. The root cause is systemic: over-reliance on static oracles for volatile assets and insecure off-chain infrastructure.
marsbit03/24 12:10
