Besides the Resolv Hack, This Type of DeFi Vulnerability Has Occurred Four Times Already

marsbit2026-03-24 tarihinde yayınlandı2026-03-24 tarihinde güncellendi

Özet

An attacker exploited a compromised off-chain signing key in the stablecoin protocol Resolv, minting 80 million USR tokens (pegged to USD) from a $100k–$200k USDC deposit within minutes. The stolen keys allowed unlimited minting due to a design flaw—lacking a minting cap—despite multiple audits. The attacker then converted USR to its wrapped version (wstUSR) and dumped it on DEXs, netting ~11,400 ETH (~$24M). This caused USR to depeg, trading at ~$0.25. The depeg triggered a second-phase crisis: lending markets (including Morpho and Fluid/Instadapp) using wstUSR as collateral relied on hardcoded oracles that priced it near $1 instead of its real market value. Arbitrageurs bought cheap wstUSR, used it as overvalued collateral to borrow stablecoins, and amplified losses. Fluid absorbed over $10M in bad debt; Morpho had 15 vaults exposed. This incident repeats a known DeFi pattern: similar oracle failures occurred with Usual Protocol (Jan 2025), Stream Finance (Nov 2025), and Moonwell (late 2025), where mispriced collateral led to massive bad debt. Critics highlight flawed incentives in the "curator" model (e.g., Gauntlet), where third-party vault managers prioritize high yields without adequate risk controls, and protocols outsource risk management without enforcing safeguards. The root cause is systemic: over-reliance on static oracles for volatile assets and insecure off-chain infrastructure.

On a quiet Sunday morning, someone turned $100,000 into $25 million in about 17 minutes.

The target was the yield-bearing stablecoin protocol Resolv. Before Resolv paused its contracts, its dollar-pegged stablecoin, USR, had fallen to a few cents. As of this writing, USR remains severely depegged, trading at around $0.25, down more than 70% this week.

The shockwaves extended far beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day, experiencing a net outflow of over $300 million on the same day, a record single-day outflow in its history. 15 Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance all subsequently suspended USR-related markets.

The mechanism that allowed this vulnerability's losses to spread—pricing a depegged stablecoin at $1 in lending markets—is not new. This has happened at least four times in the past 14 months.

How the Vulnerability Worked

USR minting followed a two-step off-chain process: Users deposited USDC via the `requestSwap` function, and a privileged off-chain signing key, `SERVICE_ROLE`, would then finalize the amount of USR to be issued via `completeSwap`.

The contract had a minimum output limit but no maximum limit. The contract executed whatever the key holder signed.

The attacker gained access to this key through Resolv's AWS Key Management Service. They submitted two USDC deposits totaling approximately $100,000 to $200,000, then used the stolen key to authorize the minting of 80 million USR in return. On-chain data shows two transactions of 50 million USR and 30 million USR, both completed within minutes.

"The Resolv USR exploit wasn't a bug—it was a feature operating as designed. That's the problem," said on-chain analyst Vadim (@zacodil).

The SERVICE_ROLE was a regular external owned address (EOA), not a multi-signature wallet. The admin key had multi-sig protection, but the minting key did not.

"Resolv underwent 18 audits," Vadim said, "One of the findings was literally named 'Missing Cap'."

The attacker exited: They first converted the minted USR to wstUSR (a staked wrapped version) to slow the market impact, then swapped it for ETH via Curve, Uniswap, and KyberSwap. The attacker's wallet holds approximately 11,400 ETH (around $24 million). The underlying ETH and BTC collateral pools supporting the entire system remained intact as the stablecoin collapsed.

How the Contagion Spread

The Resolv exploit was effectively two events stacked on top of each other. The first was the minting exploit, the second was the failure of connected lending markets.

When USR and wstUSR crashed, every lending market that accepted them as collateral faced the same problem: their oracles were still pricing wstUSR at close to $1.

Omer Goldberg, founder of risk analysis firm Chaos Labs, documented this mechanism. His key finding: "The oracle was hardcoded, so it never repriced. wstUSR was marked at $1.13, while trading on secondary markets for around $0.63."

Traders bought wstUSR cheaply on the open market, then used it as collateral on Morpho or Fluid at the oracle price of $1.13, borrowing USDC against it and walking away.

At Fluid, the team secured short-term loans to cover 100% of the bad debt and promised to make every user whole. At Morpho, co-founder Paul Frambot stated that about 15 vaults had significant exposure, all in high-risk, long-tail collateral strategies.

Prominent curator Gauntlet stated that "a few high-yield vaults had limited exposure."

But D2 Finance directly countered this, publishing on-chain data showing Gauntlet's flagship "USDC Core Vault" had allocated $4.95 million to the wstUSR/USDC market. Goldberg later stated that Gauntlet vaults constituted 98% of the lender liquidity in that market.

Frambot said in a written response to The Defiant: "We are constantly working on how to present various risks more comprehensively. However, we don't believe the core issue here is a lack of labeling."

Frambot added: "Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they deem most suitable for a specific market. Morpho is open, permissionless infrastructure designed to outsource risk management to curators."

"It's difficult to enforce objectively 'correct' guardrails in all scenarios," Frambot said, "Imposing constraints at the protocol level also risks hindering legitimate strategies."

While the underlying protocol leaves risk management to curators, some in the industry believe the curators are not fulfilling their duty.

"I believe the curator industry is flawed by design because there is no real curation happening," Marc Zeller said on X.

At the time of publication, Resolv, Gauntlet, and Fluid had not responded to The Defiant's requests for comment.

A Recurring Failure Pattern

This is not a new type of attack. In January 2025, Usual Protocol's USD0++ was hardcoded at $1 by curator MEV Capital in a Morpho vault.

Usual then abruptly adjusted its redemption floor price to $0.87 without warning, locking lenders into the MEV Capital vault, whose utilization rate soared to 100%.

In November 2025, Stream Finance's xUSD collapsed after curators had routed USDC deposits into leverage loops backed by the synthetic stablecoin. When its oracle refused to update, an estimated $285 million to $700 million in assets were at risk on Morpho, Euler, and Silo.

Moonwell suffered two consecutive oracle failures in October and November 2025, resulting in over $5 million in bad debt combined.

What This Means for the Curator Model

Morpho's architecture outsources all risk decisions to third-party "curators," who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory is that professional firms have deeper expertise, and competition leads to better risk management, with the protocol enforcing the rules.

But curators earn fees based on the yield generated, creating an incentive to accept higher-risk, higher-yielding collateral (like yield-bearing stablecoins). The problem is that when these stablecoins depeg, the losses are borne by the depositors, not the curators.

In the Resolv incident, some curators' automated bots continued pumping funds into the affected vaults for hours after the exploit, deepening the losses.

The reason for using hardcoded oracles for yield-bearing stablecoins is to prevent unnecessary liquidations triggered by short-term volatility. But this protection only works if the stablecoin remains stable.

On-chain analytics firm Chainalysis stated in a post-mortem that real-time on-chain detection capabilities are needed.

"The on-chain smart contracts were functioning perfectly. The issue clearly lay with the broader system design and off-chain infrastructure," the analytics firm said.

İlgili Sorular

QWhat was the core mechanism that allowed the Resolv exploit to cause widespread contagion across multiple DeFi lending markets?

AThe core mechanism was that the oracles in the lending markets continued to price the depegged stablecoin, wstUSR, at or near its intended $1 peg value, even after it had collapsed in value on the open market. This allowed attackers to buy the cheap stablecoin and use it as overvalued collateral to borrow other assets.

QHow did the attacker initially obtain the ability to mint a massive amount of USR tokens?

AThe attacker gained access to the `SERVICE_ROLE` signing key, which was an external private key (not a multi-sig) used to authorize the `completeSwap` function. This access was obtained through a compromise of Resolv's AWS Key Management Service.

QAccording to the article, this type of vulnerability has occurred at least four times in the past 14 months. Name one other protocols mentioned that suffered from a similar oracle pricing failure.

AThe article mentions that a similar failure occurred with Usual Protocol's USD0++ in January 2025 and with Stream Finance's xUSD in November 2025.

QWhat is the fundamental criticism of the 'curator model' used by protocols like Morpho, as highlighted by the Resolv incident?

AThe fundamental criticism is that the incentives for curators are misaligned. Curators earn fees based on the yield their vaults generate, which incentivizes them to accept higher-risk, higher-yielding collateral (like yield-bearing stablecoins). However, when those assets depeg and cause losses, the losses are borne by the depositors/lenders, not the curators.

QWhat did the post-incident analysis from Chainalysis identify as the root of the problem, rather than a smart contract bug?

AChainalysis stated that the problem was not a smart contract bug, as the contracts were 'functioning exactly as designed.' They identified the root of the problem as 'broader system design and off-chain infrastructure.'

İlgili Okumalar

If You’re Waiting For The Bitcoin Bottom, This Pundit Says You Should Be Looking At This Quarter

Bitcoin is currently testing the $60,000 support level, with market sentiment in "extreme fear." Crypto analyst Ardi points to a historical pattern where Bitcoin has bottomed in the fourth quarter during previous bear market cycles (e.g., November 2014, December 2018, November 2022). Given that it's only the second quarter of 2026, this suggests the current correction may not yet be over. The current correction is 245 days old, shorter than previous cycles. Other analysts like Benjamin Cowen, Ali Martinez, and CryptoQuant also align on a late 2026 bottom (around October-December), citing cycle durations and technical indicators. BTC is currently trading near $63,000, down over 6% in 24 hours and at risk of breaking below $60,000 due to ongoing ETF outflows.

bitcoinist3 dk önce

If You’re Waiting For The Bitcoin Bottom, This Pundit Says You Should Be Looking At This Quarter

bitcoinist3 dk önce

Should You Buy SpaceX Stock at $1.7 Trillion? Here's What the Market Is Worried About

SpaceX is preparing for a massive IPO aiming to raise around $75 billion at a valuation of approximately $1.75 trillion. While its achievements in reusable rockets and the profitable Starlink satellite internet service are clear, the market is concerned about the aggressive valuation. Key issues include: the current $1.75 trillion valuation, which is about 94 times 2025 revenue, seems to price in not just existing businesses but also unproven future ventures like AI infrastructure and orbital data centers. Financially, while Starlink is profitable, the AI division, bolstered by the acquisition of xAI, is incurring massive losses and consuming the majority of capital expenditures. This acquisition also introduced complex related-party financing arrangements and debt onto SpaceX's balance sheet. Furthermore, corporate governance poses a challenge. SpaceX's dual-class share structure ensures founder Elon Musk retains absolute control, limiting ordinary shareholders' influence over high-risk, long-term strategic decisions. The future success of ambitious projects like the Starship rocket—critical for lowering costs and enabling new services—remains a significant variable for the valuation. In summary, the market's apprehension (FUD) centers not on doubting SpaceX's past technological triumphs but on questioning how much premium public investors should pay for a future that combines proven profits with highly speculative and capital-intensive new ventures, all under a governance structure that offers limited shareholder oversight.

marsbit13 dk önce

Should You Buy SpaceX Stock at $1.7 Trillion? Here's What the Market Is Worried About

marsbit13 dk önce

Breaking the DeFi Cascading Liquidation Curse: Vitalik Proposes a New Solution

Vitalik Buterin has proposed a new DeFi design to eliminate the automatic liquidation mechanism that causes market instability during sharp downturns. The current system, used by protocols like Aave, triggers forced sales when collateral value falls below a threshold, often exacerbating price drops and creating systemic selling pressure. Buterin's alternative model is based on splitting an asset like ETH into two synthetic option-like tokens, P and N, pegged to a price index. Their combined value always equals one ETH. Instead of sudden liquidation, a position's value gradually drifts from its target peg if the market moves. Users must proactively rebalance their holdings to maintain their desired exposure, transferring the management burden from the protocol to the user or automated tools. A key advantage is the reduced reliance on real-time oracles. Pricing decisions are deferred until contract expiry, allowing for more robust, fault-tolerant oracle designs. This removes a clear liquidation threshold that speculators can target for manipulation or MEV extraction. However, significant challenges remain. Frequent rebalancing could incur high slippage and transaction costs, necessitating new liquidity provider models. The design is better suited for hedging instruments than for stablecoins requiring a rigid 1:1 peg. While not an immediate replacement for existing systems, the proposal challenges the foundational assumption that instantaneous forced liquidation is an unavoidable necessity in DeFi, opening the door for fundamentally different risk management architectures.

marsbit18 dk önce

Breaking the DeFi Cascading Liquidation Curse: Vitalik Proposes a New Solution

marsbit18 dk önce

The End of Single-Factor Cryptography

The article "The End of Single-Factor Crypto" posits a fundamental shift in the cryptocurrency ecosystem. It argues the era where crypto asset valuations were predominantly driven by, and correlated with, Bitcoin's price is ending. The space is bifurcating into two distinct economies: endogenous and exogenous. The endogenous economy represents traditional crypto, where token and project values are directly tied to crypto market prices. The emerging exogenous economy comprises projects and businesses that may utilize blockchain technology or tokens but derive their fundamental value from external, non-crypto factors like consumer demand, subscription revenue, or real-world utility. Examples include AI inference platforms like Venice, fintech lenders using blockchain for efficiency, and stablecoin/payment infrastructure companies acquired by giants like Mastercard and Stripe. This shift means investment analysis must change. For exogenous assets, evaluating traditional business fundamentals—such as revenue streams, unit economics, and competitive moats—becomes more critical than tracking Bitcoin charts. While endogenous assets like Bitcoin remain relevant, the growth of the exogenous category is driven by measurable demand independent of crypto price cycles, paving the way for a new, more diversified market phase. Consequently, crypto is evolving from a single-factor, reflexive asset class into a multifaceted ecosystem with varied drivers and investment theses.

marsbit18 dk önce

marsbit18 dk önce

Morning Post | Bitmine Plans to Raise $300 Million Through Preferred Stock Issuance; Polymarket Accuses Kalshi of Commercial Espionage

ChainCatcher's Daily Crypto Brief: Key developments from the past 24 hours include significant funding moves, regulatory actions, and market predictions. Bitmine announced a $300 million preferred stock fundraising. Polymarket accused rival prediction platform Kalshi of corporate espionage, citing numerous suspicious coincidences in product launches, a claim Kalshi strongly denied. The U.S. Department of Justice, in a joint "Disruption Week" anti-fraud operation with companies like Coinbase and Meta, froze over $3.8 million in cryptocurrency linked to scams. In infrastructure news, Macau completed its integration with the multi-central bank digital currency bridge, mBridge, aiming to build efficient cross-border payment channels. Cosmos Labs acquired the block explorer Mintscan. Market-wise, Geoffrey Kendrick, Standard Chartered's Head of Digital Assets Research, stated Bitcoin is nearing a bottom around $63,000, maintaining a year-end target of $100,000. He noted stability in U.S. spot Bitcoin ETF holdings. Ahead of SpaceX's anticipated IPO, internal insiders at Rocket Lab (RKLB) sold over $18.41 million in stock. In tokenization, Goldman Sachs partnered with Apex and Archax to launch a tokenized real estate fund. The meme token tracker GMGN reported the top trending tokens: on Ethereum, HEX, SHIB, LINK, PEPE, mUSD; on Solana, TROLL, swarms, WORLDCUP, neet, Buttcoin; and on Base, PEPE, toby, ODDS, ELSA, SKI.

链捕手32 dk önce

Morning Post | Bitmine Plans to Raise $300 Million Through Preferred Stock Issuance; Polymarket Accuses Kalshi of Commercial Espionage

链捕手32 dk önce

İşlemler

Spot

Futures

Popüler Makaleler

RESOLV Nasıl Satın Alınır

HTX.com’a hoş geldiniz! Resolv (RESOLV) satın alma işlemlerini basit ve kullanışlı bir hâle getirdik. Adım adım açıkladığımız rehberimizi takip ederek kripto yolculuğunuza başlayın. 1. Adım: HTX Hesabınızı OluşturunHTX'te ücretsiz bir hesap açmak için e-posta adresinizi veya telefon numaranızı kullanın. Sorunsuzca kaydolun ve tüm özelliklerin kilidini açın. Hesabımı Aç2. Adım: Kripto Satın Al Bölümüne Gidin ve Ödeme Yönteminizi SeçinKredi/Banka Kartı: Visa veya Mastercard'ınızı kullanarak anında Resolv (RESOLV) satın alın.Bakiye: Sorunsuz bir şekilde işlem yapmak için HTX hesap bakiyenizdeki fonları kullanın.Üçüncü Taraflar: Kullanımı kolaylaştırmak için Google Pay ve Apple Pay gibi popüler ödeme yöntemlerini ekledik.P2P: HTX'teki diğer kullanıcılarla doğrudan işlem yapın.Borsa Dışı (OTC): Yatırımcılar için kişiye özel hizmetler ve rekabetçi döviz kurları sunuyoruz.3. Adım: Resolv (RESOLV) Varlıklarınızı SaklayınResolv (RESOLV) satın aldıktan sonra HTX hesabınızda saklayın. Alternatif olarak, blok zinciri transferi yoluyla başka bir yere gönderebilir veya diğer kripto para birimlerini takas etmek için kullanabilirsiniz.4. Adım: Resolv (RESOLV) Varlıklarınızla İşlem YapınHTX'in spot piyasasında Resolv (RESOLV) ile kolayca işlemler yapın.Hesabınıza erişin, işlem çiftinizi seçin, işlemlerinizi gerçekleştirin ve gerçek zamanlı olarak izleyin. Hem yeni başlayanlar hem de deneyimli yatırımcılar için kullanıcı dostu bir deneyim sunuyoruz.

276 Toplam GörüntülenmeYayınlanma 2025.06.11Güncellenme 2026.06.02

Tartışmalar

HTX Topluluğuna hoş geldiniz. Burada, en son platform gelişmeleri hakkında bilgi sahibi olabilir ve profesyonel piyasa görüşlerine erişebilirsiniz. Kullanıcıların RESOLV (RESOLV) fiyatı hakkındaki görüşleri aşağıda sunulmaktadır.