Key Insights:
- The Resolv Labs exploit gave an attacker 72 hours to refund money and retain 10% per the terms.
- Attacker minted 80 million USR and exchanged assets and proceeds of more than 11000 ETH.
- USR depeg reactions on related platforms triggered liquidations and outflows on DeFi.
Resolv Labs exploit developments moved into a recovery phase after the stablecoin protocol sent an onchain ultimatum to the attacker behind Sunday’s $25 million breach, offering a conditional settlement tied to the return of most of the stolen assets.
Ultimatum Gives 72-Hour Settlement and Disclosure Alternative.
In an onchain message published Monday, Resolv said the exploiter could keep 10% of the funds if 90% was transferred to a designated recovery address within 72 hours. The proposal covered roughly $22.5 million in ether, along with any remaining USR tokens still under the attacker’s control.
However, Resolv also outlined a separate disclosure route for anyone seeking to present the incident as security research, while warning that failure to comply by Thursday would trigger a broader enforcement and tracing effort involving exchanges, infrastructure providers, analytics firms, law enforcement, and legal action.
The incident began early Sunday, March 22, when an attacker exploited a vulnerability in the protocol’s minting system to create tens of millions of unbacked USR, then converted the proceeds into ether.
Resolv Labs Exploit Terms Include Settlement and Disclosure Option
The onchain message laid out two paths. Under the first, the attacker would return 90% of the converted assets within the stated deadline and keep the remaining 10%. Resolv identified a recovery address for the transfer and specified that the returned assets should include ether and any USR still held by the attacker.
The second path focused on disclosure. Resolv said the attacker could demonstrate good-faith security research by contacting the protocol via email rather than proceeding under the settlement structure.
Nevertheless, these steps would include coordination with centralized exchanges, bridges, and infrastructure providers to freeze or restrict assets linked to the exploit. The protocol also said it would publicly disclose wallet addresses and transaction traces, engage blockchain analytics firms, involve law enforcement, and pursue legal claims to recover damages.
How the Breach Was Executed on March 22
The Resolv Labs exploit began when the attacker deposited about $200,000 in USDC into Resolv’s USR Counter contract. In return, the wallet received 50 million USR. A second transaction minted another 30 million USR, bringing the total created during the exploit to 80 million USR.
Source: etherscan.io
After minting the tokens, the attacker swapped USR for stablecoins on decentralized exchanges. The proceeds were later converted into 11,409 ETH, according to the onchain data cited in the incident summary.
Resolv said in its communication that the exploit was enabled by a protocol vulnerability but carried out with clear malicious intent. The protocol added that the attack generated unbacked tokens, a factor it said could affect the secondary market’s stability.
Technical Findings Point to Single-Account Mint Authority
Analysts who reviewed the breach said the attack originated from a privileged minting role controlled by a single externally owned account. According to the findings provided, that role did not have a maximum mint cap, oracle checks, or multi-signature authorization.
Those missing controls allowed the attacker to mint large volumes of USR without the additional safeguards that might have blocked or limited the transactions. The exploit, therefore, centered on the protocol’s internal permission structure rather than a broader market event.
Additionally, Resolv Digital Assets Ltd. said it is in contact with all allowlisted users who held USR at the time of the incident. The company added that redemptions for pre-incident USR have now been enabled for that group.
The protocol said further updates for other users would follow. No additional timetable was included in the information provided, but the communication indicated that user-specific handling was already underway for the allowlisted group.
DeFi Fallout Included Liquidations, Outflows, and Depeg Concerns
Beyond the direct loss, the Resolv Labs exploit led to market effects across connected DeFi platforms. Pearl said the USR depeg had “opened a Pandora’s box” and reported that the event triggered about $180 million in liquidations on lending protocol Morpho. He also said lending and liquidity platform Fluid saw around $334 million in outflows.
Pearl described the broader spillover as limited overall, while also saying the event had unsettled stablecoin platforms. According to his remarks, many stablecoin issuers had reacted with concern after the exploit. He also stated that, as DeFi increasingly ties into stablecoins, a major failure at the stablecoin layer can have consequences beyond a single protocol.
The incident also brought back memories of the Terra ecosystem collapse in 2022. The information provided linked the USR event to industry memories of Terra USD’s death spiral, which erased tens of billions of dollars in value and reshaped how stablecoin risks were viewed.
