
Resolv Hack: How One Leaked Private Key Led to $23 Million in Unauthorized Minting
Author: Chainalysis
Translation: AididiaoJP, Foresight News
On March 22, 2026, the Resolv DeFi protocol became the latest example illustrating how rapidly crises can unfold in DeFi when security assumptions fail. Within minutes, an attacker minted tens of millions of undercollateralized Resolv stablecoins (USR), extracting approximately $25 million in value—causing USR to sharply depeg and forcing the protocol to halt operations.
At first glance, this appears to be another smart contract vulnerability incident. But it is not. The code executed precisely as designed.
In reality, this was an incident caused by excessive trust in off-chain infrastructure. As DeFi systems grow increasingly complex—and rely more heavily on external services, privileged keys, and cloud infrastructure—their attack surface has expanded far beyond the blockchain itself.
This article reconstructs the incident and its impact, then explores a critical insight: When off-chain components are compromised, only real-time on-chain threat detection and response mechanisms can serve as the vital last line of defense—distinguishing between controllable incidents and exploits costing millions of dollars.
Incident Summary
The attacker first deposited a relatively small amount of funds (approximately $100,000–$200,000 in USDC) and interacted with Resolv’s USR stablecoin minting system. Under normal circumstances, users receive an equivalent amount of USR upon depositing USDC. In this case, however, the attacker successfully minted roughly 80 million USR tokens—far exceeding the amount reasonably justified by their deposit.
This occurred because the minting approval step relied on an off-chain service that used a privileged private key to authorize the quantity of USR minted. Crucially, the smart contract itself imposed no upper limit on minting volume—it merely validated the signature’s authenticity.
After minting the unbacked USR, the attacker quickly converted them into the staked version, wstUSR, then gradually exchanged those for other stablecoins, ultimately withdrawing ETH. By the time the attack concluded, the attacker had extracted approximately $25 million worth of ETH. The sudden flood of unbacked USR onto the market caused the token’s price to plummet roughly 80%.
Having established the outcome, we now analyze how design flaws in the minting mechanism enabled this attack.
Normal USR Minting Flow in Resolv
To understand the root cause of this attack, one must first grasp Resolv’s minting mechanism design.
When users wish to mint Resolv’s native token USR, they do not interact with a fully autonomous on-chain mechanism. Instead, minting proceeds through a two-step off-chain process:
- requestSwap — Users deposit USDC into the USR Counter contract and initiate a minting request.
- completeSwap — An off-chain service controlled by a privileged private key, designated SERVICE_ROLE, reviews the request and determines the final USR minting amount via a callback to the contract.
The contract only defines a minimum output amount for USR, but imposes no upper limit. There is no on-chain validation of the ratio between collateral deposited and USR minted; nor are price oracles, total supply caps, or maximum mint ratios integrated. In short, any quantity signed by that key is executable.
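The gap described above, modelled in Python as an added example (this is not Resolv's contract code): the first function applies only the role check and minimum output the article describes, the second adds a ceiling tied to the deposit. The function names, the 18-decimal USR unit, the replay flag and the 1% tolerance are assumptions made for the illustration.

```python
# Added illustration: a Python model of the completeSwap check, not Resolv's code.
from dataclasses import dataclass

USDC_DECIMALS = 6        # USDC uses 6 decimals
USR_DECIMALS = 18        # assumed for this model
MAX_BPS_OVER_PAR = 100   # assumed policy: mint at most 1% above 1:1


class SwapError(Exception):
    pass


@dataclass
class SwapRequest:
    deposit_usdc: int        # raw USDC units deposited in requestSwap
    min_usr_out: int         # raw USR units, the only bound the article mentions
    completed: bool = False  # replay guard, assumed by this model


def par_usr(deposit_usdc: int) -> int:
    """Raw USR amount equal to the deposit at 1:1, after decimal scaling."""
    return deposit_usdc * 10 ** (USR_DECIMALS - USDC_DECIMALS)


def complete_swap_as_described(req, usr_out, has_service_role):
    """Role check plus a minimum only: any larger amount is accepted."""
    if not has_service_role:
        raise SwapError("caller lacks SERVICE_ROLE")
    if req.completed:
        raise SwapError("request already completed")
    if usr_out < req.min_usr_out:
        raise SwapError("below minimum output")
    req.completed = True
    return usr_out  # amount minted


def complete_swap_bounded(req, usr_out, has_service_role):
    """Same checks, preceded by an upper bound derived from the collateral."""
    ceiling = par_usr(req.deposit_usdc) * (10_000 + MAX_BPS_OVER_PAR) // 10_000
    if usr_out > ceiling:
        raise SwapError("output exceeds collateral-backed ceiling")
    return complete_swap_as_described(req, usr_out, has_service_role)
```

With the bound in place, a compromised signing key can still complete swaps, but each mint is limited by the collateral actually deposited.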
Attack Step-by-Step Breakdown
Step 1: Gaining Access to Resolv’s AWS KMS Environment
The attacker breached Resolv’s cloud infrastructure and gained access to its AWS Key Management Service (KMS) environment, where the protocol’s privileged signing key was stored. Once in control of the KMS environment, the attacker could use Resolv’s own minting key to authorize arbitrary minting operations.
Step 2: Minting USR Tokens
After obtaining the signing key, the attacker initiated two swap requests backed by modest USDC deposits, totaling approximately $100,000–$200,000 across multiple transactions. The attacker then invoked the completeSwap function using the SERVICE_ROLE key and specified inflated output amounts, authorizing the minting of tens of millions of USR while depositing only a small amount of USDC.
Two primary on-chain transactions were identified:
- A 50-million-USR minting transaction
- A 30-million-USR minting transaction
Together, these minted 80 million USR tokens—valued at approximately $25 million.
Step 3: Bypassing Liquidity Constraints via wstUSR
The attacker then converted USR into wstUSR. wstUSR is a derivative token representing shares in a staking pool, whose value does not maintain a fixed peg to USR. By converting funds into wstUSR, the attacker avoided directly impacting the USR market and instead shifted positions into a relatively illiquid yet more fungible asset form.
Step 4: Cashing Out and Exiting
Holding wstUSR, the attacker further exchanged it for stablecoins, then for ETH—leveraging multiple decentralized exchange liquidity pools and cross-chain bridges to maximize extraction and complicate fund tracing.
As of this writing, the attacker’s address still holds:
- Approximately 11,400 ETH (valued at ~$24 million)
- Approximately 20 million wstUSR (valued at ~$1.3 million at the post-depeg price)
Impact on USR Holders
This incident directly and severely impacted USR holders.
The newly minted 80 million unbacked USR tokens entered decentralized exchange liquidity pools. With supply surging, USR’s dollar peg collapsed rapidly—falling as low as $0.20 (an 80% drop), before recovering slightly to around $0.56 within hours.
Following the incident, Resolv Labs issued a statement pausing all protocol functionality to prevent further losses and launching an investigation into the breach. Given that the attacker continued attempting additional USR mints, the urgency of immediate action to contain losses was self-evident—underscoring the extreme importance of rapid response capabilities against such attacks.
Robust Security Philosophy Must Be Built on “Assume Breach”
Although Resolv implemented all standard security measures—including up to 18 security audits—the hack, at its core, tells a simple story: the attacker obtained the key, used it to mint assets illicitly, and cashed out before stakeholders detected the breach.
Yet at a deeper level, this incident reveals how DeFi protocols inherit the security assumptions—and inherent risks—of the off-chain infrastructure they depend on. The on-chain smart contracts executed exactly as designed, while the overall system architecture—and the compromised off-chain infrastructure—failed to meet corresponding security standards.
With exploit windows often measured in minutes—and with no time for reactive measures once losses manifest—real-time monitoring and automated response mechanisms are no longer optional enhancements. They are essential safeguards.
Hexagate Prevention Case Study
The Resolv hack vividly illustrates the precise scenario for which real-time on-chain monitoring mechanisms like Chainalysis Hexagate are designed. Had Hexagate been deployed, the following two detection approaches could have prevented or mitigated the attack:
Solution 1: Monitoring for Anomalous Minting Events
By configuring monitoring systems like Hexagate to observe calls to the completeSwap function, operators could flag cases where the quantity of USR minted bears no reasonable proportion to the collateral deposited.
For instance, authorizing 50 million USR to be minted against a $100,000 USDC deposit represents an extreme anomaly—far outside any legitimate user’s operational range. Setting an alert rule—for example, triggering when the minting ratio exceeds normal values by 1.5×—would have flagged both major transactions immediately.
Hexagate’s customizable monitoring could have triggered automated responses upon detecting anomalous behavior exploiting Resolv’s minting logic.
Solution 2: Integrating GateSigner with Custom Logic to Control Critical Contract Events
The attacker had to execute both requestSwap and completeSwap sequentially—each step generating on-chain events. By combining Hexagate’s GateSigner functionality with contract event monitoring, operators could have configured automatic contract pausing upon detection of anomalous Mint events—blocking the 80 million USR from entering public markets before any funds were withdrawn.
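A sketch of the rule behind Solution 1 and the pause trigger behind Solution 2, as an added Python example (not Hexagate's API and not code from the original article): it pairs each completion with its request, flags mints above 1.5× the normal 1:1 ratio or with no matching deposit, and calls a pause hook on the first anomaly. The event names and fields, the USR decimals and the `pause` callable are assumptions, and the sample stream is constructed.

```python
# Added example: mint-ratio detector over constructed swap events.
from decimal import Decimal

USDC_UNIT = Decimal(10) ** 6      # USDC has 6 decimals
USR_UNIT = Decimal(10) ** 18      # assumed USR decimals
BASELINE_RATIO = Decimal("1.0")   # normal flow: 1 USR per 1 USDC
ALERT_MULTIPLE = Decimal("1.5")   # threshold used in the article's example


def scan(events, pause=None):
    """Return alerts for completions whose mint is out of proportion."""
    deposits, alerts = {}, []
    for ev in events:
        if ev["event"] == "SwapRequested":        # hypothetical event name
            deposits[ev["id"]] = Decimal(ev["usdc"]) / USDC_UNIT
        elif ev["event"] == "SwapCompleted":      # hypothetical event name
            minted = Decimal(ev["usr"]) / USR_UNIT
            deposit = deposits.pop(ev["id"], None)
            reason, ratio = None, None
            if not deposit:                       # no request seen, or zero deposit
                reason = "unbacked"
            else:
                ratio = minted / deposit
                if ratio > BASELINE_RATIO * ALERT_MULTIPLE:
                    reason = "ratio"
            if reason:
                alerts.append({"id": ev["id"], "reason": reason, "ratio": ratio})
                if pause is not None and len(alerts) == 1:
                    pause(ev["id"])               # fire once, on the first anomaly
    return alerts


# Constructed sample stream (not real transaction data)
SAMPLE = [
    {"event": "SwapRequested", "id": 1, "usdc": 5_000 * 10**6},
    {"event": "SwapCompleted", "id": 1, "usr": 5_000 * 10**18},
    {"event": "SwapRequested", "id": 2, "usdc": 100_000 * 10**6},
    {"event": "SwapCompleted", "id": 2, "usr": 50_000_000 * 10**18},
    {"event": "SwapCompleted", "id": 9, "usr": 1_000_000 * 10**18},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, pause=lambda rid: print("pause requested by", rid)):
        print(alert)
```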














