
Besides the Resolv hack, this type of DeFi vulnerability has occurred four times already.
17 minutes: 100,000 turned into 25 million.
Author: The Defiant
Translation & Compilation: TechFlow
TechFlow Insight: This article is not merely a post-mortem of the Resolv exploit—it highlights something far more troubling: the same attack pattern—hardcoding oracles to price de-pegged stablecoins at $1—has occurred at least four times over the past 14 months. The issue is not a technical bug, but a fundamental flaw in the curator model’s incentive structure: depositors bear the risk, while curators capture the rewards.
Full Text Below:
On a quiet Sunday morning, someone turned $100,000 into $25 million in roughly 17 minutes.
The target was Resolv, a yield-bearing stablecoin protocol. Before Resolv paused its contracts, its dollar-pegged stablecoin USR had plummeted to just a few cents. As of this writing, USR remains severely de-pegged, trading around $0.25—a drop of over 70% this week.
The shockwaves extended well beyond Resolv itself. Fluid/Instadapp absorbed over $10 million in bad debt in a single day and suffered over $300 million in net outflows—the largest single-day outflow in its history. Fifteen Morpho vaults were impacted. Euler, Venus, Lista DAO, and Inverse Finance all suspended USR-related markets.

The mechanism that enabled the exploit’s contagion—pricing de-pegged stablecoins at $1 in lending markets—is nothing new. It has occurred at least four times over the past 14 months.
How the Exploit Worked
USR minting is a two-step process with an off-chain approver: a user deposits USDC on-chain by calling requestSwap, and a privileged off-chain signing key, SERVICE_ROLE, finalizes the number of USR tokens minted by calling completeSwap. The contract enforces a minimum output threshold (the user's slippage floor) but no upper limit, so the amount minted is not bounded by the USDC actually deposited. Whatever the key holder signs, the contract executes.
The attacker gained access to this key through Resolv’s AWS Key Management Service. They submitted two USDC deposits totaling approximately $100,000–$200,000, then used the stolen key to authorize the minting of 80 million USR in return. On-chain data shows two transactions minting 50 million and 30 million USR respectively—both completed within minutes.
“The Resolv USR exploit isn’t a bug—it’s a feature working exactly as designed. That’s precisely the problem,” said on-chain analyst Vadim (@zacodil).
The SERVICE_ROLE is held by an ordinary externally owned account (EOA), not a multisig. The admin keys are protected by a multisig; the minting key is not.
“Resolv underwent 18 audits,” Vadim noted, “and one of the findings was literally titled ‘Missing Upper Limit.’”
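To make the "Missing Upper Limit" finding concrete, here is an added example, written for this page rather than taken from Resolv's contracts, that models the requestSwap/completeSwap flow in Python. The function names and the SERVICE_ROLE name come from the article; the storage layout, the HMAC used as a stand-in for an on-chain signature check, and the per-deposit rate cap in the hardened path are assumptions. With max_rate_bps=None the contract checks only the user's minimum, so anyone holding the SERVICE_ROLE key can turn a $100,000 deposit into 50 million USR; with a cap tied to the USDC actually deposited, the same signed completion is rejected.

```python
# Added example (not Resolv's contract): a toy model of a two-step swap whose
# second step is authorised by one off-chain signer. The names requestSwap,
# completeSwap and SERVICE_ROLE come from the article; the storage layout,
# the HMAC stand-in for an ECDSA signature and the rate cap are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

USDC_DECIMALS = 6
USR_DECIMALS = 18
BPS = 10_000


@dataclass
class SwapRequest:
    requester: str
    usdc_in: int        # deposited USDC, 6-decimal units
    min_usr_out: int    # user's slippage floor, 18-decimal units
    completed: bool = False


class SwapContract:
    def __init__(self, service_key: bytes, max_rate_bps: Optional[int]):
        # max_rate_bps: most USR the contract will mint per USDC, in basis
        # points (10_000 == 1:1). None reproduces the "Missing Upper Limit".
        self._service_key = service_key
        self.max_rate_bps = max_rate_bps
        self.requests: list = []
        self.total_supply = 0

    def request_swap(self, user: str, usdc_in: int, min_usr_out: int) -> int:
        """Step 1 (on-chain): record the deposit and the user's minimum."""
        self.requests.append(SwapRequest(user, usdc_in, min_usr_out))
        return len(self.requests) - 1

    def _digest(self, request_id: int, usr_out: int) -> bytes:
        msg = f"{request_id}:{usr_out}".encode()
        return hmac.new(self._service_key, msg, hashlib.sha256).digest()

    def sign_completion(self, request_id: int, usr_out: int) -> bytes:
        """Stand-in for the off-chain SERVICE_ROLE signer: whoever holds the key."""
        return self._digest(request_id, usr_out)

    def complete_swap(self, request_id: int, usr_out: int, signature: bytes) -> int:
        """Step 2 (on-chain): mint usr_out if the SERVICE_ROLE signed it."""
        req = self.requests[request_id]
        if req.completed:
            raise ValueError("request already completed")
        if not hmac.compare_digest(signature, self._digest(request_id, usr_out)):
            raise PermissionError("signature is not from SERVICE_ROLE")
        if usr_out < req.min_usr_out:
            raise ValueError("below the user's minimum output")
        if self.max_rate_bps is not None:
            # Hardened path: bound the mint by the deposit. Scale USDC (6 dp)
            # up to USR units (18 dp) before applying the cap.
            cap = req.usdc_in * 10 ** (USR_DECIMALS - USDC_DECIMALS) * self.max_rate_bps // BPS
            if usr_out > cap:
                raise ValueError("exceeds maximum output for this deposit")
        req.completed = True
        self.total_supply += usr_out
        return usr_out


def attempt_mint(max_rate_bps: Optional[int], usdc: int, usr_requested: int) -> int:
    """Deposit `usdc` USDC, then use the signer key to authorise `usr_requested`
    USR. Returns the USR minted (18-dp units), or 0 if the contract refused."""
    c = SwapContract(service_key=b"key-the-attacker-obtained", max_rate_bps=max_rate_bps)
    rid = c.request_swap("attacker", usdc * 10 ** USDC_DECIMALS, min_usr_out=1)
    usr_out = usr_requested * 10 ** USR_DECIMALS
    try:
        return c.complete_swap(rid, usr_out, c.sign_completion(rid, usr_out))
    except ValueError:
        return 0


if __name__ == "__main__":
    # Constructed figures mirroring the article: ~$100k in, 50M USR requested.
    print("no upper limit :", attempt_mint(None, 100_000, 50_000_000) // 10**18, "USR minted")
    print("1% cap         :", attempt_mint(10_100, 100_000, 50_000_000) // 10**18, "USR minted")
    print("1% cap, honest :", attempt_mint(10_100, 100_000, 100_000) // 10**18, "USR minted")
```

The cap does not prevent key compromise; it limits the blast radius of one. A stolen SERVICE_ROLE key can still complete every pending request, but the most it can mint per deposited dollar is the cap, so draining the protocol would require the attacker to put in real collateral first. Moving the signing role to a threshold scheme is a separate control and is not modelled here.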
The attacker exited methodically: first converting the newly minted USR into wstUSR (a staked wrapper) to dampen market impact, then swapping it for ETH via Curve, Uniswap, and KyberSwap. The attacker’s wallet now holds roughly 11,400 ETH (~$24 million). Meanwhile, the ETH and BTC collateral pools underpinning the system remained fully intact amid the stablecoin collapse.
How Contagion Spread
The Resolv exploit was effectively two events stacked on top of each other: first, the minting vulnerability; second, a cascading failure across lending markets.
When USR and wstUSR collapsed, every lending market accepting them as collateral faced the same issue: their oracles continued pricing wstUSR near $1.
Omer Goldberg, founder of risk analytics firm Chaos Labs, documented this mechanism. His core finding: “Oracles are hardcoded—so they never reprice. wstUSR was marked at $1.13, while trading at ~$0.63 on secondary markets.”
Traders bought wstUSR cheaply on the open market, deposited it as collateral on Morpho or Fluid, where the oracle still valued it at $1.13, borrowed USDC against it and walked away, leaving lenders holding collateral worth far less than the loans it secured.
At Fluid, the team secured short-term loans to cover 100% of the bad debt and pledged full reimbursement for every user. At Morpho, co-founder Paul Frambot stated that roughly 15 vaults held significant exposure—all employing high-risk, long-tail collateral strategies.
Prominent curator Gauntlet claimed, “Exposure from several high-yield vaults is limited.”
D2 Finance directly refuted that claim, publishing on-chain data showing Gauntlet’s flagship “USDC Core Vault” allocated $4.95 million to the wstUSR/USDC market. Goldberg later noted Gauntlet’s vault accounted for 98% of lender liquidity in that market.
Frambot wrote in a response to The Defiant: “We’re continually exploring ways to represent various risks more comprehensively. But we don’t believe the core issue here is lack of labeling.”
Frambot added: “Morpho is oracle-agnostic—meaning it allows curators to choose any oracle they deem most suitable for a given market. Morpho is open, permissionless infrastructure designed to outsource risk management to curators.”
“It’s difficult to enforce objectively ‘correct’ guardrails across all scenarios,” Frambot said, “and imposing constraints at the protocol level also risks hindering legitimate strategies.”
While the underlying protocol delegates risk management to curators, some industry observers argue curators failed in their duty.
“I think the curator industry is fundamentally flawed because there’s no real curation happening,” Marc Zeller posted on X.
As of publication, Resolv, Gauntlet, and Fluid had not responded to The Defiant’s requests for comment.
A Recurring Failure Pattern
This is not a novel attack. In January 2025, Usual Protocol’s USD0++ was hardcoded at $1 by curator MEV Capital in a Morpho vault. Usual then abruptly adjusted its redemption floor to $0.87—without warning—locking lenders inside the MEV Capital vault, whose utilization spiked to 100%.
In November 2025, Stream Finance’s xUSD collapsed after curators had routed USDC deposits into leveraged loops backed by the synthetic stablecoin. When its oracle refused to update, an estimated $285 million to $700 million in assets across Morpho, Euler, and Silo became exposed. Moonwell suffered two oracle failures in October and November 2025, collectively generating over $5 million in bad debt.
What This Means for the Curator Model
Morpho’s architecture outsources all risk decisions to third-party “curators,” who build vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory holds that professional institutions possess deeper expertise, competition yields better risk management, and protocols focus solely on rule enforcement.
Yet curators earn fees based on generated yield—creating strong incentives to accept higher-risk, higher-yield collateral (e.g., yield-bearing stablecoins). The problem arises when those stablecoins de-peg: losses fall on depositors—not curators. In the Resolv incident, some curators’ automated bots continued injecting funds into affected vaults for hours after the exploit began, deepening losses.
The rationale for hardcoding oracles for yield-bearing stablecoins is to prevent unnecessary liquidations triggered by short-term volatility. But such protection only works if the stablecoin remains stable.
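An added illustration, not code from Morpho, Fluid or Chaos Labs, of the trade-off described in the paragraph above and of the contagion mechanism from the earlier section: it prices a toxic deposit under a hardcoded oracle, a pure spot oracle and a guarded oracle that tolerates small wobbles but never values collateral above spot once the deviation is large. The $1.13 and ~$0.63 prices are the wstUSR figures quoted earlier; the 90% loan-to-value ratio, the 2% tolerance band and the attacker's $100,000 budget are assumptions for illustration.

```python
# Added example (not Morpho, Fluid or Chaos Labs code): how a lending market's
# oracle policy decides whether a de-peg turns into bad debt. The prices
# (1.13 hardcoded vs 0.63 on secondary markets) are the wstUSR figures from
# the article; the 90% loan-to-value ratio, the 2% tolerance band and the
# 100k USDC attacker budget are assumptions.
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Market:
    hardcoded_price: float  # what the vault's fixed oracle returns
    market_price: float     # what the token actually trades at on DEXes
    ltv: float              # assumed loan-to-value limit


def price_hardcoded(m: Market) -> float:
    """The failing policy: never repricing, whatever the market does."""
    return m.hardcoded_price


def price_market(m: Market) -> float:
    """Pure spot pricing: accurate, but every short-term dip can liquidate."""
    return m.market_price


def price_guarded(m: Market, band: float = 0.02) -> float:
    """Keep the fixed price while spot stays within `band` of it, so noise does
    not trigger liquidations, but never value collateral above spot once the
    deviation exceeds the band. This is the compromise the hardcoded design
    aims for and fails to deliver during a real de-peg."""
    deviation = abs(m.market_price - m.hardcoded_price) / m.hardcoded_price
    if deviation <= band:
        return m.hardcoded_price
    return min(m.hardcoded_price, m.market_price)


def toxic_deposit(m: Market, usdc_spent: float,
                  pricer: Callable[[Market], float]) -> Tuple[float, float]:
    """Buy collateral at spot with `usdc_spent`, deposit it, borrow the maximum
    the oracle allows, and walk away. Returns (borrowed, bad_debt), where
    bad_debt is what lenders lose after selling the collateral at spot."""
    units = usdc_spent / m.market_price
    borrowed = pricer(m) * units * m.ltv
    recoverable = units * m.market_price
    return borrowed, max(0.0, borrowed - recoverable)


if __name__ == "__main__":
    wstusr = Market(hardcoded_price=1.13, market_price=0.63, ltv=0.90)
    for name, pricer in [("hardcoded", price_hardcoded),
                         ("spot", price_market),
                         ("guarded", price_guarded)]:
        borrowed, bad = toxic_deposit(wstusr, 100_000.0, pricer)
        print(f"{name:9s} oracle: borrow ${borrowed:,.0f} against $100,000 spent, "
              f"bad debt ${bad:,.0f}")
    # A 1% wobble around the peg is ignored by the guarded policy.
    print("guarded price during a 1% dip:", price_guarded(Market(1.0, 0.99, 0.9)))
```

Under the hardcoded policy every $100,000 of cheap wstUSR borrows roughly $161,000 and leaves about $61,000 of bad debt, which is why the trade was repeated until the markets were drained. The guarded policy is not a full fix: it still needs a trustworthy spot source, and a manipulated DEX price can push it the other way into needless liquidations. Its point is only that a fixed price must have a ceiling anchored to something observable.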
Chainalysis, the on-chain analytics firm, concluded in its post-mortem that real-time on-chain detection capabilities are needed.
“The on-chain smart contracts operated perfectly. Clearly, the issue lies in broader system design and off-chain infrastructure,” the firm stated.