DeFi project teams cannot assume that modules they control are necessarily secure.
Written by Eric, Foresight News
Around 10:21 AM Beijing time today, Resolv Labs, issuer of the stablecoin USR, which is backed by a delta-neutral strategy, was hacked. An address beginning with 0x04A2 minted 50 million USR from the Resolv protocol against a deposit of just 100,000 USDC.

After the incident came to light, USR immediately dropped to around $0.25 before recovering to around $0.80 at the time of writing. The RESOLV token also briefly fell by nearly 10%.

The attacker then repeated the same method, minting another 30 million USR with a further 100,000 USDC. With USR now deeply depegged, arbitrageurs moved quickly: many Morpho lending markets that accepted USR, wstUSR and related collateral were almost completely drained, and Lista DAO on BNB Chain suspended new borrowing requests.

The lending protocols are not the only ones affected. Resolv also lets users mint RLP, a token with higher volatility and higher yield that sits first in line to absorb any losses the protocol incurs. Nearly 30 million RLP are currently in circulation, with Stream Finance holding over 13 million, a net exposure of roughly $17 million.
That's right, Stream Finance, which previously suffered a major setback due to xUSD, may be about to be hit again.
As of this writing, the hacker has swapped the USR for USDC and USDT and continues to buy Ethereum, having already accumulated more than 10,000 ETH. With 200,000 USDC in, the attacker has extracted over $20 million in assets, finding their "100x coin" in the middle of a bear market.
Once again, a loophole was exploited due to "lack of rigor".
The sharp drop on October 11 last year left many stablecoins built on delta-neutral strategies with collateral losses from ADL (automatic deleveraging). Some projects that used altcoins as the underlying asset suffered even heavier losses, or simply ran off with the money (see "After xUSD, the USDX pool seems to have dried up too").
Resolv Labs, which was attacked this time, also used a similar mechanism to issue USR. The project announced in April 2025 that it had completed a $10 million seed round led by Cyber.Fund and Maven11, with Coinbase Ventures participating, and launched its token RESOLV in late May and early June.
However, Resolv Labs was not attacked because of extreme market conditions; the mechanism for minting USR was simply "not rigorous enough".
No security firm or official body has yet published a root-cause analysis of the incident. A preliminary analysis by DeFi community member YAM suggests the attacker most likely gained control of SERVICE_ROLE, the privileged role the protocol backend uses to supply parameters to the minting contract.

According to Grok's analysis, a user who wants to mint USR first initiates a request on-chain by calling the contract's requestMint function with the following parameters:
_depositTokenAddress: the address of the token being deposited;
_amount: the amount to deposit;
_minMintAmount: the minimum amount of USR the user expects to receive (slippage protection).
The user's USDC or USDT is then deposited into the contract. The project's backend, acting under SERVICE_ROLE, watches for the request, values the deposited asset using the Pyth oracle, and then calls completeMint or completeSwap with the actual amount of USR to mint.
The problem is that the minting contract trusts the _mintAmount supplied by SERVICE_ROLE completely, on the assumption that the backend has already priced it off-chain against Pyth. It imposes no upper bound and performs no secondary check against an on-chain oracle; it simply executes mint(_mintAmount).
On this basis, YAM suspects the attacker took control of SERVICE_ROLE, which should have been held by the project team (possibly through an internal oracle malfunction, an insider, or key theft), and simply set _mintAmount to 50 million, minting 50 million USR against 100,000 USDC.
Grok's conclusion is that, when designing the protocol, Resolv never considered that the address (or contract) receiving user mint requests might fall under an attacker's control. When a mint request reached the contract that ultimately issues USR, there was no maximum mint amount, and the minting contract did not use an on-chain oracle as a second check; it trusted every parameter SERVICE_ROLE provided.
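To make the flaw and its fix concrete, here is an added example in Solidity that is not Resolv's code and is not taken from YAM's or Grok's analysis; it only mirrors the requestMint / completeMint / SERVICE_ROLE flow described above. The first contract has the shape of the problem: the caller is authenticated, but the amount is minted verbatim. The second contract keeps the same two-step flow but bounds the service's number with an on-chain price feed, the user's own minimum, a per-transaction cap and a rolling daily cap. Everything else is an assumption for illustration: the IPriceFeed interface and its 8-decimal USD price, a 6-decimal deposit token (USDC/USDT), an 18-decimal USR, the cap values, and the omission of the actual token escrow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical on-chain price feed (assumption): USD price of one whole deposit token
// with 8 decimals, plus the feed's last update time. Stands in for whatever on-chain
// oracle a team chooses as the second, independent valuation.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

// ---- "Before": the shape of the flaw described in the analysis above ----
contract TrustingMinter {
    address public immutable serviceRole;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(address _serviceRole) { serviceRole = _serviceRole; }

    // Only *who* calls is checked; *what* they ask for is minted verbatim.
    // Holding the SERVICE_ROLE key, _mintAmount = 50_000_000e18 against a 100k USDC deposit goes through.
    function completeMint(address _to, uint256 _mintAmount) external {
        require(msg.sender == serviceRole, "not service");
        balanceOf[_to] += _mintAmount;
        totalSupply += _mintAmount;
    }
}

// ---- "After": the service account proposes an amount, the contract bounds it ----
contract BoundedMinter {
    struct Request {
        address user;
        address depositToken;
        uint256 amount;         // deposit-token units (assumed 6 decimals, e.g. USDC/USDT)
        uint256 minMintAmount;  // user's slippage floor; USR assumed to have 18 decimals
        bool completed;
    }

    address public immutable serviceRole;
    mapping(address => IPriceFeed) public feeds;   // depositToken => on-chain feed
    mapping(uint256 => Request) public requests;
    uint256 public nextRequestId;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    uint256 public constant MAX_DEVIATION_BPS = 100;     // service may exceed the feed by at most 1%
    uint256 public constant MAX_PRICE_AGE = 5 minutes;   // reject stale feed data
    uint256 public constant MAX_MINT_PER_TX = 5_000_000e18;   // illustrative cap values
    uint256 public constant MAX_MINT_PER_DAY = 20_000_000e18;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    constructor(address _serviceRole, address _depositToken, IPriceFeed _feed) {
        serviceRole = _serviceRole;
        feeds[_depositToken] = _feed;
    }

    // Step 1: the user records intent. (Escrowing the deposit via transferFrom is omitted.)
    function requestMint(address _depositTokenAddress, uint256 _amount, uint256 _minMintAmount)
        external returns (uint256 id)
    {
        require(address(feeds[_depositTokenAddress]) != address(0), "unsupported token");
        id = nextRequestId++;
        requests[id] = Request(msg.sender, _depositTokenAddress, _amount, _minMintAmount, false);
    }

    // Independent on-chain valuation of the deposit in USR units:
    // amount (6 dec) * price (8 dec) = 14 dec, scaled by 1e4 to reach 18 dec.
    function oracleMintAmount(uint256 id) public view returns (uint256) {
        Request storage r = requests[id];
        (uint256 price, uint256 updatedAt) = feeds[r.depositToken].latestPrice();
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "stale price");
        return r.amount * price * 1e4;
    }

    // Step 2: the service completes the request, but every number it supplies is checked.
    function completeMint(uint256 id, uint256 _mintAmount) external {
        require(msg.sender == serviceRole, "not service");
        Request storage r = requests[id];
        require(r.user != address(0) && !r.completed, "bad request");
        r.completed = true;

        // Upper bound from the on-chain feed: the service can shave a fee, never inflate.
        uint256 upper = oracleMintAmount(id) * (10_000 + MAX_DEVIATION_BPS) / 10_000;
        require(_mintAmount <= upper, "exceeds oracle bound");
        require(_mintAmount >= r.minMintAmount, "below user minimum");
        require(_mintAmount <= MAX_MINT_PER_TX, "per-tx cap");

        // Rolling daily cap: a compromised key cannot print the whole supply in one sitting.
        if (block.timestamp - windowStart >= 1 days) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        mintedInWindow += _mintAmount;
        require(mintedInWindow <= MAX_MINT_PER_DAY, "daily cap");

        balanceOf[r.user] += _mintAmount;
        totalSupply += _mintAmount;
    }
}
```

With the numbers from the incident, a 100,000 USDC request (amount = 1e11) at a feed price of $1.00 (1e8) values at 1e23, i.e. 100,000 USR, so the 50,000,000e18 the attacker requested fails the oracle bound long before the caps matter. The caps exist for the case where the feed itself is wrong or manipulated: they turn an unbounded loss into a bounded one and buy time for a pause.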
Emergency preparedness was also inadequate
Beyond speculating on the cause, YAM also pointed to the team's lack of preparedness once the crisis hit.
YAM stated on X that Resolv Labs only paused the protocol about three hours after the first malicious mint, with roughly one hour of that delay spent collecting the four signatures required by the multisig. In YAM's view, an emergency pause should require only one signature, and that authority should be spread across team members and, where possible, trusted external operators, which would raise awareness of on-chain anomalies, improve the odds of a rapid pause, and better cover different time zones.
A single-signature pause may sound radical, but requiring multiple signatures from people spread across time zones can clearly cause serious delays in an emergency. Bringing in a trusted third party that continuously monitors on-chain behaviour, or deploying monitoring tools that themselves hold emergency-pause permission, is the lesson this incident offers.
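One way to reconcile the two positions above is to make the permission asymmetric: halting is cheap and needs one key, resuming is expensive and needs the multisig. The Solidity below is an added example, not Resolv's contract and not something YAM proposed in this form; the PausableMinter name, the pauser list, the ANOMALY_THRESHOLD value and the self-tripping breaker are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Asymmetric emergency control: any address on a short pauser list can halt the
// contract with a single signature; only the multisig admin can resume or edit the list.
contract PausableMinter {
    address public admin;                      // the slow path: e.g. a 4-of-N multisig
    mapping(address => bool) public isPauser;  // the fast path: team members in several time zones, plus a monitoring bot
    address public serviceRole;                // backend key that completes mints
    bool public paused;

    // Illustrative threshold: a single completion above this is treated as an anomaly.
    uint256 public constant ANOMALY_THRESHOLD = 5_000_000e18;

    mapping(address => uint256) public balanceOf;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event PauserSet(address indexed who, bool allowed);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address _admin, address _serviceRole, address[] memory _pausers) {
        admin = _admin;
        serviceRole = _serviceRole;
        for (uint256 i = 0; i < _pausers.length; i++) {
            isPauser[_pausers[i]] = true;
            emit PauserSet(_pausers[i], true);
        }
    }

    // The worst a compromised pauser key can do is cause downtime, not theft,
    // so no quorum is required and the list can be generous.
    function pause() external {
        require(isPauser[msg.sender], "not pauser");
        paused = true;
        emit Paused(msg.sender);
    }

    // Resuming re-opens the attack surface, so it stays behind the multisig.
    function unpause() external onlyAdmin {
        paused = false;
        emit Unpaused(msg.sender);
    }

    function setPauser(address who, bool allowed) external onlyAdmin {
        isPauser[who] = allowed;
        emit PauserSet(who, allowed);
    }

    // Every privileged flow is gated. Once paused, a stolen SERVICE_ROLE key achieves nothing more.
    function completeMint(address to, uint256 amount) external whenNotPaused {
        require(msg.sender == serviceRole, "not service");
        // Self-tripping breaker: an absurd request halts the contract instead of merely
        // reverting, so the attacker's next attempt also fails, with no human in the loop.
        if (amount > ANOMALY_THRESHOLD) {
            paused = true;
            emit Paused(address(this));
            return;
        }
        balanceOf[to] += amount;
    }
}
```

An external monitor that watches the Paused event and the ratio of minted USR to deposited collateral belongs on the pauser list as one more key; it is the "monitoring tool with emergency suspension permission" the paragraph above describes, and granting it pause-only power costs nothing if its key is later lost.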
Attacks on DeFi protocols have long been thought of as contract-level bugs. The Resolv Labs incident is a warning to project teams: the working assumption should be that no component of the protocol is trustworthy, and every step that carries a parameter into a state-changing action must be verified at least twice, including the backend the team itself operates.