Missing Mint Check Let an Attacker Print 25 Million Dollars From a 100K Deposit in the Resolv USR Exploit
A compromised signing key and zero on-chain validation between collateral and minted tokens crashed the USR stablecoin from one dollar to two cents
The root cause was devastatingly simple: zero on-chain validation between collateral deposited and tokens minted. The protocol's minting architecture used a two-step off-chain approval pattern where a user calls requestSwap to deposit USDC, then a privileged signer calls completeSwap to mint USR. Nothing in the smart contract verified that the minted amount corresponded to the deposited collateral.
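To make the failure concrete, here is an added Solidity sketch (hypothetical, not Resolv's contract) of the two-step pattern the article describes: the unchecked completeSwap, where the signer supplies the mint amount, beside a version that derives the amount on-chain from the escrowed deposit. The contract, function and storage names are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative two-step mint flow; hypothetical sketch, not Resolv's contract.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SwapMint {
    IERC20 public immutable usdc;     // 6-decimal collateral token
    address public immutable signer;  // privileged off-chain approver (the KMS-held key)
    uint256 public nextId;

    struct Request { address user; uint256 usdcIn; bool done; }
    mapping(uint256 => Request) public requests;
    mapping(address => uint256) public usrBalance; // stand-in for the 18-decimal USR token

    constructor(IERC20 _usdc, address _signer) { usdc = _usdc; signer = _signer; }

    // Step 1: user escrows USDC; the deposit amount is recorded on-chain.
    function requestSwap(uint256 usdcIn) external returns (uint256 id) {
        require(usdcIn > 0, "zero deposit");
        require(usdc.transferFrom(msg.sender, address(this), usdcIn), "transfer failed");
        id = nextId++;
        requests[id] = Request(msg.sender, usdcIn, false);
    }

    // Step 2, VULNERABLE shape: the signer supplies usrOut and nothing ties it to
    // r.usdcIn. Whoever holds the key can mint any amount against any deposit.
    function completeSwapUnchecked(uint256 id, uint256 usrOut) external {
        require(msg.sender == signer, "not signer");
        Request storage r = requests[id];
        require(!r.done, "already completed");
        r.done = true;
        usrBalance[r.user] += usrOut;
    }

    // Step 2, HARDENED shape: the mint amount is derived on-chain from the escrowed
    // USDC (6 -> 18 decimals at a 1:1 peg), so a stolen key can only release
    // what the user actually deposited, and only once per request.
    function completeSwapChecked(uint256 id) external {
        require(msg.sender == signer, "not signer");
        Request storage r = requests[id];
        require(r.user != address(0), "unknown request");
        require(!r.done, "already completed");
        r.done = true;
        usrBalance[r.user] += r.usdcIn * 1e12;
    }
}
```

The hardened variant still trusts the signer to decide whether a request completes, but the key no longer controls how much is minted; that bound is what was missing in the pattern the article describes.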
Resolv was not a fringe project. At its peak, the protocol held over 500 million dollars in total value locked and had raised 10 million dollars from Coinbase Ventures, Maven 11, and Animoca Brands. It was integrated into Morpho, Aave, Euler, and Curve, giving it deep tentacles across DeFi lending and exchange infrastructure.
The protocol's TVL had already been haemorrhaging before the exploit, dropping from roughly 400 million dollars in early February to 100 million by mid-March, a 75 percent contraction in weeks.
Analysis
Why This Matters
The exploit demonstrates that even well-funded, deeply integrated DeFi protocols can have fundamental security flaws. A missing validation check, the most basic kind of bug, enabled a 25 million dollar theft.
Key Perspectives
Security researchers point to the off-chain approval pattern as inherently risky. When minting authority lives in a single signing key rather than on-chain logic, compromising that key compromises everything. The use of AWS KMS for key storage adds cloud infrastructure as an additional attack surface.
What to Watch
Whether Resolv can recover, whether integrated protocols like Aave and Curve suffered downstream effects, and whether this incident accelerates the push for mandatory on-chain validation in stablecoin minting.