Resolv Hack Exposes Web2 Risk in DeFi: The Summary

Ngan Ha Nguyen
On March 22, 2026, the stablecoin protocol Resolv suffered a severe infrastructure attack after an attacker gained signing control of a privileged key through its cloud environment. The attacker used that access to mint 80 million USR without valid collateral, causing a sharp de-peg and forcing the protocol to pause operations. Resolv had already gone through 18 audit rounds, but the audit count was not the failure point. The failure was the protocol’s heavy reliance on Web2 infrastructure, specifically AWS KMS, without on-chain risk controls to constrain what a privileged signer could mint.
Resolv - Delta-Neutral Stablecoin - Facing a hack incident

1. Context

Against the backdrop of Q1 2026, when multiple DeFi exploits had already caused more than $130 million in sector-wide losses, including incidents involving Step Finance and Truebit, Resolv became the next high-profile victim of a Web2 infrastructure compromise. More importantly, this case drew attention because it exposed a critical weakness in how modern DeFi protocols manage privileged keys and depend on off-chain services for core operations.

2. How Did Resolv Mint 80 Million Unbacked USR?

This is the most direct question users, builders, and auditors need to answer when assessing the incident.

Exploit Breakdown

  1. AWS KMS compromise: The attacker infiltrated Resolv’s cloud infrastructure and obtained the ability to sign with the privileged SERVICE_ROLE key held in AWS Key Management Service (KMS). KMS key material is not exportable, so in practice this means the attacker controlled a principal permitted to use the key through Resolv’s own privileged signing flow, which was enough to authorize minting operations.
  2. Unauthorized minting: The attacker deposited around 200,000 USDC and then used the compromised signer to authorize calls to the completeSwap function. As a result, the contract approved the minting of 80 million USR with no real backing. On-chain analysis identified two major mint transactions, one for 50 million USR and another for 30 million USR.
  3. Asset extraction: After minting the unbacked USR, the attacker moved the tokens into wstUSR to preserve liquidity and reduce immediate market pressure. From there, the funds were gradually swapped into other assets and eventually into ETH. The original incident summary notes that the realized loss from redemptions before the protocol halt was about $0.5 million, while later public reporting showed that the attacker ultimately extracted roughly $24–25 million in ETH.

Root Cause

  • Off-chain access control failure: The signing key was compromised through a targeted intrusion into Resolv’s infrastructure and third-party network environment. In other words, the protocol’s off-chain trust layer was a single point of failure.
  • Missing on-chain invariants: Resolv’s smart contracts validated the signature itself but enforced neither a maximum mint amount (per transaction or per time window) nor a check of the on-chain collateral ratio before minting. Consequently, once the privileged signer was compromised, the contract executed exactly as designed even though the output was economically invalid.

3. Structural Insight

The Audit Paradox

A protocol can complete 18 audit rounds and still fail if its architecture places blind trust in a single privileged entity. In practice, security audits often focus on contract code, while infrastructure-level operational risks, such as key management, signer control, and off-chain service dependencies, may receive less attention.
The Resolv incident is a clear reminder that code security alone is not enough.

Contagion Risk Across DeFi

The Resolv exploit also caused cross-protocol damage. Platforms such as Morpho and other integrated DeFi markets reportedly valued USR at a hardcoded 1:1 peg. Once USR de-pegged, anyone could buy discounted USR on the open market, deposit it as collateral still valued at one dollar, and borrow real stablecoins against it, draining liquidity from those pools. The exploit thus grew from a protocol-level breach into a broader DeFi composability problem.
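To make the peg problem concrete, the following is an added example written for this article; it is not Morpho’s, Resolv’s, or any other protocol’s code. It contrasts a collateral valuer that hardcodes the peg with one that values the stablecoin at the lower of peg and market price and refuses to value it at all once the market price is stale or more than 2% below peg. The contract name, the IPriceSource interface, the 80% LTV, the 2% band, and the one-hour staleness limit are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical market price source; assumed to return an 18-decimal USD price.
interface IPriceSource {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

/// Hypothetical collateral valuation for a lending market that lists a stablecoin.
contract PegAwareCollateralValuer {
    uint256 public constant PEG = 1e18;             // 1.00 USD, 18 decimals
    uint256 public constant MAX_DEPEG_BPS = 200;    // more than 2% below peg: freeze new borrows
    uint256 public constant MAX_STALENESS = 1 hours;
    uint256 public constant LTV_BPS = 8_000;        // 80% loan-to-value (assumed)

    IPriceSource public immutable market;

    constructor(IPriceSource market_) {
        market = market_;
    }

    /// The weak assumption: collateral is always worth exactly the peg,
    /// regardless of what the token trades at.
    function hardcodedValue(uint256 amount) public pure returns (uint256) {
        return amount * PEG / 1e18;
    }

    /// Hardened valuation: never value above min(peg, market), and revert
    /// (blocking new borrows) when the feed is stale or the token has de-pegged.
    function guardedValue(uint256 amount) public view returns (uint256) {
        (uint256 price, uint256 updatedAt) = market.latestPrice();
        require(updatedAt <= block.timestamp && block.timestamp - updatedAt <= MAX_STALENESS, "stale price");

        uint256 floorPrice = PEG - PEG * MAX_DEPEG_BPS / 10_000;  // 0.98 USD
        require(price >= floorPrice, "depegged: borrows frozen");

        // Lending against a premium is just as unsafe, so cap at the peg.
        uint256 p = price < PEG ? price : PEG;
        return amount * p / 1e18;
    }

    /// Borrow limit under the hardcoded peg: the figure the attacker exploits.
    function maxBorrowHardcoded(uint256 amount) external pure returns (uint256) {
        return hardcodedValue(amount) * LTV_BPS / 10_000;
    }

    /// Borrow limit under the guarded valuation.
    function maxBorrowGuarded(uint256 amount) external view returns (uint256) {
        return guardedValue(amount) * LTV_BPS / 10_000;
    }
}
```

Worked numbers: if USR trades at 0.60 USD, a borrower can buy 1,000,000 USR for 600,000 USD, deposit it, and under hardcodedValue borrow 800,000 USDC against it, walking away with 200,000 USDC of the pool’s real liquidity and abandoning the debt. With guardedValue the same deposit reverts, because 0.60 is below the 0.98 floor, so no new borrow is possible until the market recovers.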

Current Financial Position

According to Resolv Digital Assets Ltd. (RDAL), the protocol’s core collateral base was not directly compromised. The issue was isolated to the issuance mechanics rather than the underlying reserve assets. Based on the original incident update, the protocol still held approximately $141 million in assets.

4. Implications

For Builders

Builders need to implement defense-in-depth mechanisms rather than relying on off-chain signatures alone. Specifically, protocols should add on-chain mint caps, rate limiting, and real collateral verification at the contract level, so that a valid signature is necessary but not sufficient to mint. Furthermore, emergency pause logic should react to anomalous mint behavior in real time and should be controlled by a role separate from the signing key, so that compromising the signer does not also disable the ability to stop it.
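The following is an added example for this article and the root-cause section above; it is not Resolv’s code and does not reproduce its actual completeSwap implementation. It shows a signature-gated mint of the kind the article describes, with the three missing invariants layered behind the signature check: a per-epoch mint cap that trips a circuit breaker, a backing check against collateral actually held by the contract, and a pause controlled by a guardian role distinct from the signer. The contract name, the IERC20 interface, the one-hour epoch, the assumption that collateral is a 6-decimal stablecoin held directly by the issuer, and the 100% minimum backing ratio are all simplifications chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface needed to read the collateral backing the issuer.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical issuer. serviceSigner is the role whose key lives in KMS;
/// guardian is a separate on-chain role that can only pause.
contract GuardedIssuer {
    address public immutable serviceSigner;
    address public immutable guardian;
    IERC20  public immutable collateral;      // assumed 6-decimal stablecoin such as USDC

    uint256 public totalSupply;               // issued token, 18 decimals
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => bool) public consumed; // replay protection for signed requests

    uint256 public constant EPOCH = 1 hours;
    uint256 public constant MIN_BACKING_BPS = 10_000; // 100%: every unit must be backed
    uint256 public immutable epochCap;        // hard ceiling on issuance per epoch
    uint256 public epochStart;
    uint256 public mintedThisEpoch;
    bool    public paused;

    event Minted(address indexed to, uint256 amount, bytes32 requestId);
    event CircuitBreakerTripped(uint256 attempted, uint256 capRemaining);
    event Paused(address by);

    constructor(address signer_, address guardian_, IERC20 collateral_, uint256 epochCap_) {
        serviceSigner = signer_;
        guardian = guardian_;
        collateral = collateral_;
        epochCap = epochCap_;
        epochStart = block.timestamp;
    }

    /// Guardian pause is independent of the signing key, so a signer compromise
    /// does not also remove the ability to stop issuance.
    function pause() external {
        require(msg.sender == guardian, "not guardian");
        paused = true;
        emit Paused(msg.sender);
    }

    /// Signature-gated mint. The signature check is the control the article says
    /// existed; everything after it is the missing on-chain invariant.
    function completeSwap(address to, uint256 amount, bytes32 requestId, bytes calldata sig) external {
        require(!paused, "paused");
        require(!consumed[requestId], "replayed request");

        // (0) Existing control: off-chain authorization by the privileged signer,
        //     bound to this contract, this chain, the recipient, amount and request id.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, to, amount, requestId))
        ));
        require(recover(digest, sig) == serviceSigner, "bad signature");
        consumed[requestId] = true;

        // (1) Rate limit: roll the epoch window, then compare against the cap.
        if (block.timestamp >= epochStart + EPOCH) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        uint256 remaining = epochCap - mintedThisEpoch;
        if (amount > remaining) {
            // A validly signed request above the cap is itself a compromise indicator:
            // trip the breaker and return without reverting so the pause persists.
            paused = true;
            emit CircuitBreakerTripped(amount, remaining);
            return;
        }

        // (2) Backing invariant: post-mint supply must not exceed collateral held.
        //     Collateral is assumed 6-decimal; scale to 18 to compare with supply.
        uint256 backing = collateral.balanceOf(address(this)) * 1e12;
        require((totalSupply + amount) * MIN_BACKING_BPS / 10_000 <= backing, "unbacked mint");

        // (3) Effects.
        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount, requestId);
    }

    /// 65-byte (r, s, v) ECDSA recovery with the low-s malleability check.
    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "malleable s");
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

Against the incident as described, this contract behaves differently at two points. With an epochCap of, say, 5,000,000e18, a correctly signed request for 50,000,000e18 does not mint; it trips the breaker and leaves the contract paused, and the CircuitBreakerTripped event is exactly what an off-chain monitor should alert on. Even a request sized under the cap fails the backing check: 200,000 USDC scales to 200,000e18 of backing, so any mint that pushes supply past that amount reverts with "unbacked mint". The signer still has to be protected, but its compromise no longer translates directly into unbacked supply.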

For Auditors

Auditors should expand their review scope beyond smart contracts and include key custody design, cloud privilege boundaries, off-chain signing workflows, and failure scenarios in which Web2 infrastructure is compromised. Otherwise, security reviews risk missing the most dangerous trust assumptions in the system.

For the Ecosystem

The wider ecosystem needs real-time monitoring solutions, such as Hexagate-style systems, that can detect abnormal mint events and automatically trigger circuit breakers before exploit proceeds spread across lending markets, DEX pools, and bridge routes. In contrast, delayed manual response leaves too much room for attackers to extract value within minutes.

5. Watchlist / Next Steps after the Resolv hack

Recovery Plan

Resolv burned 9 million USR shortly after the incident and then moved to blacklist and freeze a total of around 46 million USR/wstUSR, equivalent to roughly 57% of the 80 million illicitly minted supply. The remaining assets in the attacker’s wallet were expected to become effectively non-transferable or non-redeemable. At that point, circulating supply consisted of roughly 102 million legitimate pre-hack USR plus a portion of contaminated USR still mixed in the market.

Redemption Reopening

Starting on March 24, 2026, redemption was re-enabled for the allowlist, which covered holders from before the hack. After two days, more than $77 million had already been redeemed, representing around 90% of that group, which indicated that Phase 1 was nearly complete.

Next Phases

Resolv is now preparing for the most complex stage of the recovery process:
  • resolving claims for users outside the allowlist
  • addressing exposure across related DeFi protocols
This stage is especially difficult because legitimate USR and contaminated USR have already been mixed in secondary markets. Consequently, both technical and legal reconciliation become more challenging.

Negotiation With the Attacker

Resolv reportedly offered the attacker a settlement: keep 10%, or around $2.3–2.5 million, and return 90% of the ETH. The deadline was March 26, 2026, within 72 hours. However, the attacker rejected the offer and retained approximately 11,400 ETH, worth around $24–25 million at the time.

Measures After Negotiations Failed

Following the failed negotiations, the protocol proceeded with additional containment actions:
  • activating an upgrade contract after the 72-hour timelock
  • freezing and destroying around 46 million tokens
  • fully preventing the attacker from moving the remaining affected assets
These measures were intended to contain systemic damage and protect the remaining recoverable value.

Legal and Tracing Efforts

Resolv has been working with law enforcement authorities and Chainalysis to trace the stolen funds. In parallel, investigators are monitoring flows through centralized exchanges and cross-chain bridges to identify opportunities to freeze or intercept assets.

Related Ecosystem Impact

The broader ecosystem has seen mixed outcomes:
  • Lista DAO reportedly recovered $8.4 million in bad debt without causing losses for users
  • kpk reportedly avoided losses thanks to effective emergency withdrawal and risk management systems
These cases highlight how strong protocol safeguards can materially reduce contagion impact during a market-wide stress event.

Closing Notes

  • AWS KMS protects key material, not the authority to use it. Secure infrastructure does not automatically mean a secure protocol if on-chain constraints are missing.
  • Users are strongly advised not to trade USR or related tokens while recovery measures are still being implemented.
  • Ultimately, this incident is a costly lesson in systemic risk when Web2 and Web3 intersect without cross-checking controls. In DeFi, the final line of defense must remain on-chain.

Author: Ngan Ha Nguyen, Security Research Team Leader of A-Star Group. Compiled by Dieu Anh.

© 2026 All rights reserved by A-Star Group.
