Resolv: The $25 Million Stablecoin That Minted Itself to Death

One compromised private key. 80 million unbacked stablecoins minted. $25 million drained. The code worked perfectly. The humans did not.

Resolv USR stablecoin exploit

On March 22, 2026, someone compromised a private key belonging to the Resolv DeFi protocol and used it to mint 80 million USR stablecoins out of thin air. No backing. No collateral. Just tokens that should not exist. They dumped them across decentralized exchanges and drained roughly $25 million in ETH before anyone could react. The USR stablecoin crashed 95%. The code worked exactly as intended. The problem was the key that controlled it.

Resolv's USR was supposed to be a collateralized stablecoin. The protocol held approximately $141 million in assets backing the tokens in circulation. The minting function was gated behind a privileged key - a single point of control that could authorize new token creation. The attacker got that key. At 2:21 AM, they started minting. By the time the team noticed, 80 million unbacked tokens were flooding the market.

The attacker converted the freshly minted USR to ETH through decentralized exchanges. The sell pressure cratered USR's price. Every DeFi protocol that accepted USR as collateral was suddenly holding a token worth a fraction of what it was 10 minutes earlier. The blast radius spread fast. Multiple platforms had to declare their exposure and reassure users.

Resolv halted operations immediately. Only $500,000 in redemptions had been processed before the pause, limiting the direct drain beyond the attacker's take. The team burned approximately 9 million of the tokens the attacker still held. But the damage was done.

This was not a smart contract exploit. The code did what it was supposed to do. The vulnerability was in the off-chain infrastructure - specifically, a single private key that controlled a critical protocol function. When that key was compromised, the attacker had the same permissions as the team. They just used them differently.

The Resolv hack fits a pattern that defined 2025 and is accelerating in 2026. Chainalysis and TRM Labs both documented a shift: attackers are moving away from code exploits and toward operational infrastructure. Keys, wallets, admin panels, CI pipelines. The human layer. DeFi protocol code is getting better. The people and systems around it are not keeping up.

Q1 2026 DeFi losses have already hit $137 million across 15 incidents. Step Finance lost $27.3 million. Truebit lost $26.2 million. Resolv joins the list at $25 million. For context, the entire first quarter of 2025 saw roughly $107 million in DeFi losses. The pace is accelerating.

The lesson from Resolv is the same lesson the industry has been refusing to learn for years. A stablecoin backed by $141 million in collateral is meaningless if one stolen key can print unlimited tokens. Security is not about the smart contract. It is about everything around it.