Hacker Mints $80 M Unbacked Stablecoin on Resolv DeFi, Steals $24.5 M in ETH
What Happened – An attacker compromised a private signing key used by the Resolv DeFi platform, minted roughly $80 million of the USR stablecoin without collateral, and exchanged a portion for about 11,408 ETH (≈ $24.5 M). The hack caused USR to de‑peg from the U.S. dollar, dropping to ~ 26 ¢. Resolv has paused the application, is tracing the illicit tokens, and has offered a bounty for their return.
Why It Matters for TPRM –
- Private‑key management failures can translate into direct financial loss for downstream partners.
- Over‑reliance on off‑chain approvals without on‑chain limits creates a single point of failure.
- Even platforms with extensive audits can be compromised, highlighting the need for continuous monitoring.
Who Is Affected – FinTech/DeFi services, crypto‑asset custodians, institutional investors using USR, and any third‑party applications that integrate Resolv’s minting API.
Recommended Actions –
- Review any contracts or data flows that involve Resolv or similar stablecoin minting services.
- Verify that your own private‑key handling and multi‑sig processes meet defense‑in‑depth standards.
- Add on‑chain limits and real‑time anomaly detection for token creation to your risk controls.
Technical Notes – The breach stemmed from a stolen private key that authorized unlimited USR minting; no maximum cap was enforced in the minting contract. The attacker first deposited $100‑200 K USDC, then minted ~80 M USR and swapped it for ETH. Chainalysis labeled the failure “overly trusting off‑chain infrastructure.” Source: The Record