A stablecoin tied to the crypto project Resolv Labs has lost its peg to the US dollar after an attacker was able to exploit the token’s contract to create millions of tokens for themselves.
Resolv Labs posted to X on Sunday that it had experienced an exploit that allowed an attacker to mint 50 million unbacked Resolv USR (USR). “The team has currently paused all the protocol functions to prevent further malicious actions and is actively working on recovery,” it added.
The X account “yieldsandmore” had posted to the platform earlier on Sunday that USR had crashed after on-chain data showed an attacker was able to mint 50 million USR by depositing $100,000 worth of the stablecoin USDC (USDC).
The attacker was also able to mint an additional 30 million USR tokens, according to the crypto security company PeckShield.
The crypto fund D2 Finance said that the minting function on USR’s contract was somehow broken. “Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing,” it added.
The exploit comes after crypto-related hacks declined sharply in February, with $49 million lost to exploits over the month, compared to $385 million in January, with attackers increasingly preferring phishing scams over protocol exploits.
Attacker cashing out “at full speed” depegs USR
D2 Finance said the attacker quickly moved the 50 million USR they minted to multiple crypto protocols, swapping the tokens for the stablecoins USDC and USDt (USDT) before “aggressively” converting them to Ether (ETH).
“The attacker’s exit playbook is textbook DeFi hack cashout running at full speed,” it said.
D2 Finance added that USR was selling as low as 50 cents on some trades as liquidity and slippage worsened across protocols, with “multiple failed transactions visible on-chain showing the urgency.”
The firm estimated that the attacker was able to extract around $25 million from the attack amid USR’s depeg.
Related: Google Threat Intel flags ‘Ghostblade’ crypto-stealing malware
USR is currently trading at around 87 cents, around 13% off from the $1 peg the token aims to maintain, according to CoinGecko.
The token had crashed to a low of 2.5 cents on a USR/USDC pool on the protocol Curve Finance, USR’s most liquid pool with a 24-hour volume of $3.6 million, per DEX Screener.
USR hit its bottom on Curve at 2:38 am UTC on Sunday, just 17 minutes after the attacker minted $50 million worth of the token. The pool has since recovered to trade at 84.5 cents.
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
Be the first to comment