In brief
- DeFi platform Resolv Labs’ USR stablecoin depegged and crashed more than 70% following an exploit Sunday.
- An attacker exploited the USR stablecoin contract using a compromised key and minted 80 million tokens.
- The hacker cashed out some $25 million through various DeFi protocols.
Resolv Labs’ USR stablecoin has depegged from the U.S. dollar and crashed more than 70% after an attacker exploited its contract to mint 80 million uncollateralized tokens.
According to a tweet from the DeFi platform, the attack leveraged a “compromised private key” to mint $80 million worth of uncollateralized USR. A post-mortem from blockchain forensics firm Chainalysis reported that the attacker then quickly converted the unbacked USR into a staked version, wstUSR, before swapping it into other stablecoins and then Ethereum.
In total, the attackers extracted roughly $25 million in value, Chainalysis noted. Following the exploit, USR lost its peg to the U.S. dollar, plunging by more than 74% according to CoinGecko, as the attacker moved to cash out the illegally minted tokens.
Resolv Labs stated that some $9 million in USR has been burned in order to “reduce the potential impact,” while the DeFi platform is “working with law enforcement and onchain analytics firms” to identify the hackers responsible and contain illicitly minted USR.
The firm paused all protocol functions in the wake of the exploit, and stated that it is preparing to enable redemptions for “pre-incident USR,” starting with allowlisted users.
According to analysis from data platform RootData, the attack method potentially involved “manipulated oracles, leaked off-chain signer keys” or other vulnerabilities in the minting mechanism. Chainalysis reported that the attack was enabled because minting approvals relied on an “off-chain service that used a privileged private key to sign off on how much USR could be created,” with the smart contract failing to impose any maximum limit on USR minting.
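The design gap Chainalysis describes, as an added example that is not Resolv's code and does not come from the original article: a simplified Python model in which an HMAC stands in for the off-chain signer's signature. The per-window cap, the collateral bound, and all names and values are illustrative assumptions.

```python
import hashlib
import hmac

def sign(key, recipient, amount, nonce):  # HMAC stands in for the signer's ECDSA signature
    msg = f"{recipient}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class SignatureOnlyMinter:
    """Weak design: a valid signature is the only limit on the amount."""
    def __init__(self, signer_key):
        self.signer_key, self.supply, self.used_nonces = signer_key, 0, set()

    def check_limits(self, amount, now):
        pass  # the contract itself enforces no bound

    def mint(self, recipient, amount, nonce, sig, now=0):
        expected = sign(self.signer_key, recipient, amount, nonce)
        if nonce in self.used_nonces or not hmac.compare_digest(sig, expected):
            raise PermissionError("bad or replayed approval")
        self.check_limits(amount, now)
        self.used_nonces.add(nonce)
        self.supply += amount
        return self.supply

class CappedMinter(SignatureOnlyMinter):
    """Hardened (assumed mitigation): the contract bounds what a valid signature can mint."""
    def __init__(self, signer_key, collateral, window_cap, window_s=3600):
        super().__init__(signer_key)
        self.collateral, self.window_cap, self.window_s = collateral, window_cap, window_s
        self.window_start, self.window_minted = 0, 0

    def check_limits(self, amount, now):
        if now - self.window_start >= self.window_s:  # start a new rate window
            self.window_start, self.window_minted = now, 0
        if self.window_minted + amount > self.window_cap:
            raise ValueError("mint exceeds per-window cap")
        if self.supply + amount > self.collateral:
            raise ValueError("mint exceeds recorded collateral")
        self.window_minted += amount

def demo():
    key = b"constructed-demo-key"  # constructed; plays the compromised signer key
    req = ("0xRecipient", 80_000_000, 1)  # constructed request; amount from the article
    sig = sign(key, *req)
    hard = CappedMinter(key, collateral=100_000_000, window_cap=1_000_000)
    try:
        hard.mint(*req, sig)
    except ValueError as err:
        print("hardened contract rejected the mint:", err)
    return SignatureOnlyMinter(key).mint(*req, sig), hard.supply
```

Calling `demo()` shows the same validly signed request minting in full under the signature-only model while the capped model's supply stays at zero.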
Crypto fund D2 Finance described the cash-out process as a “textbook DeFi hacking cash-out path,” with attackers sending USR in batches to multiple liquidity protocols while prioritizing large sell-offs.
This is the latest in a series of DeFi security incidents in recent months, including Solana protocol Step Finance’s decision to wind down weeks after suffering a $29 million hack, and an oracle error that left DeFi lender Moonwell with $1.8 million in bad debt.