Resolv Exploit: A Vault Curation Disaster

A deep-dive into the Resolv Labs USR exploit, how a single compromised key, missing on-chain guards, and miscalculated vault share prices combined to extract $25M from a $500M+ protocol.

Table of Contents

1. Exploit Summary
2. What Is Resolv?
3. Three Failures, One Catastrophe
4. The Primary Attack: Unlimited Minting
5. The Secondary Attack: Free Money Glitch
6. How It Spread Across DeFi
7. Summary
8. About Us
9. FAQ

Exploit Summary

• Date: March 22, 2026
• Protocol: Resolv Labs (USR)
• Extracted: ~$25M ETH
• Attack Type: Key Compromise + Vault Inflation
• Unbacked USR Minted: $80M
• Net Value Extracted: ~$25M
• USR Peg Drop: −74%
• Morpho Vaults Hit: 15+

What Is Resolv?

Resolv is a stablecoin protocol built around a delta-neutral strategy. Its core product, USR, is a dollar-pegged token backed by a mix of ETH, staked ETH (stETH), and Bitcoin, with perpetual futures positions layered on top to hedge out directional price exposure. Think of it as an on-chain version of a carry trade: long spot, short perps, dollar-stable.

Key Architecture Point

USR minting was a two-step process: a user deposits USDC, an off-chain service validates the request and signs a completion message, and the smart contract then mints USR upon receiving that signature. The off-chain service held a privileged role called SERVICE_ROLE.

Three Failures, One Catastrophe

The incident is often summarized as a "compromised private key," which is technically accurate but undersells the structural fragility that made key compromise so catastrophic. There were three distinct failures that had to align for this attack to work.

Failure #1: SERVICE_ROLE was a Single EOA

The role that could authorize unlimited USR minting was controlled by a single externally owned account, not a multisig, not a timelock. One compromised key = unlimited print access.

Failure #2: No On-Chain Mint Limits

The minting contract had no oracle checks, no amount validation, and no maximum mint cap. The contract would mint whatever the SERVICE_ROLE said to mint, no questions asked.

Failure #3: No Anomaly Guards

There was no on-chain circuit breaker that would pause minting if the ratio of USDC deposited to USR minted deviated beyond a threshold. The attacker deposited $100K and received 50M USR.

Consequence: 500× Mint Ratio

The attacker deposited ~100,000 USDC and received back ~50,000,000 USR, a 500:1 ratio that the entire system accepted without complaint, because nothing was coded to reject it.

The Primary Attack: Unlimited Minting

The main attack is relatively straightforward once you understand the architecture. The attacker compromised the SERVICE_ROLE private key, likely through a targeted infrastructure breach of the off-chain signing service. With that key in hand, they could complete any minting request they submitted.

Primary Attack Vector, Compromised SERVICE_ROLE

1. Acquire SERVICE_ROLE Private Key Attacker compromises off-chain infrastructure hosting the privileged signing key. Method: unknown, likely spear-phishing or server-side breach.
2. Submit Minting Request with Minimal Collateral Attacker deposits ~100,000 USDC as collateral, triggering a standard mint request in the protocol.
3. Sign Completion with Inflated Amount Using the stolen key, the attacker self-signs the completion of the mint for ~50,000,000 USR. The contract has no max-mint guard to reject this 500× ratio.
4. Convert USR → wstUSR → USDC → ETH Attacker converts unbacked USR into its staked form (wstUSR), then batches sell into stablecoin pools and ultimately swaps into ETH, classic cash-out path across multiple venues to reduce slippage.
5. Exit with ~$25M in ETH Total extraction: ~$23–25M in ETH. Remaining unbacked supply collapses USR peg to as low as $0.02 at panic peak.

// Pseudocode: what the minting contract looked like
function completeMint(
    address recipient,
    uint256 usdcDeposited,
    uint256 usrToMint,   // ← THIS PARAM WAS NEVER VALIDATED
    bytes   signature
) external {
    // Only check: is signature from SERVICE_ROLE?
    require(isValidServiceSignature(signature), "Bad sig");

    //  No check: usrToMint / usdcDeposited <= MAX_RATIO
    //  No check: usrToMint <= globalMintCap
    //  No oracle to verify fair exchange rate

    _mint(recipient, usrToMint); // prints whatever was requested
}

The Secondary Attack: Breaking Morphos Vault Architecture

The primary exploit drained ~$25M, but a second, more technically nuanced attack was run in parallel against lending vaults on Morpho and similar protocols. This one exploits how curated vaults price their internal market positions, and it works as long as there is a stale or hardcoded oracle for the collateral asset (in this case, USR or wstUSR).

The core insight: after the depeg, USR on the open market is worth $0.02. But certain Morpho markets still value USR collateral at $1.00, its pre-exploit oracle price. This creates a massive arbitrage between "real value" and "vault-perceived value."

Key Insight

The vault's share price formula adds up the value of its positions in each underlying market. If one market holds wstUSR collateral but prices it at $1 instead of $0.02, the vault thinks it has 50× more assets than it actually does. This inflated book value lets early withdrawers drain real assets from later withdrawers.

Secondary Attack Vector, Vault Share Price Inflation (Flashloan)

1. Flashloan a large amount of USDC No capital required. Attacker borrows e.g. 1,000,000 USDC via Balancer or Aave flashloan, repayable within the same transaction.
2. Deposit USDC into the target vault to receive shares Attacker deposits USDC into, e.g., a Gauntlet USDC Core vault on Morpho. They receive vault shares calculated at the current (inflated) vault NAV per share.
3. Deposit cheap USR into the vault's underlying USR/USDC market on behalf of the vault Attacker acquires depegged USR at market price (~$0.02) and deposits it as "supply" into the Morpho USR/USDC market that the vault is allocated to. This inflates the market's total supply balance and makes the vault believe its allocation there is worth more.
4. Borrow USDC from that market using undervalued USR as collateral Since the market's oracle still prices USR at $1, the attacker can borrow $0.80 of USDC per $0.02-worth of USR, a 40× leverage ratio versus real collateral value.
5. Vault now overestimates its share value The vault's NAV per share calculation sums its positions across markets. The USR market position is priced at oracle ($1) not reality ($0.02), so the vault believes each share is worth far more than it is. The "donated" USR shares appear as yield earned.
6. Withdraw USDC from vault by burning shares at inflated price Using the shares obtained in step 2 (priced at the now-inflated NAV), attacker redeems them for more USDC than they deposited, extracting real assets that belong to other depositors.
7. Repay flashloan, keep profit Flashloan repaid. Net result: attacker extracted real USDC from the vault by exploiting the gap between oracle-valued and market-valued USR. Repeated across multiple pools for ~100k+ in total.

// Conceptual pseudocode for the vault share inflation attack

async function attack() {
  // Step 1: Borrow capital, costs nothing upfront
  const flashAmount = 1_000_000 USDC;
  flashloan.borrow(flashAmount);

  // Step 2: Enter the vault legitimately
  const sharesReceived = vault.deposit(flashAmount);
  // shares priced at current (inflated) NAV per share

  // Step 3: Acquire cheap, depegged USR off the market
  const usrBought = dex.swap(USDC(10_000) → USR);
  // Buy $10,000 worth of USR at $0.02 = 500,000 USR tokens

  // Step 4: Deposit that USR into the underlying Morpho market
  // This inflates the market's total assets, boosting vault NAV
  morphoMarket.supplyCollateral(usrBought, onBehalfOf=vault);

  // Step 5: Borrow USDC against USR at oracle price ($1)
  // Oracle says 500k USR = $500k collateral → borrow up to $400k USDC
  // Reality: 500k USR worth $10k → this is 40× undercollateralized
  morphoMarket.borrow(USDC(400_000), collateral=usrBought);

  // Step 6: Vault now thinks its market allocation is worth more
  // (donated USR "yield" was included in NAV calc)
  const usdcOut = vault.redeem(sharesReceived);
  // usdcOut > flashAmount ← profit extracted from other depositors

  // Step 7: Repay flashloan
  flashloan.repay(flashAmount + fee);

  profit = usdcOut - flashAmount - fee;
}

Why This Extends to Morpho Forks

Any ERC-4626 style vault that (a) allocates to isolated markets with third-party oracles and (b) computes NAV per share by summing those market positions at oracle price is vulnerable to this pattern whenever an oracle depegs from reality. This includes Euler vaults, custom MetaMorpho deployments, and similar curator-model protocols.

How It Spread Across DeFi

The Resolv exploit is a textbook example of DeFi composability risk. USR wasn't siloed, it was integrated as collateral, yield source, and liquidity across a web of protocols. When USR depegged, every integration became a liability.

Protocol	Exposure Type	Impact	Status
Morpho (Gauntlet vaults)	wstUSR/USDC lending market	~$7.5M+ direct exposure; share inflation losses	Paused deposits
Euler Labs	RLP collateral market	Disabled RLP collateral function	Isolated
Fluid (Instadapp)	USR lending market	Bad debt; team took personal loans to cover 100%	Covered
Aave	Liquidity provider (not collateral)	None, collateral assets unaffected	Safe
Curve Finance	USR liquidity pools	Cascading liquidations; LP losses	Affected
Stream Finance	13.6M RLP on Morpho (~$17M)	Second major loss event after Nov 2025 incident	Affected

Perhaps most strikingly, Gauntlet USDC Core, one of Morpho's largest and most trusted "blue chip" yield vaults, had ~$4.95M allocated to a wstUSR/USDC market. Users who considered themselves in a conservative yield product were in fact exposed to tail risk from a delta-neutral stablecoin's off-chain signing service.

Summary

A single off-chain signing key with no on-chain checks was compromised, allowing $80M in unbacked USR to be minted for a ~$100K collateral deposit. The attacker extracted ~$25M by converting USR through wstUSR into ETH. Simultaneously, a second attacker (or the same one) exploited Morpho vault share pricing by depositing depegged USR as "yield" to inflate vault NAVs, then withdrawing real USDC against the phantom appreciation, a flashloan-based attack that works on any curator-model vault that trusts stale oracles for its NAV calculation.

The underlying collateral is safe. The architectural lesson is not new, off-chain signers controlling on-chain money supplies need on-chain constraints, but it will be paid in full once more.

About Us

At SC Audit Studio, we specialize in protocols security assessments. Our team of experts has worked with companies like Aave, 1Inch and several more to conduct security assessments. Partner with us to enhance your project's security and gain peace of mind.

Reach out to us for queries and security assessments!