DeFi protocol Resolv has recently fallen victim to a sophisticated exploit, resulting in the unauthorized minting of millions of its USR stablecoins and an estimated loss of $25 million. This incident underscores the persistent security challenges within the decentralized finance landscape, as a critical vulnerability allowed an attacker to severely de-peg the asset and drain significant value from the protocol.
The Exploit Unfolds
The attack targeted a critical flaw within Resolv's USR Counter smart contract. According to researchers at D2 Finance, the assailant initiated the exploit by depositing a modest 100,000 USDC through the requestSwap function. However, during the finalization stage of the exchange, specifically via the completeSwap function, the system erroneously issued an astounding 49.95 million USR stablecoins—a sum 500 times greater than the initial deposit. This massive, unwarranted issuance instantly caused the USR stablecoin to lose its vital peg to the US dollar, triggering widespread panic and a precipitous drop in its market value.
Technical Flaws and Financial Fallout
Analysts have highlighted several potential root causes for this critical system failure. These include possible price oracle manipulation, an offline validator compromise, or, most prominently, the absence of a crucial reconciliation algorithm in the smart contract, one that would verify amounts between the request and finalization stages of a swap. Once the attacker obtained the newly minted USR tokens, they swiftly converted them into their wrapped version, wstUSR, and aggressively offloaded them on decentralized exchanges. This rapid sell-off quickly exhausted liquidity pools and led to high slippage, driving the USR price down to a mere $0.34. The stolen funds were subsequently moved across various blockchain networks using cross-chain bridges and swaps. Resolv Labs has confirmed the breach and is actively engaged in mitigating the aftermath and exploring avenues for fund recovery, although a detailed post-mortem report is still awaiting publication.
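The missing reconciliation step described above can be modelled in a few lines. This is an added example, not Resolv's contract code and not taken from the D2 Finance analysis: a simplified Python counter that records the deposit at request time and, when reconciliation is enabled, refuses to finalize a mint above that deposit. The 1:1 USDC-to-USR rate, the 50 bps tolerance, the class and method names, and the mint amount being supplied by the caller at finalization are all assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


class ReconciliationError(Exception):
    """Finalized amount does not match what the request recorded."""


@dataclass
class SwapRequest:
    depositor: str
    deposit_usdc: Decimal
    completed: bool = False


class SwapCounter:
    # Simplified model (assumption): 1 USDC backs 1 USR, no fees or oracle.
    def __init__(self, reconcile: bool, tolerance_bps: int = 50):
        self.reconcile = reconcile
        self.tolerance = Decimal(tolerance_bps) / Decimal(10_000)
        self.requests: dict[int, SwapRequest] = {}
        self.usr_supply = Decimal(0)
        self.usdc_collateral = Decimal(0)

    def request_swap(self, depositor: str, deposit_usdc: Decimal) -> int:
        if deposit_usdc <= 0:
            raise ValueError("deposit must be positive")
        request_id = len(self.requests) + 1
        self.requests[request_id] = SwapRequest(depositor, deposit_usdc)
        self.usdc_collateral += deposit_usdc
        return request_id

    def complete_swap(self, request_id: int, mint_usr: Decimal) -> Decimal:
        req = self.requests[request_id]
        if req.completed:
            raise ReconciliationError("request already completed")
        if self.reconcile:
            # Bound the finalized amount by the deposit recorded at request time.
            ceiling = req.deposit_usdc * (1 + self.tolerance)
            if mint_usr <= 0 or mint_usr > ceiling:
                raise ReconciliationError(
                    f"mint {mint_usr} exceeds ceiling {ceiling} for request {request_id}")
        req.completed = True
        self.usr_supply += mint_usr
        return mint_usr

    def backing_ratio(self) -> Decimal:
        # Collateral per unit of supply; below 1 means unbacked issuance.
        return self.usdc_collateral / self.usr_supply if self.usr_supply else Decimal(1)
```

With reconcile=False, the article's figures (a 100,000 USDC request finalized as 49.95 million USR) go through and the backing ratio collapses; with reconcile=True the same finalization is rejected before supply changes.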