Massive Token Exploit Causes Resolv Labs' USR Stablecoin to Lose Dollar Peg
The Resolv USR stablecoin has been compromised by a hacker who managed to create 80 million unbacked tokens, successfully extracting approximately $25 million from the protocol.
The dollar-pegged stablecoin associated with Resolv Labs has become unpegged from the US dollar following a security breach that enabled a malicious actor to exploit the token's smart contract and generate millions of unauthorized tokens.
On Sunday, Resolv Labs disclosed via X that its platform had suffered a security breach enabling a malicious actor to create 50 million unbacked Resolv USR (USR) tokens. "The team has currently paused all the protocol functions to prevent further malicious actions and is actively working on recovery," the company stated.
Prior to the official announcement on Sunday, the X account "yieldsandmore" had already alerted the platform that USR had experienced a significant price collapse after blockchain data revealed a malicious actor successfully minted 50 million USR tokens by depositing only $100,000 worth of the USDC stablecoin.
According to crypto security firm PeckShield, the malicious actor managed to create an additional 30 million USR tokens on top of the initial amount.
Crypto investment fund D2 Finance indicated that USR's smart contract had a critical flaw in its minting function. "Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing," the firm explained.
This security breach occurred following a significant decrease in cryptocurrency-related hacking incidents during February, when exploits resulted in $49 million in losses throughout the month, a stark contrast to the $385 million stolen in January, as hackers have been shifting their focus toward phishing scams rather than exploiting protocol vulnerabilities.
Attacker cashing out "at full speed" depegs USR
According to D2 Finance, the malicious actor rapidly transferred the 50 million USR tokens they had created to various cryptocurrency platforms, exchanging the tokens for USDC and USDt stablecoins before "aggressively" converting these holdings into Ether (ETH).
"The attacker's exit playbook is textbook DeFi hack cashout running at full speed," the firm stated.
D2 Finance further noted that USR was trading as low as 50 cents in certain transactions as available liquidity deteriorated and slippage increased across various platforms, with "multiple failed transactions visible on-chain showing the urgency."
According to the firm's calculations, the malicious actor successfully extracted approximately $25 million from the exploit during USR's depeg event.
According to CoinGecko data, USR is presently trading at approximately 87 cents, representing a roughly 13% deviation from the $1 peg the stablecoin is designed to maintain.
On Curve Finance, the token plummeted to an extreme low of 2.5 cents on a USR/USDC liquidity pool, which represents USR's highest-volume trading pool with $3.6 million in 24-hour trading activity, based on DEX Screener data.
The lowest point for USR on Curve occurred at 2:38 am UTC on Sunday, merely 17 minutes following the malicious actor's minting of $50 million worth of tokens. The trading pool has subsequently rebounded to trade at 84.5 cents.