Resolv Labs Hack

In March 2026, Resolv Labs, issuer of the USR stablecoin, suffered the most consequential exploit of the quarter, about $25 million, when an attacker compromised the project’s AWS Key Management Service infrastructure. Analyses by Chainalysis and Halborn found the attacker used the stolen cloud keys to authorize the minting of roughly 80 million unauthorized USR from a collateral deposit of only about $100,000 to $200,000; the contract enforced a minimum output but had no maximum mint ratio, no on-chain oracle check, and no cap, so whatever the key holder signed was minted. The flood of unbacked tokens collapsed USR’s dollar peg to as low as $0.20 before a partial recovery near $0.56. The damage spread through what PeckShield termed shadow contagion: the USR crash created systemic bad debt across Morpho Blue, Euler, and Fluid, none of which were directly exploited, with Fluid/Instadapp alone absorbing over $10 million in bad debt and seeing about $300 million in single-day outflows. The case is a stark lesson in cloud-key custody, mint caps and oracle checks on stablecoin issuance, and the composability risk that lets one failure propagate across integrated protocols.