Decentralized finance platform Resolv said a recent cyberattack allowed a threat actor to compromise the company’s infrastructure and illicitly create $80 million worth of its USR stablecoin. USR is pegged to the U.S. dollar but plummeted in value on Saturday when the hacker created the uncollateralized coins and traded them for about 11,408 ETH, which is worth about $24.5 million. The company published a statement confirming the incident. USR was depegged from the U.S. dollar after the incident and is now worth about 26 cents.
“Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure through a compromised private key, resulting in the minting of approximately $80 million of uncollateralized USR.” The company said it is tracing the coins and trying to contain the spread of the illicitly minted USR. In a message to the attacker on the blockchain, Resolv offered the person 10% of the $24.5 million in ETH if they returned the rest and ceased all further activity with the exploited funds. “While this incident involved a vulnerability, the exploit was executed with clear malicious intent resulting in the creation of unbacked assets and potential secondary market impact,” they wrote.
They asked the person to transfer all remaining USR to them within 72 hours. Resolv threatened to coordinate with centralized exchanges to restrict or freeze the illicit assets. They also threatened to contact law enforcement and blockchain analytics firms as well as pursue legal action. Blockchain security company Chainalysis published its own post mortem explaining the incident.
The company called the situation a “case of overly trusting off-chain infrastructure.” The attacker started by depositing a relatively small amount (around $100K–$200K in USDC) and used it to interact with Resolv’s USR stablecoin minting system. Normally, users deposit USDC and receive an equivalent amount of USR in return. However, in this case, the attacker was able to mint around 80 million USR tokens, far beyond what their deposit should have allowed.
This was possible, according to Chainalysis, because minting approvals depend on another service that relies on a private key signing off on how much USR could be created. Once this was stolen, the company’s system did not enforce a maximum limit on minting. On Monday afternoon, Resolv said that it is temporarily pausing its app to contain the impact of the incident. “Once the protocol recovery plan is finalized and the application is safe to use again, all functionalities will be restored,” they said.
Resolv said it is now in contact with all verified users with USR holdings at the time of the incident and redemptions are now enabled. They urged customers not to trade USR or other Resolv tokens as they work to recover the illicitly made coins.
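The gap Chainalysis describes, modelled as an added example (not Resolv's code): a minting gate that trusts whatever amount the approval key signed, next to one that also bounds the amount against the deposit and a hard cap. The HMAC key standing in for the approval key, every name, and both limits are assumptions; the amounts are constructed to match the rough figures reported above.

```python
import hashlib
import hmac
from dataclasses import dataclass

SIGNER_KEY = b"constructed-demo-key"  # assumption: stands in for the off-chain approval key
MAX_MINT_PER_REQUEST = 5_000_000      # assumption: hard cap per mint, in USR
MAX_RATIO_BPS = 10_050                # assumption: at most 1.005 USR per 1 USDC deposited

@dataclass(frozen=True)
class Approval:
    depositor: str
    deposit_usdc: int  # what the vault actually received
    mint_usr: int      # what the off-chain service signed off on
    sig: bytes

def _digest(depositor, deposit_usdc, mint_usr, key):
    msg = f"{depositor}|{deposit_usdc}|{mint_usr}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign(depositor, deposit_usdc, mint_usr, key=SIGNER_KEY):
    """What the approval service does; anyone holding the key can do the same."""
    return Approval(depositor, deposit_usdc, mint_usr,
                    _digest(depositor, deposit_usdc, mint_usr, key))

def sig_ok(a, key=SIGNER_KEY):
    expected = _digest(a.depositor, a.deposit_usdc, a.mint_usr, key)
    return hmac.compare_digest(expected, a.sig)

def mint_signature_only(a):
    """Weak gate: a valid signature is the only condition on the amount."""
    return a.mint_usr if sig_ok(a) else 0

def mint_bounded(a):
    """Hardened gate: the signature is necessary but never sufficient."""
    if not sig_ok(a):
        return 0, "bad signature"
    if a.mint_usr > MAX_MINT_PER_REQUEST:
        return 0, "exceeds per-request cap"
    if a.mint_usr * 10_000 > a.deposit_usdc * MAX_RATIO_BPS:
        return 0, "exceeds deposited collateral"
    return a.mint_usr, "ok"

if __name__ == "__main__":
    honest = sign("0xUser", 150_000, 150_000)        # constructed sample
    rogue = sign("0xOther", 150_000, 80_000_000)     # signed with the stolen key
    print(mint_signature_only(rogue))                # weak gate mints the full amount
    print(mint_bounded(honest), mint_bounded(rogue)) # bounded gate rejects the rogue approval
```

With the bounds enforced by the minting gate itself, a stolen approval key can at most authorize mints that are already backed by a deposit.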













