Resolv USR Stablecoin Minting Exploit (March 2026)

2023-01-01

Resolv Labs founded by Ivan Kozlov, Fedor Chmile, and Tim Shekikhachev in Dubai, UAE.

2024-12-26

SERVICE_ROLE assigned to externally owned account wallet 0x15CAd41e6BdCaDc7121ce65080489C92CF6de398 — the key later compromised in the attack.

2025-04-15

Resolv Labs raises $10M seed round led by Cyber.Fund and Maven11, with Coinbase Ventures and others participating.

2026-01-26

Alleged entry point: Interlock ransomware group begins exploiting CVE-2026-20131, a zero-day in Cisco Secure Firewall Management Center, 36 days before a patch is issued. Connection to Resolv breach is alleged, not officially confirmed.

2026-03-18

Cisco issues patch for CVE-2026-20131.

2026-03-22

At 01:50 UTC, attacker submits swap request transaction (0x590b5c66) depositing approximately 100,000 USDC into the USR Counter contract.

2026-03-22

At 02:21 UTC, attacker calls completeSwap() (tx: 0xfe37f25e) via compromised SERVICE_ROLE key, minting 50 million USR — a ~500x over-mint ratio on the USDC deposit.

2026-03-22

Within 17 minutes of the first mint, USR price on Curve Finance collapses from $1.00 to approximately $0.025.

2026-03-22

At approximately 04:21 UTC, second minting transaction (tx: 0x41b6b937) mints an additional 30 million USR. Total unbacked supply reaches approximately 80 million USR.

2026-03-22

Attacker converts minted USR to wstUSR, then to stablecoins, then to approximately 11,409 ETH (~$23-25 million) across decentralized exchanges and bridges.

2026-03-22

Resolv Labs pauses all protocol functions. Fluid/Instadapp records $300M+ in outflows and $10M+ in bad debt. Euler, Venus, Lista DAO, and Inverse Finance pause USR markets. 15 Morpho vaults affected. Gauntlet vaults lose approximately $6 million in USDC to secondary hardcoded-oracle exploit.

2026-03-23

Resolv Labs publicly confirms the exploit. Protocol burns approximately 9 million USR from the attacker's account. Protocol reports functional insolvency: $95M assets vs $173M liabilities.

2026-03-24

Resolv issues 72-hour ultimatum to the attacker requesting return of 90% of funds in exchange for 10% white-hat bounty. No attacker response or fund movement publicly reported.

2026-05-27

Resolv Foundation announces tiered compensation plan: 1:1 USDC for pre-incident USR/wstUSR holders; 1:0.5 USDC for post-incident holders; 0.71 USDC plus RESOLV tokens for RLP holders. Claims window runs May 26 to August 26, 2026.

2026-05-27

Resolv Labs reports over $77 million redeemed for allowlisted pre-exploit USR holders, representing more than 90% of that group, completing phase one of recovery. Vault Street institutional RWA product line announced.