Verify a decision

{"actor":"system:backfill","investigation_id":"a09586e0-025f-4c89-9ab1-7c8b7a3de203","kind":"publish","page_slug":"resolv-labs","published_at":"2026-06-01T17:49:06.499Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Resolv Labs","sections":[{"content":"On March 22, 2026, at approximately 02:21 UTC, an attacker executed a multi-stage infrastructure compromise against Resolv Labs, resulting in the unauthorized minting of approximately 80 million USR tokens and the extraction of roughly $25 million in ETH. The attack vector originated from a third-party project where a Resolv contractor had previously contributed; when that third-party project was compromised, attackers obtained the contractor's GitHub credentials. These credentials were used to infiltrate Resolv's CI/CD pipeline and exfiltrate AWS cloud infrastructure credentials, ultimately granting the attacker signing authority over the protocol's privileged SERVICE_ROLE minting key. Using the compromised key, the attacker deposited approximately $100,000–$300,000 in USDC but authorized the minting of 50 million USR in the first transaction and 30 million USR in a second transaction at 03:41 UTC, representing an effective collateralization ratio of approximately 0.4%. The protocol's on-chain contracts contained no maximum mint limits, no oracle price checks, and no collateral proportionality safeguards — all validation was delegated entirely to off-chain infrastructure. The attacker converted minted USR to wrapped staked USR (wstUSR) to bypass immediate liquidity constraints, then rotated through multiple DEX pools to exit into ETH. The Resolv team began responding at approximately 04:21 UTC after a threat monitoring alert, and smart contracts were paused at 05:16 UTC, with compromised credentials revoked at 05:30 UTC. The protocol confirmed it engaged external forensic firms including Hypernative, Hexens, MixBytes, SEAL 911, Mandiant, and ZeroShadow. A post-mortem was published on April 4, 2026, acknowledging that over-broad contractor credentials had persisted after the engagement ended, that CI/CD workflow exploits for credential exfiltration were undetected, and that minting operations relied entirely on compromised off-chain controls with no independent on-chain limits.","heading":"March 2026 Security Exploit","severity":"critical","sources":[{"credibility":1,"name":"Resolv Postmortem: March 22, 2026 Incident (Official)","type":"official","url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"credibility":1,"name":"Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/23/resolv-stablecoin-drops-70-after-usd80-million-exploit-after-attacker-mints-usr"},{"credibility":1,"name":"Resolv's USR stablecoin depegs after attacker mints 80 million unbacked tokens — The Block","type":"news_article","url":"https://www.theblock.co/post/394582/resolvs-usr-stablecoin-depegs-after-attacker-mints-80-million-unbacked-tokens-extracts-roughly-25-million"},{"credibility":2,"name":"The Resolv Hack: How One Compromised Key Printed $23 Million — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/"},{"credibility":2,"name":"Resolv Labs $25M Exploit: Unchecked Mint (Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/resolv-labs-exploit-explained"},{"credibility":2,"name":"How $25 Million Disappeared in 17 Minutes: Code-Level Autopsy — CoinsBench","type":"research","url":"https://coinsbench.com/how-25-million-disappeared-in-17-minutes-a-code-level-autopsy-of-the-resolv-hack-5498785957f6"}]},{"content":"In the immediate aftermath of the March 22, 2026 exploit, USR depegged from its $1.00 target to approximately $0.025 within 17 minutes — a decline of approximately 97.5%. The price partially recovered as the protocol began emergency communications, but settled at approximately $0.27 by one week post-incident, representing a 73% loss from peg. In the aftermath, the protocol was reported to hold approximately $95 million in assets against $173 million in liabilities, leaving it functionally insolvent with an alleged undercollateralization gap exceeding $78 million. The protocol acknowledged effective insolvency and introduced a tiered compensation framework, with an announcement on or around May 27, 2026 outlining recovery terms for affected user categories. Approximately 46 million of the 80 million illicitly minted USR tokens were neutralized through direct burns and the deployment of on-chain blacklist functionality. Pre-hack USR holders were offered 1:1 redemption priority, with Resolv claiming most redemptions had been processed as of the post-mortem publication. The RESOLV governance token, which had a circulating supply of approximately 390 million against a maximum supply of one billion at the time of reporting, reflected market skepticism with a market capitalization of approximately $14.5 million — far below the fully diluted value — suggesting the market was pricing in either extreme dilution or incomplete recovery.","heading":"USR Stablecoin Depeg and Protocol Insolvency","severity":"critical","sources":[{"credibility":1,"name":"Resolv Postmortem: March 22, 2026 Incident (Official)","type":"official","url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"credibility":1,"name":"Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/23/resolv-stablecoin-drops-70-after-usd80-million-exploit-after-attacker-mints-usr"},{"credibility":2,"name":"Resolv's $25M Flow: A $95M Asset Drain Through a $23M Extraction — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/resolv-25m-flow-95m-asset-drain-23m-extraction-2603/"},{"credibility":2,"name":"Resolv Labs Start Recovery After $25M USR Stablecoin Exploit — DailyCoin","type":"news_article","url":"https://dailycoin.com/resolv-labs-usr-stablecoin-exploit-25m-depeg/"}]},{"content":"Resolv Labs conducted an extensive auditing program prior to the March 2026 exploit, engaging at least four reputable smart contract security firms: MixBytes, Pashov Audit Group, Sherlock, and Pessimistic Security. The audit timeline spans from May 2024 through early 2026, covering core token contracts, staking mechanisms, treasury connectors, request managers, and the TheCounter smart contract component. Despite this program — described by the protocol as comprising up to 14 or 18 individual audits depending on the source — none of the audits identified the architectural trust model flaw that enabled the exploit. As multiple post-incident analysts noted, traditional smart contract audits examine on-chain bytecode and Solidity logic against specifications, but do not audit the operational security of off-chain infrastructure components such as AWS Key Management Service configurations, CI/CD pipeline permissions, or contractor credential hygiene. The exploit was not a Solidity vulnerability; it was an infrastructure operations security failure. This represents a category of risk that is structurally outside the scope of conventional smart contract auditing, and Resolv's public security page did not document continuous runtime monitoring or penetration testing of its off-chain backend as part of its security posture.","heading":"Smart Contract Audit History","severity":"high","sources":[{"credibility":1,"name":"Resolv Security Documentation — Official Docs","type":"official","url":"https://docs.resolv.xyz/litepaper/resources/security"},{"credibility":2,"name":"Pashov Audit Group — Resolv Security Review (October)","type":"research","url":"https://github.com/pashov/audits/blob/master/team/md/Resolv-security-review-October.md"},{"credibility":2,"name":"Resolv Liquidity Pool Smart Contract Audit — Cyberscope","type":"research","url":"https://www.cyberscope.io/audits/coin-resolv-liquidity-pool"},{"credibility":2,"name":"Resolv Labs $25M Exploit: Unchecked Mint (Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/resolv-labs-exploit-explained"}]},{"content":"Resolv Protocol issues USR, an Ethereum-collateralized stablecoin that uses delta-neutral hedging via perpetual futures short positions to maintain its USD peg. For each unit of ETH deposited as collateral, the protocol holds a corresponding short perpetual futures position, theoretically neutralizing directional price risk. The protocol does not require overcollateralization for USR minting, distinguishing it from systems such as MakerDAO. Residual risks — including funding rate volatility, counterparty credit risk from centralized exchanges, basis risk between spot and perpetual markets, and protocol-specific operational risks — are segregated into the RLP (Resolv Liquidity Pool) token. RLP holders absorb losses in exchange for higher yield, functioning as a leveraged insurance layer. Key structural risks acknowledged by Resolv's own documentation include: (1) Funding rate risk — perpetual futures funding rates can turn negative, reducing or eliminating USR yield; historically extreme rates have reached negative 0.6% in a single 8-hour period. (2) Counterparty and credit risk — the protocol maintains short positions on centralized exchanges (CEXes), exposing collateral to exchange insolvency risk analogous to the FTX collapse of 2022; Resolv addresses this in part by holding collateral in off-exchange institutional custodians. (3) Basis risk — divergence between ETH spot and perpetual futures prices during market dislocations can cause temporary mismatch. (4) Liquidity risk — during market stress, futures liquidity contraction and cascade liquidations could impair the protocol's ability to rebalance positions. (5) The pre-hack architecture placed a single unchecked off-chain private key (SERVICE_ROLE) as the only gate for minting, with no on-chain collateral ratio enforcement, which was the direct enabler of the March 2026 exploit.","heading":"Protocol Mechanism and Structural Risks","severity":"high","sources":[{"credibility":1,"name":"Delta-neutral is not risk-free: How Resolv mitigates architecture-specific risks — Resolv Labs Blog","type":"official","url":"https://resolv.xyz/blog/delta-neutral-risk-free-how-resolv-mitigates-architecture-specific-risks"},{"credibility":2,"name":"Resolv Protocol Review: A Delta-Neutral Stablecoin Backed by ETH and BTC — Coin Bureau","type":"news_article","url":"https://coinbureau.com/review/resolv-protocol-review/"},{"credibility":2,"name":"Understanding the Resolv Protocol — OSL Academy","type":"news_article","url":"https://www.osl.com/en/academy/article/understanding-the-resolv-resolv-protocol"},{"credibility":2,"name":"The Resolv Hack: How One Compromised Key Printed $23 Million — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/"}]},{"content":"The RLP (Resolv Liquidity Pool) token is designed to function as the protocol's first-loss tranche, absorbing all risks that would otherwise threaten USR's peg stability. RLP holders earn higher yield than USR holders in exchange for this risk subordination. In normal operation, the protocol's Target Capital Adequacy mechanism suspends new USR minting if the RLP pool's liquidity falls below a minimum threshold, providing a circuit breaker. However, the March 2026 exploit demonstrated that this protection mechanism was ineffective against an off-chain compromise: because the exploit bypassed on-chain validation entirely, the Capital Adequacy checks were never triggered. RLP holders suffered direct and disproportionate losses as the protocol's liability exceeded its assets following the exploit. The protocol's reported $173 million in liabilities against $95 million in assets post-exploit indicates that the RLP buffer was entirely consumed and the losses extended beyond the RLP layer to affect USR holders. Prospective RLP holders should note that the token is effectively a leveraged position on the sustainability of the delta-neutral strategy, centralized exchange counterparty solvency, and the operational security of Resolv's off-chain infrastructure — all of which are materially harder to audit or price than on-chain smart contract risk.","heading":"RLP Token Risk Profile","severity":"high","sources":[{"credibility":1,"name":"Resolv RLP — Official Protocol Page","type":"official","url":"https://resolv.xyz/rlp"},{"credibility":2,"name":"Resolv Liquidity Provider Token Exploit Triggers $25M Loss and Depeg of USR Stablecoin — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/resolv-liquidity-provider-token-exploit-triggers-25m-loss-depeg-usr-stablecoin-2603/"},{"credibility":2,"name":"Resolv hack deepens DeFi fallout as critical stablecoin risks — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/03/23/resolv-hack-defi-stablecoin-risks/"}]},{"content":"Resolv Labs was founded in June 2023 and is incorporated in Abu Dhabi, UAE. The three co-founders are Ivan Kozlov (CEO), Fedor Chmilev (CTO), and Tim Shekikhachev (CPO). All three are publicly named and have professional histories in traditional finance and technology. Kozlov's background is in structured products in traditional finance; Chmilev previously worked at Revolut; Shekikhachev has experience at Citibank in financial derivatives. All three are reported to have graduated from Russian engineering institutions including Moscow Power Engineering Institute, Moscow State University, and Moscow Institute of Physics and Technology. The team's real-world identities are disclosed, reducing anonymous team risk. However, the March 2026 post-mortem revealed that contractor credential management practices were inadequate — specifically, contractor accounts with broad infrastructure access were not deprovisioned after engagements ended, a lapse in operational security that directly enabled the exploit. The company raised a $10 million seed round in April 2025, led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, Robot Ventures, Animoca Ventures, Gumi Cryptos, and others.","heading":"Team and Transparency","severity":"low","sources":[{"credibility":1,"name":"Resolv Labs Raises $10M as Crypto Investor Appetite for Yield-Bearing Stablecoins Soars — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/04/15/resolv-labs-raises-usd10m-as-crypto-investor-appetite-for-yield-bearing-stablecoins-soars"},{"credibility":2,"name":"Resolv Labs' Ivan Kozlov On His Startup's $10 Million Seed — Incarabia","type":"news_article","url":"https://en.incarabia.com/resolv-labs%E2%80%99-ivan-kozlov-on-his-company%E2%80%99s-us10-million-seed-732860.html"},{"credibility":2,"name":"Resolv Labs Founders and Board — Tracxn","type":"other","url":"https://tracxn.com/d/companies/resolv-labs/__vI3evMwzg8BmrRaYcCQyu6n1ZG4WjHYV_6Y_gds3CS0/founders-and-board-of-directors"},{"credibility":1,"name":"Resolv Postmortem: March 22, 2026 Incident (Official)","type":"official","url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"}]},{"content":"Prior to the March 2026 exploit, Resolv Protocol had achieved significant traction in the yield-bearing stablecoin segment. As of approximately March 21, 2026 — one day before the attack — the protocol held approximately $34.3 million in TVL per DeFi Llama data, though some sources cited TVL as high as $450 million during peak growth in April 2025 at the time of its seed round announcement. Following the exploit and subsequent protocol halt, TVL collapsed materially. The RESOLV governance token, distributed via airdrop to early protocol participants, traded at a market capitalization of approximately $14.5 million post-incident against a circulating supply of approximately 390 million tokens and a maximum supply of one billion. The protocol was paused on March 22, 2026, with smart contracts halted and backend services suspended. As of the post-mortem and subsequent communications, the team was executing infrastructure remediation, rebuilding access controls, and processing a tiered user compensation plan. The protocol announced intentions to resume operations with significantly revised off-chain security architecture, including elimination of single-key minting authority and implementation of independent on-chain collateral validation. Resolv also announced a new institutional product line, Vault Street, focused on real-world asset strategies.","heading":"TVL, Market Position, and Operational Status","severity":"medium","sources":[{"credibility":2,"name":"Resolv TVL, Fees and Revenue — DeFi Llama","type":"onchain","url":"https://defillama.com/protocol/resolv"},{"credibility":1,"name":"Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/23/resolv-stablecoin-drops-70-after-usd80-million-exploit-after-attacker-mints-usr"},{"credibility":1,"name":"Resolv Labs Raises $10M Seed — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/04/15/resolv-labs-raises-usd10m-as-crypto-investor-appetite-for-yield-bearing-stablecoins-soars"}]},{"content":"Resolv Labs is incorporated in Abu Dhabi, UAE, and USR is a crypto-collateralized, algorithmically managed stablecoin rather than a fiat-backed payment stablecoin. As such, USR is structurally distinct from stablecoins targeted by the U.S. GENIUS Act (2026) or the EU MiCA framework, which primarily apply to fiat-referenced, centrally-issued payment tokens. No SEC, CFTC, or other regulatory enforcement actions against Resolv Labs or its principals have been identified in available sources as of May 2026. However, the March 2026 exploit and the protocol's subsequent functional insolvency may attract regulatory scrutiny in the UAE, where the company is domiciled, as well as in jurisdictions where USR was actively marketed or traded. Additionally, the use of perpetual futures on centralized exchanges as a core protocol mechanism introduces potential exposure to derivative trading regulations. The protocol has stated it is working with law enforcement in connection with the March 2026 exploit. No formal charges or investigations have been publicly disclosed.","heading":"Regulatory Considerations","severity":"medium","sources":[{"credibility":2,"name":"Stablecoin Regulation in 2026: Who Regulates Them — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/en-stablecoin-regulation-in-2026-who-regulates-them-compliance-status-and-most-regulated-coins"},{"credibility":1,"name":"Resolv Postmortem: March 22, 2026 Incident (Official)","type":"official","url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"}]}],"sources_used":[{"name":"Resolv Postmortem: March 22, 2026 Incident — Official","type":"official","url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"name":"Resolv stablecoin crashes 70% as attacker extracts $25 million in ETH — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/23/resolv-stablecoin-drops-70-after-usd80-million-exploit-after-attacker-mints-usr"},{"name":"Resolv's USR stablecoin depegs after attacker mints 80 million unbacked tokens — The Block","type":"news_article","url":"https://www.theblock.co/post/394582/resolvs-usr-stablecoin-depegs-after-attacker-mints-80-million-unbacked-tokens-extracts-roughly-25-million"},{"name":"The Resolv Hack: How One Compromised Key Printed $23 Million — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/"},{"name":"Resolv Labs $25M Exploit: Unchecked Mint (Explained) — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/resolv-labs-exploit-explained"},{"name":"How $25 Million Disappeared in 17 Minutes — CoinsBench","type":"research","url":"https://coinsbench.com/how-25-million-disappeared-in-17-minutes-a-code-level-autopsy-of-the-resolv-hack-5498785957f6"},{"name":"Resolv Security Documentation — Official Docs","type":"official","url":"https://docs.resolv.xyz/litepaper/resources/security"},{"name":"Resolv Labs Raises $10M Seed Round — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/04/15/resolv-labs-raises-usd10m-as-crypto-investor-appetite-for-yield-bearing-stablecoins-soars"},{"name":"Delta-neutral is not risk-free — Resolv Labs Blog","type":"official","url":"https://resolv.xyz/blog/delta-neutral-risk-free-how-resolv-mitigates-architecture-specific-risks"},{"name":"Resolv TVL, Fees and Revenue — DeFi Llama","type":"onchain","url":"https://defillama.com/protocol/resolv"},{"name":"Pashov Audit Group — Resolv Security Review","type":"research","url":"https://github.com/pashov/audits/blob/master/team/md/Resolv-security-review-October.md"},{"name":"Resolv Liquidity Pool Smart Contract Audit — Cyberscope","type":"research","url":"https://www.cyberscope.io/audits/coin-resolv-liquidity-pool"},{"name":"A Deepdive into the Resolv Labs Hack — Cointegrity Substack","type":"research","url":"https://cointegrity.substack.com/p/a-deepdive-into-the-resolv-labs-hack"},{"name":"Resolv Labs $25M Exploit on Ainvest","type":"news_article","url":"https://www.ainvest.com/news/resolv-liquidity-provider-token-exploit-triggers-25m-loss-depeg-usr-stablecoin-2603/"},{"name":"Resolv Labs Raises $10M Seed Round Led by Cyber.Fund — Wamda","type":"news_article","url":"https://www.wamda.com/2025/04/resolv-labs-raises-10-million-seed-round-led-cyberfund"}],"summary":"Resolv Labs is a UAE-based DeFi startup that operates the Resolv Protocol, issuing the USR delta-neutral stablecoin backed by ETH collateral hedged with perpetual futures short positions. On March 22, 2026, an attacker compromised the protocol's off-chain signing infrastructure via stolen contractor credentials, minting approximately 80 million unbacked USR tokens and extracting roughly $25 million in ETH, causing USR to depeg by up to 97% within minutes. The protocol acknowledged effective insolvency in the immediate aftermath and has since initiated a tiered compensation plan while rebuilding infrastructure security.","timeline":[{"date":"2023-06-01","event":"Resolv Labs founded in Abu Dhabi by Ivan Kozlov, Fedor Chmilev, and Tim Shekikhachev.","source":"Tracxn / Zoonop","source_url":"https://zoonop.com/articles/resolv-labs"},{"date":"2024-05-01","event":"First smart contract audits conducted by MixBytes and Pessimistic Security covering token and staking contracts.","source":"Resolv Security Documentation","source_url":"https://docs.resolv.xyz/litepaper/resources/security"},{"date":"2024-11-01","event":"Sherlock and MixBytes conduct comprehensive audits of core treasury and token contract infrastructure.","source":"Resolv Security Documentation","source_url":"https://docs.resolv.xyz/litepaper/resources/security"},{"date":"2025-04-15","event":"Resolv Labs closes $10 million seed round led by Cyber.Fund and Maven11, with participation from Coinbase Ventures, Arrington Capital, Robot Ventures, and Animoca Ventures among others.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2025/04/15/resolv-labs-raises-usd10m-as-crypto-investor-appetite-for-yield-bearing-stablecoins-soars"},{"date":"2026-03-22","event":"Attacker compromises Resolv Labs' AWS KMS signing infrastructure via stolen contractor GitHub credentials, minting 80 million unbacked USR tokens and extracting approximately $25 million in ETH. USR depegs to $0.025 within 17 minutes.","source":"Resolv Official Post-mortem / CoinDesk / The Block","source_url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"date":"2026-03-22","event":"Resolv team pauses smart contracts at 05:16 UTC and revokes compromised credentials at 05:30 UTC. Protocol engages Hypernative, Hexens, MixBytes, SEAL 911, Mandiant, and ZeroShadow for forensic response.","source":"Resolv Official Post-mortem","source_url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"date":"2026-03-23","event":"Resolv announces recovery framework and begins enabling redemptions for pre-incident USR holders. Protocol acknowledges approximately $95 million in assets against $173 million in liabilities.","source":"Ainvest / DailyCoin","source_url":"https://www.ainvest.com/news/resolv-25m-flow-95m-asset-drain-23m-extraction-2603/"},{"date":"2026-04-04","event":"Resolv Labs publishes official post-mortem detailing the full attack chain, security failures, and recovery steps taken.","source":"Resolv Official Blog","source_url":"https://resolv.xyz/blog/resolv-postmortem-march-22-2026-incident"},{"date":"2026-05-27","event":"Resolv Foundation announces a tiered compensation plan to make affected users whole and stabilize the ecosystem.","source":"CoinMarketCap / Latest Resolv News","source_url":"https://coinmarketcap.com/cmc-ai/resolv/latest-updates/"}]},"v":1}