The $100K Deposit That Unlocked $23 Million

Picture this: you walk into a bank, deposit $100, and hand the teller a signed note authorizing yourself to withdraw $23 million. The teller β€” following the rules exactly as written β€” processes it without blinking. No flags. No secondary check. No alarm.

That’s essentially what happened to Resolv.

Resolv is a DeFi protocol that issues a stablecoin called USR, backed by USDC collateral. Users deposit USDC and receive a matching amount of USR in return. The system is designed to maintain a 1:1 ratio β€” one dollar in, one dollar out.

On March 22, an attacker deposited approximately $100,000–$200,000 in USDC across a handful of transactions. Then they used a stolen cloud signing key to authorize the minting of 80 million USR tokens β€” roughly $25 million worth β€” backed by almost nothing.

By the time Resolv Labs halted the protocol, the attacker had converted those tokens into approximately 11,400 ETH (~$24 million) and was still trying to mint more. USR’s price had collapsed from $1.00 to $0.20 β€” an 80% crash in minutes. Holders who didn’t move fast lost most of their money.

DeFi Minting 101: How It’s Supposed to Work

Before we can understand the exploit, we need to understand how Resolv’s minting mechanism was designed to operate β€” because the hack didn’t break the system. The system did exactly what it was told.

The Two-Step Dance

Resolv’s USR minting isn’t a simple one-click swap like you’d find on Uniswap. Instead, it uses a two-step off-chain approval process:

Step 1 β€” requestSwap: A user deposits USDC into Resolv’s USR Counter smart contract and submits a minting request. The contract logs the deposit and waits.

Step 2 β€” completeSwap: An off-chain service β€” controlled by a special privileged key called the SERVICE_ROLE β€” reviews the request and calls back to the smart contract with a signed message saying how much USR to mint.

This design has a logic to it. Off-chain services can run complex valuation logic, check collateral ratios against real-time data, verify KYC, or apply dynamic limits. The idea is that the blockchain executes, but a trusted service does the thinking.

Where It Goes Wrong: No Ceiling

Here’s the fatal flaw: the smart contract enforced a minimum USR output, but no maximum.

There was no on-chain cap. No price oracle to verify the collateral ratio. No check that said β€œwait β€” this $100K deposit shouldn’t produce 50 million tokens.” Whatever amount the SERVICE_ROLE key signed, the contract would mint. No questions asked.

The entire trust model of the system sat on a single signing key. If that key was secure, the system was fine. If it wasn’t…

Step by Step: How the Hack Unfolded

Step 1: Compromising the AWS KMS Environment

The attacker’s first move was entirely off-chain. They breached Resolv’s cloud infrastructure and gained access to its AWS Key Management Service (KMS) environment β€” the cloud vault where the protocol’s privileged SERVICE_ROLE signing key was stored.

AWS KMS is Amazon’s managed service for creating and controlling cryptographic keys. It’s the same service used by enterprises, banks, and yes, DeFi protocols to store sensitive signing keys in hardware security modules (HSMs). When configured correctly, it’s extremely difficult to compromise.

The specific attack vector β€” how the attacker actually breached the KMS environment β€” has not been publicly disclosed. It may have been phishing, a compromised developer credential, a misconfigured IAM policy, or a supply chain attack. What we know is that once inside, they had the ability to sign anything using Resolv’s own key.

With the SERVICE_ROLE key in hand, the attacker could impersonate Resolv’s own minting service.

Step 2: The Minting Transactions

Armed with the signing key, the attacker submitted two swap requests using modest USDC deposits. Then, using the compromised SERVICE_ROLE key, they called completeSwap with dramatically inflated output amounts:

  • Transaction 1: Authorized the minting of 50 million USR (on-chain)
  • Transaction 2: Authorized the minting of 30 million USR (on-chain)

Total: 80 million USR tokens minted from a ~$100K–$200K collateral base. A $100K deposit leveraged into $25 million in freshly printed stablecoins.

The smart contract didn’t ask why. The signature was valid. The rules said mint. So it minted.

Step 3: Wrapping to Escape Detection

Here’s where it gets clever. The attacker didn’t immediately try to dump 80 million USR on DEX pools β€” that would have crashed the price immediately and triggered liquidity alarms.

Instead, they first converted USR into wstUSR (wrapped staked USR) β€” a derivative token representing a share of Resolv’s staking pool. This move served two purposes:

  1. It obscured the supply shock. wstUSR represents a pool share rather than a fixed number of USR, so the flood wasn’t immediately visible to casual observers.
  2. It moved the position into a more fungible form that could be gradually unwound across multiple liquidity pools without hitting a single pool’s limits.

Step 4: Cashing Out via DEX Rotation

From wstUSR, the attacker systematically rotated through:

  • wstUSR β†’ other stablecoins (USDC, USDT)
  • Stablecoins β†’ ETH

They used multiple DEX pools and bridges to maximize extraction and scatter the on-chain trail. By the time the dust settled, the attacker’s wallet held approximately 11,400 ETH (~$24 million) and ~20 million wstUSR (worth about $1.3 million at the depressed post-hack prices).

The Aftermath: 80% Crash, Protocol Halt

As the 80 million unbacked USR tokens hit the market, liquidity pools couldn’t absorb the flood. USR’s peg β€” the fundamental promise that 1 USR = $1 β€” collapsed.

The token dropped to $0.20 at its lowest point before partially recovering to around $0.56 in the hours that followed. Holders who had deposited real dollars into USR for yield watched 80% of their value evaporate in minutes.

Resolv Labs issued an emergency statement via X (formerly Twitter) and suspended all protocol functions to prevent further damage. The pause came just in time β€” on-chain data shows the attacker was already attempting additional minting transactions when the protocol went dark.

The Real Lesson: Off-Chain Infrastructure Is On-Chain Attack Surface

Here’s the uncomfortable truth that the Resolv hack forces us to confront: in DeFi, the security of your money is only as strong as the weakest link in the system β€” and that link often lives in a cloud server, not on the blockchain.

The smart contract worked perfectly. The blockchain did exactly what it was told. The code was never the problem. The problem was everything that surrounds the code.

Modern DeFi protocols are not purely on-chain systems. They rely on:

  • Off-chain oracles for price feeds
  • Cloud-based signing services for privileged operations
  • AWS, GCP, or Azure for key storage and compute
  • Multi-step approval flows that introduce human and infrastructure dependencies
  • Admin wallets with elevated permissions to pause, upgrade, or adjust parameters

Every one of these off-chain components is an attack surface. And unlike smart contracts β€” which are public, auditable, and immutable β€” cloud infrastructure can be misconfigured, phished, or compromised in ways that are invisible until it’s too late.

Chainalysis, in their post-mortem analysis, framed it precisely: this was β€œoverly trusting off-chain infrastructure.” The protocol treated its own cloud service as an infallible oracle of truth, with no on-chain guardrails to catch an impossible output.

This Is The New Frontier

The DeFi exploit landscape is shifting. Flash loan attacks β€” once the dominant DeFi hack vector β€” require sophisticated understanding of on-chain mechanics. But compromising a developer’s cloud credentials? Phishing an admin? Exploiting a misconfigured IAM policy?

That’s traditional cybersecurity. And traditional cybersecurity attackers are increasingly targeting DeFi protocols because the rewards are enormous and the response times are slow.

Defense Checklist: For Protocol Developers

If you’re building a DeFi protocol β€” or auditing one β€” here’s what the Resolv hack tells you must change:

On-Chain Guardrails (Non-Negotiable)

  • Implement on-chain mint caps. Every minting contract should have a hard maximum output per transaction, per block, and per time period. A $100K deposit should never produce more than $150K in tokens.
  • Add collateral ratio enforcement. The smart contract itself should verify that minted output doesn’t exceed deposited collateral by more than a defined multiplier. Don’t delegate this check to an off-chain service.
  • Deploy circuit breakers. Implement automatic pausing if minting velocity exceeds historical norms by X%. Anomaly detection baked into the contract.
  • Use time-locks for large mints. Minting requests above a threshold (e.g., $1M) should require a time delay, giving monitoring systems time to flag anomalies.

Cloud & Key Management

  • Enforce multi-sig for privileged operations. No single key should have the authority to authorize minting at scale. Require 2-of-3 or 3-of-5 threshold signatures for SERVICE_ROLE operations.
  • Rotate privileged keys regularly. Establish a key rotation schedule and monitor for unauthorized key usage.
  • Apply principle of least privilege to IAM. AWS IAM roles should be scoped to only the exact operations required β€” nothing broader.
  • Enable CloudTrail and alert on anomalous API calls. Unusual KMS sign operations should trigger immediate alerts.
  • Consider hardware security modules (HSMs) with geo-restrictions. Limit where signing can occur physically.

Monitoring & Response

  • Deploy real-time on-chain monitoring (tools like Chainalysis Hexagate, OpenZeppelin Defender, or Tenderly Alerts) to flag anomalous transactions before they complete.
  • Set up alerts for disproportionate minting ratios β€” any completeSwap where output exceeds input by more than 1.5x normal range should page on-call immediately.
  • Have an incident response playbook with a clear chain of command for emergency pausing. Minutes matter.
  • Conduct regular security audits covering both smart contracts AND the off-chain infrastructure. Most auditors only look at the Solidity.

Defense Checklist: For Investors

You can’t audit smart contracts yourself β€” but you can ask the right questions before depositing.

Before You Deposit: Red Flags

  • Ask how minting is controlled. If there’s an off-chain approval step, ask: what prevents that service from being compromised? Is there a maximum on-chain mint cap?
  • Check the audit scope. Did auditors review only the smart contracts, or did they also evaluate the off-chain infrastructure? A clean smart contract audit means nothing if the signing service is a single point of failure.
  • Look for multi-sig on privileged operations. Check if admin functions (pause, upgrade, mint) require multiple signatures. Protocols where a single key has god-mode permissions are inherently riskier.
  • Research the team’s security credentials. Have they disclosed their cloud security practices? Do they have a bug bounty program?
  • Review TVL concentration. How much is locked in the protocol? A protocol holding $500M with a single privileged key is a $500M target.

After You Deposit: Staying Safe

  • Set price alerts on your stablecoin holdings. A stablecoin that loses even 5% of its peg is a warning sign β€” at 10%, start exiting.
  • Don’t chase the highest yield blindly. Higher yields on newer, less-audited protocols often mean higher risk. The Resolv hack hit users chasing yield on a protocol that hadn’t been battle-tested.
  • Diversify across protocols. Don’t hold 100% of your stable assets in a single protocol, no matter how solid it looks.
  • Follow protocol security channels. Most hacks have minutes-to-hours between exploit and public knowledge. Being in the right Discord or Telegram channel can be the difference.

How to Evaluate Protocol Security: A Framework

Before depositing meaningful capital into any DeFi protocol, run it through this checklist:

1. Audit History

Has the protocol been audited? By whom? When? Multiple audits from reputable firms (Trail of Bits, Consensys Diligence, OpenZeppelin) are better than one. Check that audits are recent and that identified issues were actually fixed.

2. Code Architecture

Is minting or any other critical function controlled by a single privileged key? Look for multi-sig requirements, time-locks, and on-chain caps. If the docs say β€œcontrolled by our backend service,” that’s a risk flag.

3. Bug Bounty Program

Does the protocol have an active bug bounty? A healthy bounty program (especially on Immunefi) signals the team takes security seriously and creates economic incentives for white-hat researchers to find issues before black hats do.

4. Incident History

Has the protocol been exploited before? How did the team respond? Protocols that patched vulnerabilities quickly and compensated users transparently demonstrate operational maturity.

5. On-Chain vs. Off-Chain Trust

Map out where the protocol’s trust boundaries are. Everything that happens off-chain is outside the blockchain’s security guarantees. Ask: if the team’s cloud account was compromised tomorrow, what could an attacker do? If the answer is β€œanything,” that’s a serious red flag.

6. Emergency Controls

Does the protocol have a pause mechanism? Who can trigger it? How fast was the team able to respond in previous incidents? Resolv did eventually pause β€” but by then, $23 million was gone.

What Happens Next?

As of this writing, the attacker’s wallet holds ~11,400 ETH. Chainalysis and other blockchain analytics firms are tracking the funds. Whether they’ll be recovered β€” through legal action, exchange freezes, or the attacker’s own mistakes β€” remains to be seen.

Resolv Labs is investigating the breach and working to understand the full scope of the compromise. USR trading has been suspended, and the protocol remains paused while a security review is conducted.

For USR holders, the situation is grim. A token that was supposed to be worth $1 is sitting at a fraction of that, with no clear timeline for recovery or restitution.

The Bottom Line

The Resolv hack is a landmark event in DeFi security β€” not because of its size (there have been larger), but because of what it reveals about where we are in the maturity of the space.

We’ve spent years auditing smart contracts, building formal verification tools, and debating the nuances of reentrancy and flash loan protection. And while those efforts matter, we’ve been guarding the front door while leaving the back door wide open.

The back door is cloud infrastructure. It’s AWS KMS environments. It’s admin keys stored in GitHub secrets. It’s developers with broad IAM permissions and no hardware tokens. It’s off-chain services that the on-chain code trusts unconditionally.

For investors, the message is simple: when evaluating a DeFi protocol, don’t just ask β€œhas the smart contract been audited?” Ask β€œwhat happens if the team’s AWS account gets phished?”

For builders, the message is even simpler: don’t build a trust model that gives a single cloud key the power to print unlimited money. No matter how good your DevSecOps is, that’s a bet you will eventually lose.

The code worked exactly as intended. That’s what makes this hack so important β€” and so instructive.

Sources: Chainalysis Resolv Hack Post-Mortem (March 2026), CoinDesk, DL News, The Block, Resolv Labs X statement. On-chain data via Etherscan.