Resolv Compromised Key: How a Single Credential Printed $23M

How a Single Compromised Key Printed $23 Million in Unbacked Stablecoins

Discussions of DeFi security often focus on smart contract exploits: reentrancy attacks, flash loan manipulations, or logic bugs. Those remain frequent attack vectors, but the Resolv hack on March 22, 2026, which drained an estimated $23 million from the protocol, exposed a critical vulnerability in off-chain infrastructure instead. The incident was not a smart contract flaw. It was a fundamental breakdown in off-chain security: a compromised signing key that let an attacker mint unbacked stablecoins.

The Incident: Resolv Compromised Key and Off-Chain Trust Failure

Resolv Labs' USR stablecoin, designed to maintain a $1 peg, depegged by 80% within hours. An attacker minted 80 million unbacked USR tokens, converting approximately $25 million into ETH. This left Resolv's DeFi protocol with a significant liability.

This was not a typical smart contract vulnerability. The root cause was a compromised credential: the privileged SERVICE_ROLE signing key held in Resolv's AWS Key Management Service (KMS) environment. The incident underscores the need to extend security scrutiny beyond Solidity code to cloud security and robust key management practices.

Attack Chain: Resolv Compromised Key to Unbacked Mint

The core issue was a critical design flaw in Resolv's USR minting system. While the smart contract resided on-chain, the approval mechanism for USR token minting depended entirely on an off-chain service. This service held a highly privileged private key, the SERVICE_ROLE, authorized to approve all minting requests.

The on-chain smart contract lacked crucial safeguards: there was no maximum minting limit, no on-chain collateral-to-USR ratio check, no independent price oracle for value verification, and no cap on minting volume. The contract implicitly trusted the off-chain service without internal validation.

  1. Initial access involved compromising Resolv's AWS Key Management Service (KMS) environment. The specific vector is still under investigation, but the attacker successfully extracted the SERVICE_ROLE signing key (MITRE ATT&CK T1078.004, T1538).
  2. With the compromised SERVICE_ROLE key, the attacker could authorize minting requests, impersonating the legitimate off-chain service. An initial deposit of $100K–$200K in USDC was made.
  3. The attacker authorized two primary transactions, minting 50 million USR, followed by an additional 30 million USR. The on-chain contract, lacking internal validation, processed these requests, creating 80 million unbacked tokens.
  4. To mitigate immediate liquidity issues from a direct dump, the attacker converted the newly minted USR into wstUSR (wrapped staked USR). These tokens were then swapped into other stablecoins and subsequently into ETH, utilizing multiple decentralized exchange (DEX) pools and bridges to obscure the transaction trail and exfiltrate funds.

This was not a sophisticated smart contract exploit but a straightforward credential compromise that succeeded because the chain performed no validation of its own. The contract blindly trusted an external system without internal checks; it operated exactly as designed, and that design was the critical flaw.

Figure: Visualizing the Resolv compromised key and off-chain infrastructure

The Impact: A Depegged Stablecoin and Liquidation Cascades

The fallout was immediate and severe. Resolv's USR stablecoin, intended to maintain a $1 peg, collapsed by 80% to $0.20. While a partial recovery to $0.56 has occurred, market confidence is significantly eroded. Resolv now faces a $78 million deficit, with $95 million in assets against $173 million in liabilities.

This depeg extended beyond USR holders, triggering liquidations across multiple DeFi platforms that accepted USR as collateral.

The attacker currently holds approximately 11,400 ETH, valued at $24 million, in addition to $1.3 million in wstUSR at current depressed prices.

Protocol Response and Systemic Implications

Resolv Labs quickly suspended all protocol functions and launched an investigation. The team is currently developing a recovery plan and implementing damage control measures, including token burns. Tracking the attacker's wallet activity is ongoing, but recovering the funds will be a major challenge.

This incident offers critical insights for all DeFi protocols relying on off-chain services for functions like minting, oracle feeds, or governance. The protocol had undergone 18 smart contract audits, yet these failed to identify this vulnerability because the problem wasn't in the contract code itself, but in the overall system design and the security of the off-chain infrastructure.

Mitigating Off-Chain Risk in DeFi

The Resolv compromised key incident highlights a critical blind spot in DeFi security. DeFi protocols need to treat their off-chain infrastructure—like AWS accounts, KMS, and private key management—with the same, if not more, scrutiny they apply to their smart contracts.

Smart contracts should never fully trust off-chain approvals. They need strong, built-in validation for all key actions, even if initiated externally. Implement hard caps on minting, real-time collateral ratio checks, and independent price oracle verification directly within the smart contract logic. For example, a circuit breaker that halts minting if the collateral ratio drops below a predefined threshold (e.g., 120% for a 150% target), or if an external oracle feed reports a price deviation exceeding a set tolerance, could have prevented this.
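The checks the paragraph above describes can be written down concretely. The following is an added illustration, not Resolv's code and not Solidity: a pure-Python model of the on-chain safeguards a mint function could enforce before honouring an off-chain approval. It takes the article's 150% collateral target and 120% circuit-breaker threshold, and adds a per-transaction cap, a rolling-window volume cap, and an oracle deviation tolerance whose values, like the vault balances and the two sample requests, are constructed for the example. The point it makes is that a valid SERVICE_ROLE signature is necessary but never sufficient: the 50 million USR "approval" signed with a stolen key fails three independent checks regardless of who signed it.

```python
from collections import deque
from dataclasses import dataclass, field

# Parameters are constructed for this example. The 150% target / 120% halt pair
# is the article's own illustration; the caps and tolerance are assumptions.
TARGET_RATIO = 1.50                # mint only if post-mint collateralization stays >= 150%
HALT_RATIO = 1.20                  # circuit breaker pauses minting below 120%
MAX_MINT_PER_TX = 1_000_000.0      # hard cap per approval, in USR
MAX_MINT_PER_WINDOW = 5_000_000.0  # rolling volume cap, in USR
WINDOW_SECONDS = 3600
ORACLE_TOLERANCE = 0.02            # max relative gap between claimed and oracle price


@dataclass
class VaultState:
    collateral_usd: float                                # backing assets, valued at oracle price
    usr_supply: float                                    # outstanding USR (1 USR = $1 liability)
    paused: bool = False                                 # set by the circuit breaker
    recent_mints: deque = field(default_factory=deque)   # (timestamp, amount) pairs


@dataclass
class MintRequest:
    amount_usr: float        # USR the off-chain service approved
    deposit_units: float     # units of collateral asset delivered with the request
    claimed_price: float     # per-unit USD price asserted by the off-chain service
    oracle_price: float      # per-unit USD price from an independent on-chain oracle
    timestamp: int
    signature_valid: bool    # outcome of verifying the SERVICE_ROLE signature


def collateral_ratio(collateral_usd, usr_supply):
    return float("inf") if usr_supply == 0 else collateral_usd / usr_supply


def check_breaker(state):
    """Trip the circuit breaker when collateralization falls below the halt threshold."""
    if collateral_ratio(state.collateral_usd, state.usr_supply) < HALT_RATIO:
        state.paused = True
    return state.paused


def window_volume(state, now):
    """USR minted in the trailing window; drops expired entries as a side effect."""
    while state.recent_mints and now - state.recent_mints[0][0] > WINDOW_SECONDS:
        state.recent_mints.popleft()
    return sum(amount for _, amount in state.recent_mints)


def validate_mint(state, req):
    """Return the safeguards the request violates (empty list means the mint is allowed).
    A valid signature is necessary but never sufficient: every other check still runs."""
    failures = []
    if state.paused:
        failures.append("circuit breaker tripped")
    if not req.signature_valid:
        failures.append("invalid service signature")
    if req.amount_usr > MAX_MINT_PER_TX:
        failures.append("exceeds per-transaction cap")
    if window_volume(state, req.timestamp) + req.amount_usr > MAX_MINT_PER_WINDOW:
        failures.append("exceeds rolling-window volume cap")
    if abs(req.claimed_price - req.oracle_price) / req.oracle_price > ORACLE_TOLERANCE:
        failures.append("claimed price deviates from oracle")
    # Value the deposit at the oracle price, never at the price the service claims.
    post_ratio = collateral_ratio(state.collateral_usd + req.deposit_units * req.oracle_price,
                                  state.usr_supply + req.amount_usr)
    if post_ratio < TARGET_RATIO:
        failures.append("post-mint collateral ratio below target")
    return failures


def apply_mint(state, req):
    """Apply the mint only if every safeguard passes; returns the failure list."""
    failures = validate_mint(state, req)
    if failures:
        return failures
    state.collateral_usd += req.deposit_units * req.oracle_price
    state.usr_supply += req.amount_usr
    state.recent_mints.append((req.timestamp, req.amount_usr))
    check_breaker(state)
    return []


def reprice_collateral(state, factor):
    """Oracle moves the collateral value (a 30% drop is factor 0.7); may trip the breaker."""
    state.collateral_usd *= factor
    return check_breaker(state)


def run_scenario():
    """Constructed scenario: a routine mint, then an 'approval' signed with a stolen key."""
    state = VaultState(collateral_usd=150_000_000.0, usr_supply=100_000_000.0)
    routine = MintRequest(amount_usr=100_000.0, deposit_units=160_000.0, claimed_price=1.0,
                          oracle_price=1.0, timestamp=1_000, signature_valid=True)
    stolen_key = MintRequest(amount_usr=50_000_000.0, deposit_units=200_000.0, claimed_price=1.0,
                             oracle_price=1.0, timestamp=1_060, signature_valid=True)
    return apply_mint(state, routine), apply_mint(state, stolen_key), state


if __name__ == "__main__":
    ok, rejected, final = run_scenario()
    print("routine mint:", ok or "allowed")
    print("stolen-key mint rejected for:", rejected)
    print("supply after:", final.usr_supply)
```

The design choice worth noting is that `validate_mint` reports every failing check rather than stopping at the first one, so an on-chain monitor sees the full picture, and that collateral is valued at the oracle price rather than the price the off-chain service asserts; a signer that can forge approvals can just as easily forge a valuation.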

The compromise of a SERVICE_ROLE key held in KMS signals a fundamental failure in key management. Protocols must require FIDO2-compliant multi-factor authentication (MFA) for every privileged AWS account. Strict IAM policies that enforce least privilege, regular cloud security posture management (CSPM) audits, and continuous monitoring for anomalous access to KMS are non-negotiable. A single compromised credential, such as an unrotated AWS access key, frequently provides the initial access for lateral movement within an environment and, from there, broader system compromise.

While smart contract audits are crucial, they represent only one component of a comprehensive security strategy. A multi-faceted approach is essential. This includes comprehensive penetration testing of the entire system—not just the smart contracts—and continuous monitoring for both on-chain and off-chain anomalies. Tools like Cloudflare's Zero Trust platform, for instance, could enforce stricter access controls to the KMS environment and detect anomalous login attempts. This, combined with specialized blockchain analytics for real-time on-chain monitoring of minting events and collateral ratios, would provide a more complete security envelope.
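Both of the preceding paragraphs call for continuous monitoring of access to KMS. A signing key that lives in KMS can only be used by calling the KMS Sign API with AWS credentials, and KMS records each such call in CloudTrail, so the trail is where abuse of the key first becomes visible. The following is an added example, not Resolv's tooling: a small detector run over constructed CloudTrail-shaped records (the key ARN, role names, addresses and timestamps are all invented) that flags Sign calls on the signing key by an unexpected principal, from outside the minting service's network, or in an abnormal burst, plus any key-management operation such as a new grant or policy change on that key.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Everything below is constructed for the example: the key ARN, role names,
# addresses and trail records are placeholders, not Resolv's real values.
SIGNING_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SERVICE = "arn:aws:sts::111122223333:assumed-role/usr-mint-service/i-0abc123example"
INTRUDER = "arn:aws:sts::111122223333:assumed-role/ops-admin/unknown-session"

ALLOWED_PRINCIPALS = {SERVICE}                                # only the minting service may sign
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]     # the minting service's VPC range
SENSITIVE_OPS = {"CreateGrant", "PutKeyPolicy", "ScheduleKeyDeletion", "DisableKeyRotation"}
BURST_LIMIT = 3                                               # more Sign calls than this per window is abnormal
BURST_WINDOW = timedelta(minutes=10)


def record(event_time, event_name, principal_arn, source_ip):
    """Build a CloudTrail-shaped KMS record (constructed sample; a subset of the real fields)."""
    return {
        "eventTime": event_time,
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "AssumedRole", "arn": principal_arn},
        "sourceIPAddress": source_ip,
        "requestParameters": {"keyId": SIGNING_KEY_ARN},
        "resources": [{"ARN": SIGNING_KEY_ARN, "accountId": "111122223333"}],
    }


# Three routine signatures from the service, then a grant and four signatures from
# a different role session on a public address (203.0.113.0/24 is documentation space).
SAMPLE_TRAIL = [
    record("2026-03-22T10:00:12Z", "Sign", SERVICE, "10.20.4.15"),
    record("2026-03-22T10:05:40Z", "Sign", SERVICE, "10.20.4.15"),
    record("2026-03-22T10:07:03Z", "Sign", SERVICE, "10.20.4.15"),
    record("2026-03-22T10:30:55Z", "CreateGrant", INTRUDER, "203.0.113.45"),
    record("2026-03-22T10:31:10Z", "Sign", INTRUDER, "203.0.113.45"),
    record("2026-03-22T10:32:01Z", "Sign", INTRUDER, "203.0.113.45"),
    record("2026-03-22T10:33:27Z", "Sign", INTRUDER, "203.0.113.45"),
    record("2026-03-22T10:34:49Z", "Sign", INTRUDER, "203.0.113.45"),
]


def key_arn_of(rec):
    """The KMS key a record touches, taken from its resources list."""
    return next((r["ARN"] for r in rec.get("resources", [])
                 if r.get("ARN", "").startswith("arn:aws:kms:")), None)


def in_allowed_network(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:            # sourceIPAddress can be an AWS service name, not an IP
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyze(records):
    """Return (eventName, principal, reason) alerts for suspicious use of the signing key."""
    alerts = []
    sign_times = defaultdict(list)       # principal -> timestamps of its recent Sign calls
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "kms.amazonaws.com" or key_arn_of(rec) != SIGNING_KEY_ARN:
            continue
        name = rec["eventName"]
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        if name in SENSITIVE_OPS:
            alerts.append((name, principal, "sensitive key-management operation"))
        if name != "Sign":
            continue
        if principal not in ALLOWED_PRINCIPALS:
            alerts.append((name, principal, "unexpected principal"))
        if not in_allowed_network(rec.get("sourceIPAddress", "")):
            alerts.append((name, principal, "source address outside allowed networks"))
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        window = sign_times[principal]
        window.append(t)
        while t - window[0] > BURST_WINDOW:   # window always contains t, so this terminates
            window.pop(0)
        if len(window) == BURST_LIMIT + 1:    # fire once when the limit is first exceeded
            alerts.append((name, principal, "Sign burst exceeds limit"))
    return alerts


if __name__ == "__main__":
    for event, who, why in analyze(SAMPLE_TRAIL):
        print(f"{event:12} {why:40} {who}")
```

In a real deployment the allowlists would come from the same source of truth as the IAM policy that scopes `kms:Sign` on this key, so the detector and the control agree on who is supposed to sign; the burst rule is deliberately crude and should be tuned to the service's actual minting cadence.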

The Resolv incident is a costly reminder that DeFi security isn't just about smart contract code; it's about the entire operational environment. Protocols must operate under the assumption that off-chain keys will eventually be targeted. Consequently, smart contracts need inherent resilience so that a compromised external signing key, as Resolv's was, cannot cause catastrophic failure. This calls for a fundamental rethink of security architecture for any protocol that relies on off-chain components.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.