How Resolv Lost $25M: The Full Story Behind the 80M USR Mint Attack

The post How Resolv Lost $25M: The Full Story Behind the 80M USR Mint Attack appeared on BitcoinEthereumNews.com.

TLDR: Attackers minted 80M USR tokens illegally by hijacking Resolv’s off-chain signing infrastructure on March 22, 2026. A compromised contractor’s GitHub credential from a third-party project served as the initial entry point into Resolv’s systems. Around 46M of the illicitly minted USR was neutralized through direct burns and blacklist deployment after a timelock period. Resolv is now introducing on-chain mint caps, OIDC-based authentication, and automated pause mechanisms to prevent future breaches. Resolv Protocol fell victim to a sophisticated cyberattack on March 22, 2026, resulting in a $25 million loss. Attackers exploited off-chain signing infrastructure to mint 80 million USR tokens without proper authorization. The breach unfolded across multiple organizations and infrastructure layers. Resolv has since contained the attack, revoked all compromised credentials, and paused most protocol operations. Pre-hack USR holders are being compensated on a 1:1 basis, with most redemptions already processed. How Attackers Moved From a Third-Party Breach Into Resolv’s Core Systems The attack began outside Resolv’s own infrastructure entirely. A contractor had previously contributed to a third-party project that was separately compromised. The attackers obtained a GitHub credential linked to that contractor’s account. That single credential opened a door into Resolv’s code repositories. Once inside, the attackers deployed a malicious GitHub workflow. This workflow quietly extracted sensitive infrastructure credentials without triggering outbound network detection. Resolv confirmed in its postmortem that the attackers “removed their own access from the repository to minimize their forensic footprint” after pulling those credentials. https://t.co/vuNDr5CTa4 — Resolv Labs (@ResolvLabs) April 4, 2026 The extracted credentials then gave them entry into Resolv’s cloud environment. Over several days, the attackers conducted quiet reconnaissance, mapping services and probing for API keys tied to third-party integrations. They worked methodically before moving toward execution. Gaining signing authority over the minting key was not straightforward. Multiple escalation attempts failed due…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ April 5, 2026 2:25 pm