Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 266 · Private Key Compromise

Resolv USR Stablecoin Cloud-KMS Drain

Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.


On March 22, 2026 at 02:21 UTC, attackers compromised Resolv Labs' AWS Key Management Service (KMS) environment and used the protocol's own privileged signing key to mint 80 million unbacked USR stablecoins from a starting position of $100,000 USDC. The USR price crashed from $1.00 to $0.025 in 17 minutes before partially recovering. Total realised loss: approximately $25 million in ETH extracted from the USR Counter contract.

What happened

USR was Resolv's dollar-pegged stablecoin, backed by a delta-neutral hedging strategy using ETH and BTC. Users could mint USR by depositing collateral; redemption mechanics were governed by smart contracts that interacted with both on-chain collateral and off-chain hedge positions.

The minting authority for USR was gated behind a privileged signing key stored in AWS KMS, Amazon's managed service for cryptographic key storage. A standard AWS KMS deployment is genuinely secure in one respect: the key material itself cannot be exported from the service. Signing operations are instead performed by sending requests to the KMS API, authenticated with AWS IAM credentials.

The attacker's path:

  1. Compromised Resolv's AWS cloud environment. The specific vector was not publicly detailed, but it is consistent with credential theft, a cloud-infrastructure misconfiguration, or compromised IAM permissions.
  2. With access to the AWS environment, gained ability to invoke the KMS-stored signing key through the normal API path.
  3. Submitted minting authorisations for USR against arbitrary collateral inputs.
  4. Deposited 100,000 USDC into Resolv's USR Counter contract.
  5. The contract, accepting the KMS-signed minting authorisation, issued 50,000,000 USR to the attacker — 500× the legitimate ratio.
  6. Repeated the operation until ~80M USR had been minted.
  7. Swapped the freshly-minted USR for ETH via Curve and other DEXs before the market priced in the dilution.

Net extraction: ~$25M in ETH before USR's depeg made further extraction unprofitable.

Aftermath

  • USR crashed from $1.00 to $0.025 within 17 minutes of the first malicious mint. It partially recovered to ~$0.85 but had not restored its peg as of public reporting, and was trading at $0.27 by the following Monday.
  • Resolv Labs published a post-mortem identifying the AWS KMS compromise as the root cause and acknowledging structural design failures including:
    • Single-key controlled privileged minting authority.
    • No oracle or amount checks on individual mint operations.
    • No maximum mint limits to bound per-transaction or per-block damage.
  • Recovery and protocol-restart plans were announced; details continued evolving through April 2026.

Why it matters

The Resolv incident is one of the cleanest cases for why cloud-managed key services do not eliminate operational-security risk — they merely shift it from "the private key file on disk" to "the cloud environment that can invoke the key." The attacker did not exfiltrate the KMS-stored key (they couldn't); they didn't need to. The ability to ask the KMS to sign a payload, on the protocol's behalf, was the entire compromise.

The structural lessons, particularly relevant to 2026 stablecoin and DeFi infrastructure:

  1. Cloud KMS is necessary but not sufficient for high-value signing operations. The IAM permissions, network ACLs, and operational controls around the KMS environment are part of the trust boundary. A KMS environment with broad IAM permissions and weak operational monitoring is structurally equivalent to a hot-wallet key.

  2. Minting paths require explicit invariants beyond signature verification. Resolv's contracts trusted the signed authorisation completely — no per-block mint limits, no collateral-ratio checks, no oracle anchoring. The contract did exactly what the (compromised) signing key told it to do.

  3. Single-key designs for stablecoin issuance are unsafe at scale, regardless of how the key is protected. The mitigations — multi-sig with timelocks, on-chain rate limits, automatic pause on anomaly — exist; their absence in Resolv's design is the underlying cause.
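As an added illustration (not Resolv's code), the model below contrasts a mint path that trusts the signed authorisation alone, as lesson 2 describes, with one that enforces the invariants lessons 2 and 3 call for: a collateral-ratio check against an oracle price, a per-block mint cap, and an automatic pause when a signer requests unbacked USR. The class names, cap and tolerance are hypothetical, and `sig_valid` stands in for signature recovery against the KMS-held key.

```python
"""Models of a signed mint path: trust-the-signature vs. enforced invariants.
All parameters are hypothetical; this is not Resolv's code."""
from dataclasses import dataclass, field

PER_BLOCK_CAP = 5_000_000   # max USR per block (hypothetical bound)
RATIO_TOLERANCE = 0.01      # 1% slack around the 1 USR : 1 USD peg

@dataclass
class MintAuth:
    """Payload the off-chain signer (the KMS-held key) authorised."""
    collateral_in: int   # USDC deposited, whole units
    usr_out: int         # USR the signer says to issue
    sig_valid: bool      # stands in for ECDSA recovery against the known key

@dataclass
class VulnerableMinter:
    """Signature check only, as the post-mortem describes."""
    supply: int = 0

    def mint(self, auth: MintAuth) -> int:
        if not auth.sig_valid:
            raise PermissionError("bad signature")
        self.supply += auth.usr_out   # the amount itself is never questioned
        return auth.usr_out

@dataclass
class GuardedMinter:
    """Same signature check plus collateral ratio, per-block cap, auto-pause."""
    supply: int = 0
    paused: bool = False
    minted_in_block: dict = field(default_factory=dict)

    def mint(self, auth: MintAuth, block: int, usdc_price: float) -> int:
        if self.paused:
            raise RuntimeError("minting paused")
        if not auth.sig_valid:
            raise PermissionError("bad signature")
        # Invariant 1: issued USR must be backed by collateral at the oracle price.
        backed = auth.collateral_in * usdc_price * (1 + RATIO_TOLERANCE)
        if auth.usr_out > backed:
            self.paused = True   # a signer requesting unbacked USR is itself the anomaly
            raise ValueError("unbacked mint request; minter paused")
        # Invariant 2: bound per-block damage no matter who signed.
        used = self.minted_in_block.get(block, 0)
        if used + auth.usr_out > PER_BLOCK_CAP:
            raise ValueError("per-block mint cap exceeded")
        self.minted_in_block[block] = used + auth.usr_out
        self.supply += auth.usr_out
        return auth.usr_out
```

With the incident's numbers, the vulnerable path issues 50,000,000 USR for 100,000 USDC, while the guarded path rejects the same authorisation and halts further minting until an operator intervenes.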

The Resolv incident joins Bybit, Drift Protocol, and others in the 2025-2026 wave of incidents where the protocol's contracts were technically working correctly but the off-chain infrastructure controlling them had been compromised. The pattern is now sufficiently dominant that "smart contract audit" alone is increasingly recognised as covering a shrinking fraction of the actual attack surface.

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/markets/2026/03/23/resolv-stablecoin-drops-70-after-usd80-million-exploit-after-attacker-mints-usr
  2. theblock.co: https://www.theblock.co/post/394582/resolvs-usr-stablecoin-depegs-after-attacker-mints-80-million-unbacked-tokens-extracts-roughly-25-million
  3. decrypt.co: https://decrypt.co/361984/resolv-labs-stablecoin-depegs-plunges-74-after-25m-exploit
