Compromised Infrastructure Leads to $24.5M Theft from Resolv DeFi Platform

The decentralized finance (DeFi) protocol Resolv has suspended operations following a sophisticated perimeter breach that resulted in the theft of approximately $24.5 million in Ethereum (ETH). The incident, which targeted the protocol’s off-chain administrative infrastructure, triggered an illicit minting of $80 million in uncollateralized USR stablecoins and a subsequent collapse of the asset’s dollar peg.

The Exploit: Infrastructure Over Code

The breach did not involve a traditional smart contract vulnerability. Instead, the attacker gained unauthorized access to Resolv’s cloud environment, specifically targeting its AWS Key Management Service (KMS), according to a post-mortem by Chainalysis.

By compromising the environment where the protocol’s privileged "SERVICE_ROLE" signing key was stored, the threat actor was able to authorize fraudulent minting requests. The Record reported that the attacker deposited a nominal sum of USDC — estimated between $100,000 and $200,000 — and utilized the stolen key to sign off on the creation of 80 million USR tokens, an amount far exceeding the required collateral.

Industry experts noted that while Resolv’s smart contracts had undergone 18 independent audits, the system lacked an on-chain "sanity check" or minting cap that could have prevented a compromised key from generating unlimited assets.

Market Impact and De-pegging

To avoid immediate detection, the attacker converted the illicit USR into "wstUSR" (wrapped staked USR) before swapping the holdings for other stablecoins and eventually 11,408 ETH, per data analyzed by ForkLog.

The sudden influx of unbacked tokens into decentralized exchange (DEX) liquidity pools caused the USR stablecoin to lose its $1.00 parity instantly. USR plummeted to as low as $0.20 over the weekend before a partial recovery. Resolv has urged users to refrain from trading protocol tokens while recovery efforts remain active.

Response and Recovery

In an official statement, Resolv confirmed the root cause was a "compromised private key" and announced several immediate countermeasures. The protocol has temporarily taken its application offline and has enabled redemptions for verified users who held USR at the time of the exploit.

Resolv has also issued an on-chain ultimatum to the attacker, offering a 10% "white hat" bounty — roughly $2.45 million — in exchange for the return of the remaining funds.

The Broader Landscape

The Resolv breach is the latest in a string of high-profile DeFi incidents in 2026, including major losses at Step Finance and Truebit. Security researchers suggest these events mark a strategic shift: hackers are increasingly prioritizing "off-chain" vulnerabilities, such as cloud infrastructure and administrative access, over complex code-based exploits.

The CyberSignal Analysis

The Resolv breach serves as a stark reminder that the "security of the cloud" is just as critical as the security of the code. While the industry often fixates on smart contract audits, this incident highlights a growing trend where threat actors bypass complex cryptography to target the underlying infrastructure.

For security leaders, the takeaway is clear: Identity is the new perimeter. Whether it is a corporate login or an administrative signing key in AWS, the compromise of a single privileged identity can render even the most rigorously audited software defenseless. As DeFi protocols continue to integrate with traditional cloud services, bridging the gap between on-chain logic and off-chain access management must become a top priority for 2026.