Private Key Goes Rogue, Prints $80M in Monopoly Money: The 'Stable'coin That Wasn't

Resolv Labs' USR stablecoin decided to embark on a bold, un-pegged adventure, shedding over 70% of its value after an attacker discovered the protocol's minting function came with a "print unlimited money" cheat code. By wielding a "compromised private key," this digital alchemist transmuted $80 million of pure, uncollateralized hope into USR tokens.

On-chain detectives at Chainalysis tracked the digital bandit as they promptly laundered their freshly printed funny money into wstUSR, then swapped it for other, more reputable stablecoins, before finally cashing out into Ethereum. The final score? A tidy $25 million payday, proving crime does pay—at least until the feds come knocking.

The predictable cascade of doom ensued: USR depegged with the violent grace of a lead balloon, crashing over 74% as the attacker executed their exit liquidity strategy on the backs of bag holders. Resolv Labs' counter-move was to burn roughly $9 million of the fraudulent supply to "reduce the potential impact"—a classic case of bringing a fire extinguisher to a building that's already a smoldering crater.

The protocol is now in cryo-freeze while Resolv coordinates with the authorities and blockchain spies. Their recovery plan involves allowing redemptions for "pre-incident USR," kicking off with a VIP allowlist. Because nothing says "decentralized finance" like a tiered system for who gets made whole first after a catastrophic failure.

Post-mortem analysis points to potential culprits like "manipulated oracles" or "leaked off-chain signer keys." Chainalysis pinpointed the core idiocy: minting approvals depended on a single, off-chain private key, with the smart contract omitting a pesky "max supply" parameter. It's the DeFi version of building a bank with a cardboard door and a welcome mat for thieves.

Crypto fund D2 Finance described the fund-draining operation as a "textbook DeFi hacking cash-out path," with the attacker artfully dumping their USR across multiple liquidity pools. This fiasco proudly takes its place in the recent hall of shame for DeFi security, following Solana's Step Finance shutting down after a $29 million heist and Moonwell's $1.8 million oracle-fueled bad debt debacle.