Protocol to Bandit: 'Keep Your 10% Bounty, Send Back the Rest Before We Unleash the Chain KYC'
Resolv Labs has slid into the DMs of Sunday’s $25 million digital bandit with a classic degen deal: pocket a 10% ‘finder’s fee’ for your troubles, but cough up the other 90% within 72 hours. The Abu Dhabi-based stablecoin shop dropped a return address and gave the exploiter until Thursday to send back roughly $22.5 million in ETH, plus any leftover USR tokens—no questions asked.
The proposal even includes a ‘white hat’ backdoor, inviting the attacker to shoot them an email and claim the whole heist was just some extremely enthusiastic, unauthorized penetration testing. It’s the crypto equivalent of saying the dog ate your homework, if the dog was a malicious actor and the homework was $25 million.
Non-compliance will trigger what the protocol ominously calls ‘escalation measures.’ This translates to Resolv calling in every IOU from CEXs, bridges, and infrastructure providers to try and freeze the loot. They’ll also dox the attacker’s addresses for public shaming, hire blockchain bloodhounds, and finally, bring in the fiat-world cops—the ultimate rug pull for any rogue address.
The exploit itself was a beautifully simple yet brutally effective one. Early Sunday, the attacker deposited a cool $200k in USDC into Resolv's USR Counter contract. This minted them a casual 50 million USR. A follow-up transaction conjured another 30 million out of thin air. They then dumped all that freshly printed paper across DEXs for stablecoins and finally converted the entire haul into 11,409 ETH—a masterclass in ‘print, sell, repeat.’
Analysts quickly fingered the culprit: a privileged minting role controlled by a single wallet. This role came with no minting limits, no oracle checks, and no multi-sig requirements—a trifecta of negligence that would make any auditor facepalm. It was less a vault and more a door with a ‘Take What You Want’ sign.
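The three missing controls, modeled off-chain as an added illustration (this is not Resolv's code). The signer ids, thresholds, the oracle reading and the 1 USR = 1 USD backing rule are assumptions; only the first request uses figures from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintRequest:
    collateral_usdc: Decimal   # USDC deposited alongside the request
    usr_amount: Decimal        # USR the minting role asks to create
    approvers: frozenset       # signer ids that approved this request

@dataclass
class MintGuard:
    signers: frozenset         # keys allowed to approve (hypothetical ids)
    threshold: int             # approvals required: the multi-sig control
    tolerance: Decimal         # allowed excess over oracle-valued collateral
    window_cap: Decimal        # max USR mintable per rate-limit window
    minted: Decimal = Decimal(0)

    def check(self, req: MintRequest, usdc_usd: Decimal) -> list:
        """Return the violated controls; an empty list lets the mint proceed."""
        violations = []
        # Only approvals from known signers count toward the threshold.
        if len(req.approvers & self.signers) < self.threshold:
            violations.append("multisig")
        # Assumption: 1 USR is meant to be backed by 1 USD of collateral.
        backed = req.collateral_usdc * usdc_usd
        if req.usr_amount > backed * (1 + self.tolerance):
            violations.append("oracle")
        if self.minted + req.usr_amount > self.window_cap:
            violations.append("limit")
        if not violations:
            self.minted += req.usr_amount   # consume window budget on success only
        return violations

def demo() -> list:
    guard = MintGuard(frozenset({"key-a", "key-b", "key-c"}), 2,
                      Decimal("0.01"), Decimal(1_000_000))
    price = Decimal("1.00")    # constructed oracle reading for USDC/USD
    requests = [
        # Figures from the article: $200k USDC in, 50M USR out, one key.
        MintRequest(Decimal(200_000), Decimal(50_000_000), frozenset({"key-a"})),
        # Constructed: fully backed mint with two valid approvals.
        MintRequest(Decimal(100_000), Decimal(100_000), frozenset({"key-a", "key-b"})),
        # Constructed: backed and approved, but exceeds the window budget.
        MintRequest(Decimal(950_000), Decimal(950_000), frozenset({"key-b", "key-c"})),
        # Constructed: second approval comes from a key outside the signer set.
        MintRequest(Decimal(1_000), Decimal(1_000), frozenset({"key-a", "key-x"})),
    ]
    return [guard.check(r, price) for r in requests]

if __name__ == "__main__":
    print(demo())
```

The article's first mint trips all three checks at once, which is why any one of them would have been enough to stop it.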
In its onchain message, Resolv stressed that while a protocol flaw left the door wide open, the act itself was pure malice, creating a mountain of unbacked tokens that could give the market a serious case of indigestion. It’s the difference between finding an unlocked car and deciding to steal it versus joyride it.
Separately, Resolv Digital Assets Ltd. says it's doing the post-hack walk of shame, contacting all allowlisted users who held USR when the music stopped. Redemptions for that unlucky group are now open, with updates for the rest of the bagholders promised soon—because in crypto, you’re either the exploiter, the exploited, or waiting for your turn to be made whole.