Crypto World
How Resolv Lost $25M: The Full Story Behind the 80M USR Mint Attack
TLDR:
- Attackers minted 80M USR tokens illegally by hijacking Resolv’s off-chain signing infrastructure on March 22, 2026.
- A compromised contractor’s GitHub credential from a third-party project served as the initial entry point into Resolv’s systems.
- Around 46M of the illicitly minted USR was neutralized through direct burns and blacklist deployment after a timelock period.
- Resolv is now introducing on-chain mint caps, OIDC-based authentication, and automated pause mechanisms to prevent future breaches.
Resolv Protocol fell victim to a sophisticated cyberattack on March 22, 2026, resulting in a $25 million loss. Attackers exploited off-chain signing infrastructure to mint 80 million USR tokens without proper authorization.
The breach unfolded across multiple organizations and infrastructure layers. Resolv has since contained the attack, revoked all compromised credentials, and paused most protocol operations.
Pre-hack USR holders are being compensated on a 1:1 basis, with most redemptions already processed.
How Attackers Moved From a Third-Party Breach Into Resolv’s Core Systems
The attack began outside Resolv’s own infrastructure entirely. A contractor had previously contributed to a third-party project that was separately compromised.
The attackers obtained a GitHub credential linked to that contractor’s account. That single credential opened a door into Resolv’s code repositories.
Once inside, the attackers deployed a malicious GitHub workflow. This workflow quietly extracted sensitive infrastructure credentials without triggering outbound network detection.
Resolv confirmed in its postmortem that the attackers “removed their own access from the repository to minimize their forensic footprint” after pulling those credentials.
The extracted credentials then gave them entry into Resolv’s cloud environment. Over several days, the attackers conducted quiet reconnaissance, mapping services and probing for API keys tied to third-party integrations. They worked methodically before moving toward execution.
Gaining signing authority over the minting key was not straightforward. Multiple escalation attempts failed due to existing access controls.
As Resolv’s postmortem noted, the attackers ultimately used “a higher-privileged role’s policy management capabilities to modify the key’s access policy directly, granting themselves signing authority.”
How the Protocol Responded and What Changes Are Now Underway
Real-time monitoring flagged the first anomalous transaction within approximately one hour of the initial mint. The team then began preparing to pause contracts, halt backend services, and revoke compromised credentials. At 05:16 UTC, all relevant smart contracts with pause functionality were fully paused on-chain.
By 05:30 UTC, revoked credentials had severed the attackers’ cloud access entirely. Resolv noted that “forensic logs confirm that the attackers had been active as recently as 05:15 UTC,” meaning containment happened while the threat was still live. Around 46 million of the 80 million illicitly minted USR has since been neutralized through burns and blacklisting.
Resolv engaged several external firms to assist with recovery. These include Hexens for infrastructure forensics, MixBytes for smart contract audit, SEAL 911 for emergency coordination, and Hypernative for real-time monitoring. Mandiant and ZeroShadow are also set to join the broader investigation.
Going forward, Resolv plans to replace CI/CD credentials with OIDC-based authentication. The team stated it is “implementing on-chain mint caps and oracle-based price validation for minting operations” as part of its remediation plan.
Automated emergency pause mechanisms connected to live monitoring are also in development to prevent similar delays in future incident response.
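The planned mint caps and oracle-based price validation mean a valid signature from the off-chain signer is no longer enough to mint on its own. The Python model below is an added example, not Resolv's code: the MintGuard class, its parameters, the fixed-window cap design and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

class MintRejected(Exception):
    """Raised when a mint request fails an on-chain style check."""

@dataclass
class MintGuard:
    # All parameters are hypothetical; the article gives no real values.
    window_cap: int         # max tokens mintable per window
    window_seconds: int     # window length
    max_deviation_bps: int  # allowed excess over oracle value, in basis points
    window_start: int = 0
    minted_in_window: int = 0

    def mint(self, now, collateral, oracle_price_e8, requested, signature_ok):
        # The signature is still required, but it is no longer the only gate.
        if not signature_ok:
            raise MintRejected("bad signature")
        # Oracle check: tokens minted must match the collateral's oracle value.
        fair = collateral * oracle_price_e8 // 10**8
        if requested > fair * (10_000 + self.max_deviation_bps) // 10_000:
            raise MintRejected("exceeds oracle value")
        # Fixed-window cap: bounds total issuance even for well-priced mints.
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.minted_in_window = now, 0
        if self.minted_in_window + requested > self.window_cap:
            raise MintRejected("window cap exceeded")
        self.minted_in_window += requested
        return requested

def replay(requests, guard):
    """Run (now, collateral, price_e8, requested, sig_ok) tuples; return outcomes."""
    outcomes = []
    for req in requests:
        try:
            guard.mint(*req)
            outcomes.append("minted")
        except MintRejected as exc:
            outcomes.append(str(exc))
    return outcomes

# Constructed sample requests (not taken from the incident).
SAMPLE = [
    (0,    500_000, 10**8,    500_000, True),  # ordinary mint
    (10,   100_000, 10**8, 80_000_000, True),  # valid signature, absurd amount
    (20,   600_000, 10**8,    600_000, True),  # fairly priced, but over the cap
    (3600, 600_000, 10**8,    600_000, True),  # new window, accepted
]

if __name__ == "__main__":
    print(replay(SAMPLE, MintGuard(1_000_000, 3600, 100)))
```

The second request shows the point of the design: the signature verifies, yet the mint is refused because the amount does not match the collateral's oracle value.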