On March 22, 2026, the DeFi protocol Resolv became the latest casualty in a growing wave of infrastructure-level attacks that have nothing to do with smart contract bugs and everything to do with how decentralized systems rely on centralized cloud services. An attacker extracted approximately $25 million in ETH by minting 80 million unbacked USR stablecoins with a compromised privileged signing key held in Amazon Web Services Key Management Service (AWS KMS). The stablecoin depegged by 80 percent within minutes. What makes this incident particularly alarming is that Resolv had undergone 14 security audits from five different firms and maintained a $500,000 bug bounty on Immunefi. None of these measures caught the problem: the audited contract code behaved as designed, and the exploited path ran through off-chain signing infrastructure that the contract trusted without limit.
The Exploit Mechanics
The attack exploited a fundamental design weakness in Resolv’s token minting architecture. Unlike fully autonomous on-chain protocols, Resolv mints its USR stablecoin in two steps, one of them off-chain. First, a user deposits USDC into the USR Counter contract through a function called requestSwap. Then an off-chain service, acting with a privileged signing key that holds the contract’s SERVICE_ROLE, reviews the request and calls completeSwap to set and finalize the amount of USR minted.
The critical flaw was straightforward: the contract enforced a minimum USR output but no maximum. There was no on-chain check of the ratio between collateral deposited and USR minted, no price oracle verification and no cap on minting. Whatever amount the SERVICE_ROLE key signed was executed without question. The attacker deposited between $100,000 and $200,000 in USDC and then used the compromised key to authorize the creation of 80 million USR across two transactions: one minting 50 million USR and another minting 30 million USR.
Affected Systems
The breach propagated through multiple layers of Resolv’s infrastructure. The attacker first gained access to Resolv’s AWS KMS environment, where the protocol’s privileged signing key was held. Able to sign with that key, the attacker could issue completeSwap calls that were indistinguishable on-chain from legitimate ones. After minting the unbacked USR, the attacker wrapped it into its staked form, wstUSR, gradually swapped that into other stablecoins and finally converted everything into ETH.
The impact extended beyond the immediate $25 million loss. The flood of 80 million unbacked USR tokens caused the stablecoin’s price to plummet by approximately 80 percent, affecting every holder and liquidity provider in the Resolv ecosystem. The protocol was forced to halt operations entirely while the team assessed the damage and worked on a recovery plan. At the time, Bitcoin was trading around $70,500 and Ethereum at $2,155, providing the broader market context in which this attack unfolded.
The Mitigation Strategy
Securing DeFi protocols against this class of attack requires a fundamental shift in how developers think about trust boundaries. The smart contract code worked exactly as designed; the failure occurred in the off-chain infrastructure that the contract trusted without limit. Effective mitigation starts with on-chain enforcement of a maximum ratio of USR minted to collateral deposited, applied regardless of what the off-chain service authorizes. A price oracle adds a secondary check that the collateral itself is worth what that ratio assumes, so minted amounts stay proportional to real collateral value.
Moving the key from a cloud KMS into a dedicated hardware security module does not by itself close the gap. AWS KMS already keeps key material inside HSMs and does not export it; the attacker did not need the key bits, only a credential authorized to invoke signing with the key. What matters more than where the key lives is how many independent parties must agree before it is used. Multi-signature or threshold signing schemes, in which several independent parties must authorize each sensitive operation, would prevent a single compromised credential from enabling unlimited token creation. On-chain rate limits and monitoring that detect anomalous minting patterns and automatically pause the contract are the final line of defense when the off-chain components are compromised.
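The minting path described above and the on-chain limits proposed in this section, as an added illustration that is not Resolv's code: a minimal contract with the shape the article describes (a floor on output and no ceiling) next to a hardened completeSwap that caps output against the deposited collateral, sanity-checks a price feed, and trips a pause when minting within one epoch exceeds a hard cap. requestSwap, completeSwap and SERVICE_ROLE are the names the article uses; everything else (the storage layout, 6- and 18-decimal tokens, the 1 percent premium, the Chainlink-style feed interface, the per-epoch cap) is assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this article, not Resolv's code. requestSwap, completeSwap and
// SERVICE_ROLE are the article's names; layout, decimals, limits and feed interface are assumed.

interface IMintableUSR {
    function mint(address to, uint256 amount) external;
}

// Chainlink-style feed (assumed); only answer and updatedAt are used.
interface IPriceFeed {
    function latestRoundData()
        external view returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80);
}

abstract contract CounterBase {
    bytes32 public constant SERVICE_ROLE = keccak256("SERVICE_ROLE");
    struct Request { address user; uint256 usdcIn; uint256 minUsrOut; bool done; }

    IMintableUSR public immutable usr;
    mapping(address => bool) public isService;
    mapping(uint256 => Request) public requests;
    uint256 public nextId;

    modifier onlyRole(bytes32 role) {
        require(role == SERVICE_ROLE && isService[msg.sender], "missing role");
        _;
    }

    constructor(IMintableUSR usr_, address service) { usr = usr_; isService[service] = true; }
    // Step 1: the user escrows USDC (transferFrom omitted) and sets a floor on USR out.
    function requestSwap(uint256 usdcIn, uint256 minUsrOut) external returns (uint256 id) {
        id = nextId++;
        requests[id] = Request(msg.sender, usdcIn, minUsrOut, false);
    }
}

// Step 2 as the article describes it: a floor on output and no ceiling, so
// usdcIn = 200_000e6 with usrOut = 80_000_000e18 passes every check here.
contract VulnerableCounter is CounterBase {
    constructor(IMintableUSR u, address s) CounterBase(u, s) {}
    function completeSwap(uint256 id, uint256 usrOut) external onlyRole(SERVICE_ROLE) {
        Request storage r = requests[id];
        require(!r.done, "done");
        require(usrOut >= r.minUsrOut, "below min"); // the only bound on usrOut
        r.done = true;
        usr.mint(r.user, usrOut);
    }
}

// Step 2 hardened: the contract bounds what the off-chain signer can do.
contract HardenedCounter is CounterBase {
    uint256 public constant USDC_TO_USR_SCALE = 1e12; // 6 -> 18 decimals (assumed)
    uint256 public constant MAX_PREMIUM_BPS = 100;     // at most 1% above collateral value
    uint256 public constant EPOCH = 1 hours;
    uint256 public immutable epochMintCap;             // hard ceiling on USR minted per epoch
    IPriceFeed public immutable usdcUsd;               // USDC/USD feed, 8 decimals assumed

    uint256 public epochStart;
    uint256 public mintedThisEpoch;
    bool public paused;                                // cleared by governance (unpause omitted)
    event CircuitBreakerTripped(uint256 indexed id, uint256 attempted, uint256 alreadyMinted);

    constructor(IMintableUSR u, address s, IPriceFeed feed, uint256 cap) CounterBase(u, s) {
        usdcUsd = feed; epochMintCap = cap; epochStart = block.timestamp;
    }

    function completeSwap(uint256 id, uint256 usrOut) external onlyRole(SERVICE_ROLE) {
        require(!paused, "paused");
        Request storage r = requests[id];
        require(!r.done, "done");
        require(usrOut >= r.minUsrOut, "below min");

        // 1. Ratio cap: USR out may not exceed the deposited USDC plus a small premium.
        uint256 collateral = r.usdcIn * USDC_TO_USR_SCALE;
        require(usrOut <= collateral + (collateral * MAX_PREMIUM_BPS) / 10_000, "exceeds collateral");

        // 2. Oracle sanity: the collateral itself must be near $1 and the answer fresh.
        (, int256 price,, uint256 updatedAt,) = usdcUsd.latestRoundData();
        require(price >= 99_000_000 && price <= 101_000_000, "USDC off-peg");
        require(block.timestamp - updatedAt <= 1 hours, "stale oracle");

        // 3. Rate limit: breaching the epoch cap pauses minting instead of reverting, so
        //    the halt survives the transaction and a compromised key cannot simply retry.
        if (block.timestamp >= epochStart + EPOCH) { epochStart = block.timestamp; mintedThisEpoch = 0; }
        if (mintedThisEpoch + usrOut > epochMintCap) {
            paused = true;
            emit CircuitBreakerTripped(id, usrOut, mintedThisEpoch);
            return;
        }
        mintedThisEpoch += usrOut;

        r.done = true; // effects before the external mint call
        usr.mint(r.user, usrOut);
    }
}
```

With the article's figures, the ratio check alone rejects the attack: 200,000 USDC scales to 200,000e18 and allows at most 202,000e18 USR, so an 80,000,000e18 request reverts before any oracle or rate-limit logic runs. The circuit breaker deliberately sets paused and returns rather than reverting, because a revert would roll back the pause along with everything else and leave the compromised signer free to keep trying; the trade-off is that the caller's request stays open until governance unpauses and it is re-processed. None of this replaces fixing the off-chain side, where the complementary change is requiring more than one independent signer before a completeSwap is submitted at all.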
Lessons Learned
The Resolv hack reinforces an uncomfortable truth that the DeFi community has been slow to accept: the security of a protocol is only as strong as its weakest external dependency. Fourteen audits and a half-million-dollar bug bounty are meaningless if the attack vector exists outside the audited code. As DeFi protocols increasingly integrate off-chain services, cloud infrastructure, and external key management systems, the attack surface grows far beyond what traditional smart contract audits can cover.
The industry needs to adopt a holistic security posture that treats off-chain infrastructure as a first-class attack surface. Cloud environments, CI/CD pipelines, and key management systems deserve the same level of scrutiny and hardening that smart contracts receive. Protocols that fail to recognize this reality will continue to discover that their multi-million-dollar security investments can be rendered irrelevant by a single compromised credential that is allowed to sign with an AWS key.
User Action Required
Users who held USR or interacted with the Resolv protocol around March 22, 2026 should monitor official Resolv communications for recovery plans and reimbursement procedures. Any wallets that interacted with the affected contracts should be checked for unauthorized approvals. Going forward, users should evaluate DeFi protocols not just by their audit count but by their key management architecture and whether they enforce on-chain limits on privileged operations. Bitcoin trades at $70,517 and Ethereum at $2,155 as the market absorbs yet another reminder that off-chain trust assumptions remain the soft underbelly of decentralized finance.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
Depegging 80% in minutes because of an AWS key. We keep calling these DeFi failures, but they're really Web2 infrastructure failures wearing a DeFi mask.
Another day, another massive exploit. It’s wild that a $25M protocol still relies on a single AWS key for critical infrastructure. We keep talking about ‘decentralization,’ but if your cloud security is this centralized, the smart contracts don’t even matter. Hope other teams are double-checking their IAM roles after this disaster.
80 million USR minted from $200K in collateral with no max cap check. The smart contract literally trusted whatever the off-chain key signed.
This is exactly why I’m hesitant to move my stack into newer protocols. Hardware security modules (HSMs) should be standard for anything handling this much capital. One mistake by a dev and the whole thing vanishes? Pure insanity. Devs need to prioritize security over shipping fast every single time.
Sarah Jenkins: 14 audits and none of them looked at the AWS key management. That's the problem with audit scope. They check the smart contract and ignore everything around it.