Resolv Caps Exploit Loss at $34 Million with Contract Upgrade to Destroy Hacker Tokens

Resolv Labs executed an on-chain contract upgrade on April 6, 2026 to permanently burn 36.73 million wstUSR and stUSR tokens that were under the control of an attacker, capping the protocol’s estimated net loss from the March 22 exploit at approximately $34 million.

The attacker had used a compromised AWS-hosted private key to mint 80 million unbacked USR tokens with only $100,000 to $200,000 in collateral, swapping 34 million USR for 11,409 ETH (worth about $24.5 million) before liquidity was exhausted, while the remaining tokens were burned by the protocol’s upgrade.

Resolv Uses Contract Upgrade to Destroy Hacker’s Tokens

The upgrade transaction, confirmed on-chain, first unwrapped the stUSR to USR before sending both to the zero address, rendering the tokens irretrievable by anyone, including the hacker. Resolv had previously paused the protocol and offered a 10% white-hat bounty, but the hacker showed no interest in a peaceful resolution, prompting the team to exercise its upgrade authority to destroy the remaining tokens.

The exploit occurred on March 22, 2026, when an attacker used a single compromised AWS-hosted private key controlling the SERVICE_ROLE to approve two large mints. The protocol issued 80 million unbacked USR tokens despite the attacker depositing only $100,000 to $200,000 in USDC as collateral. The hacker quickly swapped 34 million USR for 11,409 ETH, approximately $24.5 million at the time, before liquidity was spent. The remaining tokens lay dormant in the exploiter’s wallets, mostly wrapped as wstUSR.

The depeg resulting from the hacker’s actions caused USR to fall as low as $0.025 on Curve. Resolv’s contract upgrade has been criticized in the past as a centralization risk, similar to levers considered by other projects such as Flow, but the maneuver successfully capped the protocol’s total estimated losses to about $34 million.

DeFi Protocols Suffer Blast Radius from Resolv Exploit

DeFi protocols with exposure to Resolv’s vaults were caught in the blast radius. Morpho vaults absorbed millions in bad debt, triggering massive outflows. Trading Strategy, a DeFi analytics platform, noted that many vaults became illiquid as a result of the Resolv private key compromise, with collateral turning worthless overnight. Some Morpho vaults suddenly showed high yields, but those vaults were illiquid, and depositors were unlikely to be able to withdraw.

Good curators prevented new deposits by setting maximum deposits to zero, but the vault standard does not have a separate flag for “broken” vaults, only “max capacity reached.” Trading Strategy is manually blacklisting problematic vaults, but the process takes time.

Broader DeFi Hack Pattern Continues with Drift and Balancer

The Resolv exploit adds to a grim pattern of large-scale DeFi hacks. Just weeks before Resolv, Balancer Labs, the for-profit entity behind the pioneering automated market maker, announced it was shutting down after losing $128 million in a November 2025 attack. Balancer’s CEO cited ongoing legal fallout and financial toll from the hack, which drained liquidity pools through manipulated vault interactions. The Balancer DAO and protocol remain alive, but the core development company has effectively ended.

April 2026 began with the Drift Protocol reporting a $285 million loss on April 1, linked to North Korean state-sponsored hackers. For Resolv, presenting a final loss figure of $34 million provides a clear baseline for recovery, buying the protocol time that Balancer did not enjoy. Operations remain paused.

FAQ

How did the Resolv exploit happen?

An attacker compromised a single AWS-hosted private key controlling the SERVICE_ROLE, allowing them to mint 80 million unbacked USR tokens with only $100,000–$200,000 in collateral. They swapped 34 million USR for 11,409 ETH (≈$24.5 million) before liquidity was exhausted. Resolv later burned the remaining 36.73 million tokens via a contract upgrade.

What is the final estimated loss for Resolv?

Resolv’s net loss is approximately $34 million. The attacker extracted about $24.5 million in ETH, and the protocol’s upgrade prevented further losses by destroying the remaining hacker-held tokens.

What other DeFi protocols have been affected by recent hacks?

Balancer Labs shut down after a $128 million hack in November 2025, and Drift Protocol suffered a $285 million exploit on April 1, 2026. Morpho vaults also absorbed bad debt from the Resolv incident, becoming illiquid and causing massive outflows.