💰 The Resolv Hack: $23 Million Lost
Source: chainalysis.com | Hacker News
Tags: DeFi Security Blockchain Cryptocurrency
Core insight: On March 22, 2026, an attacker obtained a privileged private key by compromising Resolv's AWS KMS environment and, within minutes, minted 80 million unbacked USR stablecoins for a profit of roughly $23 million. The smart contract code itself was not at fault; the problem lay in the off-chain infrastructure.
What Happened
On March 22, 2026, the Resolv DeFi protocol became the latest example of how quickly things can unravel in DeFi when security assumptions fail. In a matter of minutes, an attacker minted tens of millions of Resolv's unbacked stablecoins (USR) and extracted roughly $23 million in value.
"At first glance, this might look like another smart contract exploit. But it wasn't. The code worked exactly as intended. Instead, it was a case of overly trusting off-chain infrastructure."
Attack Timeline
- Step 1: Attacker compromised Resolv's AWS KMS environment to gain access to the privileged signing key
- Step 2: Made two swap requests with modest USDC deposits (~$100K-200K), then used the SERVICE_ROLE key to authorize 80 million USR minting
- Step 3: Converted USR into wstUSR (wrapped staked USR) to bypass liquidity issues
- Step 4: Swapped into stablecoins, then ETH, extracting ~$25 million
Root Cause
The minting design had a critical flaw:
- Users deposit USDC and submit a minting request
- An off-chain service with a privileged private key signs off on how much USR to mint
- The contract enforces a minimum USR output—but critically, no maximum
- No on-chain ratio check, no price oracle, no cap
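The following is an added example, not Resolv's contract or any code from the Chainalysis writeup. It models the two minting designs in Python: the flawed one, where a valid service-role signature plus a minimum-output check is all the contract verifies, and a hardened one that additionally bounds output against the deposit and a per-window cap. HMAC-SHA256 stands in for the ECDSA signature a real KMS-held key would produce, and the constants MAX_USR_PER_USDC and WINDOW_MINT_CAP are assumptions, not Resolv's parameters.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Assumed constants (not Resolv's actual parameters). USR is meant to trade near
# 1 USDC, so a mint is allowed to exceed the deposit by at most 1% in value.
MAX_USR_PER_USDC = 1.01
# Assumed absolute ceiling on USR minted per settlement window, enforced on-chain
# regardless of what any off-chain signer authorises.
WINDOW_MINT_CAP = 5_000_000


@dataclass
class MintRequest:
    depositor: str
    deposit_usdc: int   # USDC the user actually deposited
    usr_out: int        # USR amount the off-chain service authorised
    min_usr_out: int    # slippage floor chosen by the user
    signature: bytes    # service-role signature over the fields above


def sign_request(service_key: bytes, depositor: str, deposit_usdc: int,
                 usr_out: int, min_usr_out: int) -> bytes:
    """Stand-in for the off-chain signer. HMAC-SHA256 replaces the ECDSA
    signature a real service-role key would produce; only the control flow
    around the signature matters for this example."""
    msg = f"{depositor}|{deposit_usdc}|{usr_out}|{min_usr_out}".encode()
    return hmac.new(service_key, msg, hashlib.sha256).digest()


def _signature_valid(service_key: bytes, req: MintRequest) -> bool:
    expected = sign_request(service_key, req.depositor, req.deposit_usdc,
                            req.usr_out, req.min_usr_out)
    return hmac.compare_digest(expected, req.signature)


def mint_min_only(service_key: bytes, req: MintRequest) -> bool:
    """The flawed design: valid signature plus a minimum-output check.
    Whoever holds the signing key decides the mint amount; nothing bounds it."""
    if not _signature_valid(service_key, req):
        return False
    return req.usr_out >= req.min_usr_out


def mint_bounded(service_key: bytes, req: MintRequest, minted_this_window: int) -> bool:
    """Hardened variant: the signature is still required, but the contract caps
    output against the deposit and against a per-window ceiling, so a stolen
    key can mint at most what the deposited collateral supports."""
    if not _signature_valid(service_key, req):
        return False
    if req.usr_out < req.min_usr_out:
        return False
    # Collateral-ratio check the original design lacked.
    if req.usr_out > req.deposit_usdc * MAX_USR_PER_USDC:
        return False
    # Absolute cap per window, independent of any signer.
    if minted_this_window + req.usr_out > WINDOW_MINT_CAP:
        return False
    return True


def demo() -> dict:
    key = b"constructed-service-role-key"  # constructed; stands in for a KMS-held key
    honest = MintRequest("0xUSER", 100_000, 99_900, 99_000,
                         sign_request(key, "0xUSER", 100_000, 99_900, 99_000))
    # Constructed request shaped like the one in the writeup: modest deposit,
    # enormous authorised output, signed with the (compromised) service key so
    # the signature check itself passes.
    abusive = MintRequest("0xATTACKER", 100_000, 80_000_000, 1,
                          sign_request(key, "0xATTACKER", 100_000, 80_000_000, 1))
    return {
        "honest_min_only": mint_min_only(key, honest),
        "honest_bounded": mint_bounded(key, honest, 0),
        "abusive_min_only": mint_min_only(key, abusive),
        "abusive_bounded": mint_bounded(key, abusive, 0),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that signature validity and amount sanity are separate questions: the flawed path accepts the 80M request because the key is genuine, while the bounded path rejects it on the ratio check before the per-window cap is even reached.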
Key Lessons
- Off-chain infrastructure is part of the attack surface: As DeFi systems use more external services and cloud infrastructure, the attack surface expands far beyond the blockchain itself
- On-chain controls are the last line of defense: Real-time monitoring and automated response mechanisms are now a necessity—exploits unfold in minutes
- Code audits aren't enough: Resolv had undergone 18 audits, but the hack came from compromised cloud infrastructure, not smart contract bugs
How It Could Have Been Prevented
Chainalysis Hexagate could have detected:
- Anomalous minting events: A $100K USDC deposit authorizing 50M USR is obviously anomalous (flag at 1.5x normal ratios)
- Contract event monitoring: Combined with GateSigner to pause the contract automatically before damage is done
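As an added example of the flag-and-pause control described above (not Hexagate's or GateSigner's code), this Python monitor keeps a rolling baseline of the USR-per-USDC mint ratio, flags any mint above 1.5x that baseline, and latches a pause so later mints are refused. The baseline method, the window size, and the constructed event stream are assumptions of the example.

```python
from dataclasses import dataclass
from statistics import median

# Assumed detector parameters (not Hexagate's actual configuration).
ANOMALY_FACTOR = 1.5     # flag when a mint's ratio exceeds 1.5x the baseline
BASELINE_WINDOW = 10     # recent accepted mints that define "normal"


@dataclass
class MintEvent:
    block: int
    depositor: str
    deposit_usdc: int
    usr_minted: int

    @property
    def ratio(self) -> float:
        return self.usr_minted / self.deposit_usdc


class MintMonitor:
    """Watches mint events and raises a pause the first time a mint's
    USR-per-USDC ratio exceeds ANOMALY_FACTOR times the rolling baseline."""

    def __init__(self) -> None:
        self.history: list[float] = []
        self.alerts: list[MintEvent] = []
        self.paused = False

    def baseline(self) -> float:
        # With no history, fall back to the nominal 1:1 peg.
        if not self.history:
            return 1.0
        return median(self.history[-BASELINE_WINDOW:])

    def observe(self, ev: MintEvent) -> str:
        if self.paused:
            return "ignored: contract paused"
        # A mint with no deposit behind it is anomalous by definition.
        if ev.deposit_usdc <= 0 or ev.ratio > ANOMALY_FACTOR * self.baseline():
            self.alerts.append(ev)
            self.paused = True   # automatic pause, GateSigner-style
            return "PAUSE"
        self.history.append(ev.ratio)
        return "ok"


def run_sample() -> tuple[MintMonitor, list[str]]:
    # Constructed event stream: ordinary near-1:1 mints, then a key-abuse mint
    # shaped like the one in the writeup, then a mint that arrives after the pause.
    events = [
        MintEvent(100, "0xA", 50_000, 49_950),
        MintEvent(101, "0xB", 120_000, 119_880),
        MintEvent(102, "0xC", 8_000, 7_992),
        MintEvent(103, "0xD", 250_000, 249_750),
        MintEvent(110, "0xATT", 150_000, 80_000_000),
        MintEvent(111, "0xE", 10_000, 9_990),
    ]
    monitor = MintMonitor()
    decisions = [monitor.observe(e) for e in events]
    return monitor, decisions


if __name__ == "__main__":
    m, d = run_sample()
    for ev, decision in zip(run_sample()[1], d):
        pass
    print(d, [a.block for a in m.alerts])
```

Using the median of recent ratios rather than the mean keeps one outsized mint from dragging the baseline up, and latching the pause means the monitor does not need to re-derive a verdict for every event that follows the first alert.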
Explored from Hacker News (news.ycombinator.com) | 2026-03-24