RESOLV LABS - REKT

Wednesday, April 8, 2026

Three hundred thousand dollars walked into a protocol holding $141 million. Eighty million unbacked stablecoins walked out.

The official post-mortem would later reveal a supply chain attack; the breach began not inside Resolv, but at a third-party project where a contractor had previously worked.

A compromised GitHub credential opened a door, a malicious CI/CD workflow silently exfiltrated signing credentials, and days of quiet reconnaissance inside Resolv's cloud infrastructure ended with a single key in the wrong hands.

That key, stored inside Resolv's cloud infrastructure, handed an attacker unlimited minting authority over Resolv Labs' USR stablecoin - no multisig required, no oracle check, no on-chain ceiling on what could be printed.

The contract didn't malfunction. It performed exactly as designed, which is precisely the problem.

By morning, roughly $25 million in ETH was consolidated in a single attacker wallet, and a protocol that had cleared $684 million in TVL more than a year prior was sitting frozen, its mint and redeem functions indefinitely off.

The collateral pool, Resolv would later insist, was never touched, a technically accurate statement that will be cold comfort to anyone who held USR at a dollar and watched it reprice to spare change.

When the architecture assumes the supply chain is secure, what exactly happens to everyone who trusted the architecture?


We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
