AWS KMS compromise let 80M USR be minted on March 22 — custody, not collateral math, failed

March 24, 2026

On March 22, 2026 an attacker used a compromised private key to authorize unbacked minting that pushed USR supply to 80 million, immediately violating the token’s overcollateralization assumption. This was not a smart‑contract flaw in the peg mechanism but a custody failure enabled by access to Resolv’s AWS Key Management Service. (Source: Chainalysis X thread)

The sequence so far

Public traces and the issuer’s statements show a short, sharp sequence: the attacker accessed the authority that signs minting, minted a large volume of USR, and then exchanged some of the illicit supply for other assets. Total minted USR tokens reached 80 million, while minting was backed by only roughly $100k–$200k in USDC deposits before controls shut the flows down. (Source: Chainalysis X thread)

Resolv Labs confirmed the breach was enabled by a compromised private key and that the attacker obtained on the order of 11,400 ETH from the theft; the issuer also reported roughly $0.5M in USDC redemptions processed before the system was stopped. (Source: Resolv Labs X statement)

What mattered in the liquidation path

Mechanically, the minting authority sits outside the on‑chain collateral math: USR is an overcollateralized stablecoin natively backed by ETH, but the peg and the model assume that new tokens are only issued against legitimate ETH backing. When a party with signing authority issues tokens without matching collateral, the liquidation and recovery assumptions that lenders and counterparties rely on no longer hold. In plain terms: the collateral anchor was bypassed by a custody action, so protocols treating USR as collateral could suddenly face unquantified exposure.
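The gap described above can be watched for with a reconciliation check that runs independently of the signing key. The following is an added example, not code from the article or from Resolv: the `Mint` record, its fields, `audit_mints` and the tolerance are hypothetical, a nominal 1 token = 1 USD is assumed, and the sample events are constructed rather than taken from the actual transactions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Mint:
    request_id: str
    deposit_usd: Decimal  # collateral value received for this request
    minted: Decimal       # tokens the signing key authorized


def audit_mints(mints, tolerance=Decimal("0.01")):
    """Flag signed mints not covered by their deposit (1 token = 1 USD nominal).

    Returns (alerts, unbacked_total); alerts is a list of (request_id, reason).
    """
    alerts = []
    unbacked_total = Decimal(0)
    for m in mints:
        allowed = m.deposit_usd * (1 + tolerance)
        if m.minted <= allowed:
            continue
        # A zero or negative deposit would break the ratio, so report it explicitly.
        if m.deposit_usd <= 0:
            reason = "mint without deposit"
        else:
            reason = f"minted {m.minted / m.deposit_usd:.0f}x the deposit"
        alerts.append((m.request_id, reason))
        unbacked_total += m.minted - max(m.deposit_usd, Decimal(0))
    return alerts, unbacked_total


# Constructed sample events, not the actual on-chain transactions.
SAMPLE = [
    Mint("req-1", Decimal("25000"), Decimal("25000")),
    Mint("req-2", Decimal("100000"), Decimal("50000000")),
    Mint("req-3", Decimal("0"), Decimal("1000")),
    Mint("req-4", Decimal("100000"), Decimal("30000000")),
]

if __name__ == "__main__":
    alerts, unbacked = audit_mints(SAMPLE)
    for request_id, reason in alerts:
        print(request_id, reason)
    print("unbacked supply:", unbacked)
```

A check like this only helps if it reads deposits and mints from sources the minting key cannot alter, and if an alert can pause issuance without that same key.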

Where collateral exposure could surface

This incident surfaces two clear exposure channels for lenders and markets. First, any protocol or counterparty accepting USR as collateral saw the effective quality of that collateral fall because token supply no longer reflected only ETH backing. Second, the event highlights that custody and key management are the upstream control points for overcollateralized stablecoins — a failure there can negate on‑chain protections.

Both points are supported by the confirmed facts: USR’s design is ETH‑backed and overcollateralized, and the breach involved compromised signing authority that enabled large unbacked minting.

Where the real pressure point sits

Assetify judgment: this episode revealed that custody of minting keys — and controls around services such as AWS Key Management Service — is the real pressure point for designer stablecoins that rely on off‑chain authorities. The token‑level collateral math can only secure value if the issuance authority itself is secure. For lenders and protocols, the earned lesson is specific: treat off‑chain signing and key management failures as first‑order collateral risks, not second‑order operational noise.

Because the failure mode here was an ability to create unbacked supply, the correct protective response for lenders is contractual and risk‑selection oriented — reassess whether a nominally overcollateralized stablecoin still meets counterparty‑grade collateral criteria when its issuance depends on external key custodians.
