Sunday’s $23 million hack of Resolv’s stablecoin USR has led to contagion throughout the DeFi sector.
Opportunistic traders used depegged USR to borrow against, draining liquidity in over a dozen yield vaults.
To make matters worse, so-called “risk curators” then automatically allocated more funds to damaged markets as lending rates spiked.
In November, an identical contagion hit DeFi’s “curated” vault ecosystem after Stream Finance announced a $93 million loss, resulting in a 75% of xUSD.
Despite discussions of risk ratings and curators putting up first-loss capital in the aftermath, it seems not much was learned after all.
The hack
Resolv Labs’ statement confirmed that a private key compromise led to the unauthorized (and unrestricted) “minting of approximately $80 million of uncollateralized USR.”
USR’s pre-hack token supply remains fully backed, with losses coming from liquidity providers (LPs) on decentralized exchanges as the hacker sold the minted tokens. For example, LPs on Curve Finance alone are estimated to have lost $17 million.
The hacker’s sell-off caused a depeg of USR, which is currently trading at $0.23, according to CoinMarketCap data. Blockchain security firm Beosin puts the attacker’s profit at 11,409 ether (ETH), worth over $23 million at the time of writing.
The Resolv team faced criticism for a slow response time while gathering the required multisig signatures to pause the protocol.
It has contacted the exploiter on-chain, requesting return of 90% of the converted ETH, as well as the remaining USR.
The fallout
The hack may have been simple, but the knock-on effects were anything but.
Depegged USR was pounced upon by opportunistic traders who used it to drain yield vaults with hardcoded price oracles. By buying cheap USR to use as collateral, users could borrow other assets, such as USDC, as if USR were still worth $1.
50 milly minted to some random pockets and began dumping
morpho markets more likely to have some problem with debt as degens had been in a position to purchase low cost wstUSR and borrow USDC in mounted fee markets
in the meantime gauntlet bots rush to provide extra to a damaged market… https://t.co/NjssqaWnbn pic.twitter.com/kSSmInioKE
— Togbe (@Togbe0x) March 22, 2026
As if things weren’t bad enough, “risk curators’” automated systems then allocated further funds to the affected markets, whose high utilization had spiked supply yields.
Chaos Labs’ Omer Goldberg explained how Morpho’s Public Allocator feature allowed curators “including Gauntlet, re7, kpk, and 9summits” to auto-allocate tens of millions of dollars’ worth of assets into markets “based on pre-configured and approved caps and credit lines.”
In some cases, Goldberg says, allocation into damaged vaults continued for hours.
The chaos also brought innovation, however, as the auto-allocations were even specifically targeted to unlock more liquidity. Enterprising competitor Obsidian also capitalized on the incident, offering a migration service to users whose deposits are stuck in illiquid Morpho vaults.
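The two failure modes described in this section, a hardcoded collateral price and an allocator that follows utilization, can be shown in a small model. This is an added example, not code from Morpho, Resolv or any curator; the class, function names, LLTV, deviation tolerance and market sizes are constructed assumptions, and only the $0.23 spot price comes from the article.

```python
from dataclasses import dataclass

LLTV = 0.90           # assumed loan-to-value limit (constructed)
MAX_DEVIATION = 0.05  # assumed tolerated gap between oracle and spot price
TARGET_UTIL = 0.80    # assumed utilization above which the allocator tops up

@dataclass
class Market:
    oracle_price: float      # collateral price the market uses (hardcoded)
    supplied: float          # loan asset deposited by lenders
    collateral: float        # collateral units posted by borrowers
    borrowed: float = 0.0

    def borrow_max(self) -> float:
        """Borrow up to the oracle-valued limit, capped by idle liquidity."""
        limit = self.collateral * self.oracle_price * LLTV - self.borrowed
        amount = max(0.0, min(limit, self.supplied - self.borrowed))
        self.borrowed += amount
        return amount

    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

def oracle_deviates(market: Market, spot: float) -> bool:
    """True when the hardcoded price is further from spot than tolerated."""
    return abs(market.oracle_price - spot) / market.oracle_price > MAX_DEVIATION

def allocate(market: Market, amount: float, spot: float, guarded: bool) -> float:
    """Top up a highly utilized market; the guarded variant checks price first."""
    if market.utilization() < TARGET_UTIL:
        return 0.0
    if guarded and oracle_deviates(market, spot):
        return 0.0  # the high yield is a symptom of a broken market
    market.supplied += amount
    return amount

def run(guarded: bool, spot: float = 0.23) -> dict:
    """Constructed scenario: oracle says 1.00 while collateral trades at spot."""
    m = Market(oracle_price=1.0, supplied=1_000_000.0, collateral=2_000_000.0)
    m.borrow_max()                                   # drains existing liquidity
    added = allocate(m, 500_000.0, spot, guarded)    # allocator reacts to yield
    m.borrow_max()                                   # drains anything just added
    bad_debt = max(0.0, m.borrowed - m.collateral * spot)
    return {"added": added, "borrowed": m.borrowed, "bad_debt": bad_debt}

if __name__ == "__main__":
    print("unguarded:", run(guarded=False))
    print("guarded:  ", run(guarded=True))
```

The guard does not remove the bad debt already created by the hardcoded price; it only stops the allocator from adding fresh lender funds to a market whose collateral price no longer matches spot.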
Assessing the damage
Morpho’s Paul Frambot tallied 15 affected vaults with over $10,000 of exposure to USR.
According to security researcher Weilin Li, curators of the affected vaults, on Morpho and elsewhere, include Gauntlet, Re7, MEV Capital, Extrafi, Seamless, August, Clearstar, kpk, Leyrock and 9Summits.
For those who followed November’s collapse, many of these names may be familiar.
Yearn, whose contributors were among the harshest critics of the yield vaults that led to November’s crash, suffered a minimal loss of $377.
Ironically (or tellingly), Resolv’s own risk manager, Steakhouse, wasn’t exposed to USR, despite stating that “operationally, Resolv demonstrates institutional rigor” just five days before the hack.
The backing of Inverse Finance’s DOLA stablecoin was indirectly exposed to the depeg of USR, with the team pledging to patch the $340,000 hole.
A number of lending markets paused USR markets, including Venus Protocol, which was itself hacked last weekend, and Lista.
Fluid was the worst hit, and may have accrued up to $17.5 million of bad debt. However, the team reassured users that it had “secured short-term loans to cover 100% of the bad debt.”
It is also considering selling FLUID tokens “should any additional funds be required.”
DeFi daisy chain
The web of platforms affected by the compromise of a single private key is a stark reminder of how one of DeFi’s key innovations, interoperability, is a double-edged sword.
Automated allocation may optimize returns under normal circumstances, but when things break, which they often do in DeFi, unintended behavior follows.
Without their own funds in play, the current setup incentivises “malicious game theory pushing [curators] to seek more risk.”
This latest episode has renewed calls for curators to have skin in the game. One approach is tranching of deposits, with curators set to lose out first should their risk be improperly “curated.”
