The stablecoin USR, issued by Resolv Labs, has lost its peg to the U.S. dollar following a major security exploit that allowed an attacker to mint tens of millions of unbacked tokens. The incident began on Sunday, March 22, 2026, when on-chain data revealed an attacker was able to mint 50 million USR by depositing only $100,000 worth of USDC.
Resolv Labs confirmed the exploit via X, stating it had paused all protocol functions to prevent further malicious actions and was actively working on recovery. Blockchain security firm PeckShield later reported the attacker minted an additional 30 million USR tokens, bringing the total suspected minted amount to approximately $80 million worth of USR.
Crypto fund D2 Finance analyzed the attack, suggesting the minting function on USR's contract was fundamentally broken. "Either the oracle was gamed, the off-chain signer was compromised, or the amount validation between request and completion is simply missing," the firm stated.
The attacker moved swiftly to cash out, transferring the 50 million newly minted USR to multiple decentralized finance (DeFi) protocols. There, they swapped the tokens for stablecoins USDC and USDT before "aggressively" converting them to Ether (ETH). D2 Finance described the exit as a "textbook DeFi hack cashout running at full speed."
The massive sell pressure caused USR to depeg dramatically. On the Curve Finance pool—USR's most liquid pool with a 24-hour volume of $3.6 million—the token's price against USDC flash-crashed to a low of $0.025 just 17 minutes after the initial mint. D2 Finance estimated the attacker extracted around $25 million from the attack as liquidity dried up and slippage worsened, with USR selling as low as 50 cents on some trades.
According to CoinGecko, USR is currently trading around $0.87, approximately 13% below its $1 peg, though it had fallen as low as $0.06 according to other reports. The Curve pool has partially recovered, with USR trading at 84.5 cents. Aave, a leading DeFi protocol, issued a statement clarifying it has no exposure to Resolv Labs' USR.
This exploit follows a broader trend where crypto-related hacks declined sharply in February, with $49 million lost compared to $385 million in January, as attackers shift focus to phishing scams over protocol exploits.
