The decentralized finance sector suffered two major security breaches on May 27, 2026, highlighting persistent vulnerabilities in protocol design and key management. The Resolv Foundation unveiled a recovery plan after a smart contract exploit allowed an attacker to mint ~80 million USR tokens, causing an estimated $25 million loss. Simultaneously, the deployer wallet of Stake DAO on the Arbitrum network was compromised, leading to the unauthorized minting of 5.4 trillion vsdCRV tokens, swiftly swapped for approximately 43.7 ETH (~$90,000).
Resolv Foundation’s tiered compensation strategy: Users holding USR or wrapped staked USR (wstUSR) before the exploit can exchange their tokens for USDC at a 1:1 ratio based on a pre‑incident snapshot. Tokens acquired after the breach will be exchanged at 1:0.5 to discourage speculation. Additionally, RLP (Resolv Liquidity Provider) token holders will receive 0.71 USDC per RLP plus extra RESOLV tokens at $0.03 each. The foundation aims to stabilise the ecosystem and rebuild trust, subject to community feedback.
Stake DAO’s private key leak: The attacker gained control of the deployer key on Arbitrum, minted the massive vsdCRV supply, and traded it for ETH. The incident underscores the danger of single‑key operational control, as no multi‑signature or governance delay prevented the mint. While immediate financial loss was limited, the exploit undermines confidence in vsdCRV and Stake DAO’s overall security posture.
Both events illustrate the continuing challenge of securing DeFi protocols. The Resolv Foundation’s structured recovery plan and Stake DAO’s breach reinforce calls for stronger key management and rigorous audits across the industry.
