Beyond the Resolv hack, this type of DeFi vulnerability has already appeared four times.

深潮TechFlow
In 17 minutes, 100,000 turned into 25 million.

Author: The Defiant

Translation: Deep Ocean TechFlow

Introduction by Deep Ocean: This article not only reviews the Resolv vulnerability but discusses a more disturbing issue: the same attack pattern—hardcoded oracles pricing unpegged stablecoins at 1 dollar—has occurred at least four times in the past 14 months. The problem is not a technical glitch, but rather the flawed incentive structure of the curator model: risks are borne by depositors, while profits are taken by curators.

The full text is as follows:

On a quiet Sunday morning, someone turned 100,000 dollars into 25 million dollars in approximately 17 minutes.

The target was the yield-bearing stablecoin protocol Resolv. By the time Resolv paused its contract, its dollar-pegged stablecoin USR had dropped to a few cents. As of the writing of this article, USR is still significantly unpegged, trading at about 0.25 dollars, having fallen more than 70% this week.

The impact goes far beyond Resolv itself. Fluid/Instadapp absorbed over 10 million dollars of bad debt in a single day, and on the same day faced over 300 million dollars of net outflow, setting a record for the largest single-day outflow in its history. Fifteen Morpho vaults were affected. Euler, Venus, Lista DAO, and Inverse Finance successively halted USR-related markets.


The mechanism that led to the spread of losses due to this vulnerability—pricing unpegged stablecoins at 1 dollar in the lending market—is not a new phenomenon. This situation has occurred at least four times over the past 14 months.

How the vulnerability works

The minting of USR follows a two-step process in which the second step is authorized off-chain: users deposit USDC through the `requestSwap` function, and a privileged off-chain signing key, `SERVICE_ROLE`, finalizes the amount of USR issued through `completeSwap`. The contract enforces a minimum output but no maximum. Whatever the key holder signs, the contract executes.

The attacker gained access to this key through Resolv's AWS Key Management Service. They made two USDC deposits totaling about 100,000 to 200,000 dollars, then leveraged the stolen key to authorize the minting of 80 million USR in return. On-chain data shows the two transactions were for 50 million USR and 30 million USR, both completed within minutes.

"The Resolv USR vulnerability is not a bug—but rather a feature that functions as designed. That is the problem," said on-chain analyst Vadim (@zacodil).

SERVICE_ROLE is an ordinary externally owned account (EOA), not a multisig. The administrator key is protected by a multisig, but the minting key is not.

"Resolv has undergone 18 audits," Vadim said, "one of which was directly called 'missing upper limit'."
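To make the "missing upper limit" concrete, here is an added Python model (not Resolv's code) of the two-step swap: the vulnerable path mints whatever `SERVICE_ROLE` signs above the minimum, while a hardened path also caps the output by the deposit and by a per-epoch limit. The 1% premium, the 5M epoch cap, the deposit sizes and the signer address are assumptions; the 50M and 30M mints are the article's figures.

```python
from dataclasses import dataclass, field

# Constructed model of the two-step swap described above: request_swap() records a USDC
# deposit and complete_swap() mints whatever amount the SERVICE_ROLE signer authorised.
# The premium and epoch cap in the hardened path are assumptions, not Resolv parameters.
SERVICE_ROLE = "0xSERVICE_ROLE_EOA"  # placeholder for the signer address

@dataclass
class Minter:
    hardened: bool = True
    max_premium: float = 0.01        # assumed: output may exceed the deposit by at most 1%
    epoch_cap: float = 5_000_000.0   # assumed: USR mintable per epoch, whatever the key signs
    minted_this_epoch: float = 0.0
    total_supply: float = 0.0
    pending: dict = field(default_factory=dict)  # request_id -> USDC deposited

    def request_swap(self, request_id: int, usdc_in: float) -> None:
        self.pending[request_id] = usdc_in

    def complete_swap(self, signer: str, request_id: int, usr_out: float, min_out: float) -> float:
        # Vulnerable path: only the signer and a minimum output are checked.
        if signer != SERVICE_ROLE:
            raise PermissionError("caller lacks SERVICE_ROLE")
        usdc_in = self.pending.pop(request_id)
        if usr_out < min_out:
            raise ValueError("below minimum output")
        if self.hardened:
            # Upper bound enforced by the contract: a signature alone cannot justify
            # more USR than the deposit backs.
            if usr_out > usdc_in * (1 + self.max_premium):
                raise ValueError(f"{usr_out:,.0f} USR exceeds deposit-backed maximum")
            # Rate limit: bounds what a compromised key can mint before anyone reacts.
            if self.minted_this_epoch + usr_out > self.epoch_cap:
                raise ValueError("epoch mint cap exceeded")
        self.minted_this_epoch += usr_out
        self.total_supply += usr_out
        return usr_out

def replay(hardened: bool) -> float:
    """Replay the article's two mints (50M and 30M USR) and return the USR actually issued."""
    m = Minter(hardened=hardened)
    for rid, deposit, signed_out in [(1, 50_000.0, 50_000_000.0), (2, 50_000.0, 30_000_000.0)]:
        m.request_swap(rid, deposit)  # constructed deposits, roughly the article's total
        try:
            m.complete_swap(SERVICE_ROLE, rid, signed_out, min_out=deposit)
        except ValueError:
            pass  # hardened minter rejects the unbacked amount
    return m.total_supply
```

`replay(False)` issues the full 80 million USR; `replay(True)` issues nothing, because neither signed amount is backed by its deposit.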

The attacker methodically exited: first converting the minted USR into wstUSR (the staked wrapped version) to mitigate market impact, then trading it for ETH via Curve, Uniswap, and KyberSwap. The attacker’s wallet held approximately 11,400 ETH (about 24 million dollars). The ETH and BTC collateral pools supporting the entire system remained intact while the stablecoins collapsed.

How contagion spread

The Resolv vulnerability is actually two incidents layered on top of one another. The first was the minting vulnerability, and the second was the failure of the interconnected lending markets.

When USR and wstUSR crashed, every lending market that accepted them as collateral faced the same problem: their oracles continued to price wstUSR close to 1 dollar.

Omer Goldberg, founder of risk analysis firm Chaos Labs, documented this mechanism. His core finding was: "The oracle is hardcoded, thus it never reprices. wstUSR was marked at 1.13 dollars while its trading price in the secondary market was about 0.63 dollars."

Traders bought wstUSR at a low price on the open market and then used it as collateral on Morpho or Fluid at the oracle price of 1.13 dollars to borrow USDC before exiting.
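The check a curator or risk desk would want here, as an added Python example that is not part of the original article: compare the oracle's fixed price with the secondary-market price, trip a circuit breaker on new borrows when they decouple, and measure how much debt the collateral would actually cover at market. The 1.13 and 0.63 prices are the article's; the 5% threshold, 86% LTV and the sample positions are assumptions.

```python
from dataclasses import dataclass

# Constructed monitor for the failure described above: a lending market whose oracle returns
# a fixed price while the collateral trades far below it. Prices follow the article (wstUSR
# marked at 1.13, trading near 0.63); the deviation threshold, LTV and positions are assumptions.

@dataclass
class Position:
    collateral: float  # wstUSR posted
    debt_usdc: float   # USDC borrowed against it

def price_deviation(oracle_price: float, market_price: float) -> float:
    """Fraction by which the oracle overstates the market price (positive = overpriced)."""
    return (oracle_price - market_price) / market_price

def circuit_breaker(oracle_price: float, market_price: float, max_dev: float = 0.05) -> bool:
    """True when new borrows should be frozen because the oracle has decoupled from the market."""
    return abs(price_deviation(oracle_price, market_price)) > max_dev

def assess(pos: Position, oracle_price: float, market_price: float, ltv: float) -> dict:
    """Contrast what the oracle permits with what the collateral would fetch if liquidated."""
    borrow_cap = pos.collateral * oracle_price * ltv  # what the market's own rules allow
    real_value = pos.collateral * market_price        # what liquidators could actually recover
    return {
        "healthy_by_oracle": pos.debt_usdc <= borrow_cap,
        "bad_debt": max(0.0, pos.debt_usdc - real_value),
    }

def scan(positions, oracle_price, market_price, ltv=0.86, max_dev=0.05) -> dict:
    """Aggregate view a curator or risk desk would want during a depeg."""
    reports = [assess(p, oracle_price, market_price, ltv) for p in positions]
    return {
        "freeze_new_borrows": circuit_breaker(oracle_price, market_price, max_dev),
        "healthy_by_oracle": sum(r["healthy_by_oracle"] for r in reports),
        "underwater_at_market": sum(r["bad_debt"] > 0 for r in reports),
        "bad_debt_usdc": sum(r["bad_debt"] for r in reports),
    }
```

A position of 1M wstUSR carrying 900k USDC of debt looks healthy to the oracle (cap 971.8k) yet leaves 270k of bad debt at the 0.63 market price, which is exactly the gap the article's traders monetised.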

At Fluid, the team raised short-term loans to cover 100% of the bad debt and promised to fully compensate every user. At Morpho, co-founder Paul Frambot stated that about 15 vaults had considerable exposure, all engaged in high-risk, long-tail collateral strategies.

Notable curator Gauntlet stated, "A few high-yield vaults have limited exposure."

But D2 Finance directly countered this claim, releasing on-chain data showing Gauntlet's flagship "USDC Core vault" allocated 4.95 million dollars to the wstUSR/USDC market. Goldberg later noted that Gauntlet vaults accounted for 98% of the lending liquidity in that market.

Frambot stated in a written response to The Defiant, "We have been exploring how to present various risks more comprehensively. However, we do not believe the core issue here is a lack of labeling."

Frambot added, "Morpho is oracle-agnostic, meaning it allows curators to choose any oracle they believe is best suited for a particular market. Morpho is open and permissionless infrastructure designed to outsource risk management to curators."

"It's challenging to enforce an objectively 'correct' barrier in every scenario," Frambot said. "Imposing constraints at the protocol level also risks hindering the implementation of legitimate strategies."

While the underlying protocol leaves risk management to curators, some industry insiders feel that curators have not fulfilled their responsibilities.

"I believe the design of the curator industry is flawed because there isn't any real curation happening," Marc Zeller stated on X.

As of this writing, Resolv, Gauntlet, and Fluid have not responded to The Defiant's request for comments.

A recurring failure pattern

This is not a novel attack. In January 2025, Usual Protocol's USD0++ was hardcoded at 1 dollar by curator MEV Capital in the Morpho vault. Usual then suddenly adjusted the redemption floor to 0.87 dollars without any warning, locking lenders in the MEV Capital vault, which surged to 100% utilization.

In November 2025, Stream Finance's xUSD crashed after the curator routed USDC deposits into a leveraged loop supported by that synthetic stablecoin, putting an estimated 285 million to 700 million dollars of assets at risk when its oracle refused to update. Moonwell faced two oracle failures consecutively in October and November 2025, resulting in over 5 million dollars of bad debt.

What this means for the curator model

The architecture of Morpho outsources all risk decisions to third-party "curators", who construct vaults, select collateral, set loan-to-value ratios, and choose oracles. The theory is that specialized institutions possess deeper expertise and that competition leads to better risk management, while the protocol is responsible only for executing the rules.

However, curators rely on the yield generated to earn fees, creating an incentive to accept higher-risk, higher-yield collateral (such as yield-bearing stablecoins). The problem is that when these stablecoins become unpegged, the losses are borne by depositors, not curators. In the Resolv incident, some curators' automated bots continued to inject funds into affected vaults hours after the vulnerability occurred, exacerbating the losses.

The reason for employing hardcoded oracles for yield-bearing stablecoins is to prevent short-term volatility from triggering unnecessary liquidations. But this protection is only effective if the stablecoins remain stable.

On-chain analytics firm Chainalysis stated in a postmortem that real-time on-chain detection capabilities are needed.

"On-chain smart contracts were operating perfectly fine. The issue clearly lies with the broader system design and off-chain infrastructure," said the analysis firm.
