Tldr:
- Attackers illegally minted 80 million USR tokens by taking over Resolv’s off-chain signing infrastructure on March 22, 2026.
- The hacked contractor’s GitHub credentials from a third-party project served as an initial entry point into Resolv’s systems.
- About 46 million illicitly minted USRs were neutralized through direct burning and blacklisting after a period of time.
- Resolv now offers on-chain mint caps, OIDC-based authentication, and automatic pause mechanisms to prevent future breaches.
Solution protocol It fell victim to a sophisticated cyber attack on March 22, 2026, resulting in a loss of $25 million. Attackers exploited off-chain signing infrastructure to mint 80 million USR tokens without proper authorization.
The breach was detected across multiple organizations and infrastructure layers. Resolv has since contained the attack, revoked all compromised credentials, and temporarily halted most protocol operations.
USR holders are compensated prior to the hack on a 1:1 basis, with most redemptions already processed.
How attackers went from third-party compromise to Resolv platforms
The attack started outside of Resolv’s entire infrastructure. A contractor had previously contributed to a third-party project that was hacked separately.
The attackers obtained the GitHub credentials associated with that contractor’s account. These single credentials opened a door to Resolv code repositories.
Once inside, the attackers deployed the malicious GitHub workflow. This workflow quietly extracted sensitive infrastructure credentials without triggering outbound network detection.
solution It was confirmed in her autopsy That the attackers “removed their access from the repository to reduce their criminal footprint” after pulling those credentials.
The extracted credentials then gave them access to the Resolv cloud environment. over several days, attackers Performed quiet reconnaissance, mapping services, and verification of API keys associated with third-party integrations. They worked systematically before moving towards implementation.
Obtaining the authority to sign a mint key was not easy. Multiple escalation attempts failed due to existing access controls.
As Resolv’s post-mortem noted, the attackers eventually used the “higher-privilege role’s policy management capabilities to directly modify the key access policy, granting themselves signing authority.”
How has the protocol responded and what changes are now underway
Real-time monitoring indicated the first anomalous transaction within approximately one hour of the initial minting. The team then began preparing to pause contracts, stop back-end services, and revoke the compromised credentials. At 05:16 UTC, all relevant smart contracts with the pause function were completely stopped on the chain.
By 05:30 UTC, the revoked credentials completely cut off the attackers’ access to the cloud. “Forensic records confirm that the attackers were active as of 05:15 UTC,” Resolv noted, meaning containment occurred while the threat was still present. About 46 million of the 80 million illegally minted USRs have since been neutralized through burns and blacklisting.
Resolv has hired several outside companies to help with the recovery. These solutions include Hexens for infrastructure forensics, MixBytes for smart contract auditing, SEAL 911 for emergency coordination, and Hypernative for real-time monitoring. Mandiant and ZeroShadow are also set to join the wider investigation.
Going forward, Resolv plans to replace CI/CD credentials with OIDC-based credentials Authentication. The team stated that it is “implementing on-chain mints and oracle-based price validation for mining operations” as part of its remediation plan.
Automated emergency pause mechanisms linked to live monitoring are also being developed to prevent similar delays in incident response in the future.
