Resolv Postmortem: Credential Abuse Led to 80M USR Mint and $25M ETH Loss
Resolv says a coordinated attack on March 22, 2026 enabled intruders to obtain signing authority, mint 80 million USR, and rapidly swap the proceeds into ETH, draining about $25 million.
The protocol's post-incident report describes a multi-stage compromise spanning GitHub, cloud environments, and exposed API keys. Resolv said direct production code deployment was blocked by safeguards, prompting the attackers to shift to a malicious workflow that quietly exfiltrated sensitive credentials.
Resolv traced the initial access to a compromised third-party project connected to a contractor account. The attackers used the resulting GitHub credentials to enter internal repositories, then pivoted into cloud systems to map infrastructure and hunt for API keys. They ultimately escalated privileges by altering access policies tied to a signing key, giving them the ability to approve mint operations.
With signing control in hand, the attackers executed a first mint of 50 million USR at 02:21 UTC, then began routing the tokens through multiple wallets and decentralized exchanges to convert them into ETH. A second transaction at 03:41 UTC minted another 30 million USR. Resolv said the conversion and extraction unfolded over roughly 80 minutes.
Monitoring tools flagged unusual activity early, triggering an incident response that included halting backend services and preparing contract pauses. Resolv said it revoked compromised credentials by 05:30 UTC, cutting off the attackers' access, and paused relevant smart contracts while shutting down affected infrastructure.
After containment, the protocol neutralized about 46 million USR via token burns and blacklist controls. Resolv said pre-hack USR holders are being made whole, with most redemptions already processed.
External responders Hypernative, Hexens, MixBytes, and SEAL 911 are supporting the investigation. Additional reviews involving Mandiant and ZeroShadow are focused on infrastructure hardening and fund tracing. Resolv said operations remain paused as forensics and system upgrades continue.