Incident Report
What happened on
March 21, 2026
A sophisticated attacker compromised a privileged signing key used by Resolv's off-chain minting infrastructure, enabling unauthorized USR token minting without corresponding collateral backing.
Fake Tokens Minted
80M USR
Unauthorized USR minted via a compromised off-chain signing key — no Solidity exploit was involved. The contract behaved correctly with malicious input.
Actual Funds Extracted
~$25M
Attacker deposited ~$100–200K USDC, then swapped manufactured USR to stablecoins and ETH (~11,000+ ETH) via Curve, Uniswap, and other DEXs.
Tokens Burned / Removed
46M USR
Protocol team blacklisted attacker addresses and burned ~46M of the malicious tokens. Minting and redemption were paused immediately after detection.
Collateral Pool Status
Intact
Underlying collateral assets were not stolen. The exploit exploited the minting permission layer, not the protocol's treasury or backing reserves.
Eligibility Criteria
Who qualifies for
a refund?
Refund eligibility is determined by a snapshot of on-chain positions taken at block 22,347,881 (approximately 02:14 UTC, March 21, 2026), immediately prior to the first malicious mint transaction.
USR holders at snapshot block
Any wallet holding USR at block 22,347,881 that suffered verifiable value loss due to the depegging event.
wstUSR stakers affected by depeg
Holders of wrapped staked USR (wstUSR) who experienced impaired redemption value or were unable to exit at parity.
DeFi protocol integrators with bad debt
Lending protocols (Morpho, Euler, Venus, etc.) and their users who incurred bad debt because USR collateral was priced at par during the depeg.
Positions opened after the incident
Wallets that acquired USR or wstUSR after the snapshot block are not eligible for the base refund pool.
Snapshot Parameters
Refund amounts are calculated based on the deviation between the snapshot-time USR position value (at $1.00 peg) and the final settled exit value per USR, capped at $0.25 loss per token.
| Snapshot Block | 22,347,881 |
| Snapshot Time | 2026-03-21 02:14 UTC |
| Reference Peg | $1.0000 / USR |
| Min USR to Qualify | 10 USR |
| Max Refund / Token | $0.2500 / USR |
| Total Refund Pool | $25,000,000 USDC |
| Pro-rata Cap | Enabled if oversubscribed |
| Claim Deadline | 2026-04-26 23:59 UTC |
Process
How to claim your refund
The refund process is fully on-chain and non-custodial. No KYC is required for wallets with under $10,000 in eligible losses.
01
Connect Your Wallet
Connect the wallet that held USR or wstUSR at the snapshot block. The system will automatically check your on-chain position against the eligibility snapshot.
02
Verify Eligibility
Our smart contract cross-references your address against the Merkle tree of eligible wallets. You'll instantly see your calculated refund amount in USDC.
03
Claim USDC
Submit a single on-chain transaction to claim your USDC refund directly to your wallet. Gas costs are covered for eligible claims under $50.
Claim Refund
Connect your wallet to begin
The refund smart contract is deployed on Ethereum mainnet and audited by Spearbit. Your private keys never leave your device.
Non-custodial & trustless
Claims are processed via an audited Merkle distributor contract. Resolv Labs never takes custody of any funds during the claim process.
Instant on-chain verification
Eligibility is verified in real time against a Merkle root committed on-chain from the snapshot data. No manual review required for standard claims.
30-day claim window
Claims are open until April 26, 2026 at 23:59 UTC. Unclaimed USDC after the deadline will be directed to the Resolv protocol insurance fund.
Audited contract
The refund distributor contract was audited by Spearbit prior to deployment. Audit report available at docs.resolv.xyz ↗
Refund Claim
Connect your wallet to check your eligible compensation amount and initiate the claim.
Portal Status
Claims Open
Refund Token
USDC (ERC-20)
Network
Ethereum Mainnet
Contract
0x3f…a47c
Total Pool
25,000,000 USDC
Claimed So Far
3,841,200 USDC
Remaining Pool
21,158,800 USDC
Your Eligible Amount
Connect wallet to view
By connecting, you agree to the Terms of Service. Only connect from the official Resolv domain.
Timeline
Incident & recovery
timeline
Mar 21
02:14 UTC
02:14 UTC
Exploit begins
Attacker deposits ~$150K USDC and begins minting fake USR using compromised signing key. First malicious mint transaction confirmed.
Mar 21
03:47 UTC
03:47 UTC
USR depeg detected
80M fake USR dumped across Curve and Uniswap liquidity pools. USR falls from $1.00 to as low as $0.04. Protocol minting and redemption paused.
Mar 21
06:22 UTC
06:22 UTC
Malicious tokens burned
Resolv team blacklisted attacker addresses. ~46M remaining malicious USR tokens burned on-chain. Law enforcement notified.
Mar 25
2026
2026
Refund fund established
Resolv Labs committed $25M USDC to a dedicated refund pool. Snapshot data finalized and Merkle tree generated from on-chain state.
Mar 26
2026
2026
Refund portal live ← Now
Refund portal opens to all eligible USR and wstUSR holders. Claims are processed on-chain via audited Merkle distributor.
Apr 26
2026
2026
Claim window closes
Refund claims close at 23:59 UTC. Unclaimed USDC is transferred to the Resolv protocol insurance fund.
Root Cause
Why this happened
Primary Vector
Compromised signing key via AWS infrastructure
The off-chain mint-approval service relied on a single private key hosted on AWS. Attackers gained access to this key — likely via a configuration vulnerability — giving them unlimited mint authority.
Protocol Design Flaw
No on-chain mint cap enforcement
The USR minting contract validated signature authenticity but did not enforce an on-chain cap on mint amounts per-period. A valid signature was sufficient to mint any quantity.
Remediation Steps
Multi-sig, rate limits & key rotation
The signing architecture is being rebuilt with multi-party computation (MPC) thresholds, on-chain per-epoch mint caps, and mandatory time-locks on large mint operations.
FAQ
Frequently asked questions
Can't find the answer you're looking for? Reach out to the Resolv team on Telegram or Discord.
Yes. This is the official refund portal operated by Resolv Labs for the March 2026 USR security incident. All communications about the refund have been published on the official Resolv X account (@ResolvLabs). Never trust links from unofficial sources.
Your refund equals the difference between your USR position value at the snapshot price of $1.00 per USR and the final exit/settlement value, capped at $0.25 per USR. If the total eligible claims exceed the $25M pool, a pro-rata haircut is applied proportionally to all claims.
Yes. If you held USR at the snapshot block (block 22,347,881) and subsequently sold or redeemed it for less than par value during the depeg event, your wallet is eligible for the difference, subject to the per-token cap and pro-rata rules. Connect your original holding wallet to verify.
Losses incurred via protocol integrations (bad debt from lending markets that priced USR at par) are handled through a separate institutional claims process. Please contact Resolv Labs directly via [email protected] if you represent an affected protocol.
KYC is not required for individual wallets with eligible claims under $10,000 USD. For larger claims, a simplified identity verification process may be required depending on your jurisdiction under applicable AML regulations.
Any unclaimed USDC remaining in the refund contract after the April 26, 2026 deadline will be automatically transferred to the Resolv Protocol Insurance Fund, which is used to cover future protocol shortfalls and protect users.
Yes. The Merkle distributor contract used for this refund was reviewed by Spearbit prior to deployment. The full audit report is available on the Resolv documentation portal. Contract address: 0x3f…a47c (Ethereum mainnet).
30-day window · Ends Apr 26, 2026
Ready to claim your refund?
Connect the wallet that held USR at the snapshot block to check your eligibility and claim your USDC compensation.