On March 22, 2026, an attacker with access to a compromised private key managed by AWS Key Management Service (KMS) submitted roughly $100,000–$200,000 in USDC to Resolv Labs' minting contract and received 80 million USR stablecoins in return, a 400-to-1 minting ratio that was possible only because no on-chain guardrail checked the authorized mint amount against the deposit. The resulting 80% depeg of USR triggered secondary losses across Morpho Blue, Euler, and Fluid, compounding what PeckShield classified as "shadow contagion" across connected DeFi platforms.
What the Attack Vector Actually Was
Resolv Labs is a delta-neutral yield protocol that issues USR, a dollar-pegged stablecoin backed by a collateral pool that, as of the incident date, held approximately $141 million in assets according to Resolv's own post-incident disclosure. The minting mechanism relied on an off-chain service responsible for computing how many USR tokens to create in response to a deposit and signing that authorization with an AWS KMS-managed private key.
The smart contract that processed deposits accepted that off-chain signature without any on-chain verification of whether the authorized mint amount was proportional to the collateral deposited. According to the post-mortem published by Halborn on April 1, 2026, the attacker exploited this gap: by obtaining the signing key through an unspecified compromise of the AWS KMS credential, they submitted a small USDC deposit and received a vastly inflated USR authorization, which the on-chain contract honored.
Resolv Labs confirmed in its March 23 disclosure that approximately 9 million of the 80 million attacker-minted USR tokens had already been burned by the time of publication, limiting the direct financial drain to around $25 million. The remaining redemption window was paused, and only $0.5 million in redemptions had been processed before the protocol halt, per the same disclosure.
Halborn's March 2026 DeFi hacks review
The Shadow Contagion Mechanism Across Morpho, Euler, and Fluid
The term "shadow contagion," used in PeckShield's April 1 X post and picked up by The Block's reporting, describes a specific failure mode: losses that propagate across protocols that were not directly exploited but had lending positions, collateral vaults, or liquidity pools denominated in or exposed to the depegged asset.
When USR crashed approximately 80% following the exploit, platforms that had accepted USR as collateral or held USR in yield-generating positions suddenly carried bad debt — loans that were under-collateralized relative to the post-depeg value of the collateral. Morpho Blue, Euler, and Fluid each had such exposure. Fluid publicly acknowledged this on X, writing: "All other markets continue to function normally, and protocol safeguards remain active. Users may see temporary rate volatility while positions are being unwound," per CryptoRank's coverage. Multiple investors expressed interest in purchasing Fluid's treasury tokens to cover any shortfall.
This pattern — a stablecoin exploit in one protocol cascading into bad-debt positions across lending platforms that accepted that stablecoin — is structurally different from an isolated smart contract exploit. It is a systemic failure of collateral assumptions. Every protocol that used USR as an accepted collateral asset implicitly assumed USR maintained its peg, and that assumption was not protected by any circuit breaker that would suspend lending activity when USR began depegging.
Why AWS KMS in the Minting Stack Is a Critical Design Risk
The attack vector here is not a smart contract vulnerability in the conventional sense. There is no reentrancy, no oracle manipulation, no flash loan. The exploit is rooted entirely in key management — the off-chain service that signed minting authorizations held a private key in AWS KMS, and that key was compromised.
This creates a specific category of risk for any DeFi protocol that uses off-chain computation to authorize on-chain state changes. The pattern is common: keeper networks, liquidation bots, oracle relayers, and minting controllers frequently operate as off-chain services with keys stored in cloud key management systems. AWS KMS, GCP Cloud KMS, and similar managed services offer key rotation, audit logging, and hardware security module (HSM) backing — but they also create a dependency on centralized cloud infrastructure that holds signing authority over on-chain contracts.
The critical design failure in Resolv's case is that the smart contract lacked on-chain verification of the minting authorization. A properly designed system would require the on-chain contract to independently verify that the USDC deposited was proportional to the USR authorized — using a price oracle, a collateral ratio formula, or both — rather than trusting a signed message from an off-chain service without validation. The Halborn review confirmed that the absence of such guardrails is what allowed the disproportionate mint to succeed.
The broader implication: any protocol where an off-chain key controls minting, burning, or state changes without on-chain proportion verification carries this vector.
Q1 2026 DeFi Loss Context and What It Reveals About Systemic Maturity
According to blockchain researcher CipherResearchx, as reported by CryptoRank, Q1 2026 DeFi losses reached $137 million across 15 incidents. The Resolv hack at over $25 million is one of four major incidents, alongside Step Finance at $27.3 million, Truebit at $26.2 million, and SwapNet at $13.4 million. For comparison, DeFi-specific losses in Q1 2025 were approximately $106.8 million, per Immunefi data cited in the same report — meaning the 2026 pace has already exceeded the prior year's first-quarter figure.
PeckShield's March 2026 analysis counted 20 separate crypto hack incidents totalling $52 million, a 96% spike from February's $26.5 million. CertiK's parallel count placed March losses at $59.5 million across the full crypto attack surface, with the recovery total a negligible $21,900 — a recovery rate of less than 0.04%.
The Resolv incident shows a level of attack sophistication that the industry's current audit framework does not fully capture. Standard smart contract audits review on-chain code. They do not audit the off-chain services that authorize on-chain operations, the key management practices of those services, or the absence of on-chain validation of off-chain inputs. Resolv's smart contract may have passed a standard audit without the core vulnerability being flagged.
PeckShield March 2026 hack report via The Block
Builder Decision Framework: Key Management and On-Chain Verification
For protocol developers, the Resolv exploit produces a specific checklist item: any off-chain service that signs minting, burning, or privileged state-change transactions must be paired with on-chain verification that the authorized amounts are proportional to the deposited collateral or triggering input.
The steps are:
1. Audit every off-chain signer in the protocol's operational stack. Identify which ones have unilateral minting or burning authority.
2. Implement on-chain proportion checks. If a deposit of X USDC should authorize Y USR, the smart contract should compute and enforce that ratio independently — not accept it from a signed message.
3. Implement mint circuit breakers. A hard cap on the maximum USR mintable per block or per transaction would have limited the attack to the cap value regardless of what the compromised key signed.
4. Treat cloud KMS as a co-signer, not a sole authority. Multi-party computation (MPC) wallets, threshold signatures across multiple independent signers, or HSM-backed cold storage for minting keys all reduce the single-point-of-failure risk that AWS KMS alone carries.
5. Model cross-protocol exposure before accepting a new collateral asset. The Morpho, Euler, and Fluid bad debt situations arose because each platform's risk parameters allowed significant USR exposure without a kill switch tied to USR depeg events.
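As an added illustration of steps 2 through 4 and of the on-chain verification discussed under the design-risk section, the following is a hypothetical Solidity minting controller, not Resolv's code and not taken from Halborn's review: the KMS-held off-chain key still signs every mint, but the contract re-derives the fair USR amount from an oracle and caps what any signature can release per block. The oracle interface, decimal assumptions, tolerance and cap constants, and OpenZeppelin v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

// Assumed interfaces (hypothetical, not Resolv's): the oracle quotes USR per 1 USDC, 18 decimals.
interface IPriceOracle { function usrPerUsdc() external view returns (uint256); }
interface IMintableUSR { function mint(address to, uint256 amount) external; }

/// Hypothetical minting controller. The off-chain key is a co-signer only: the contract
/// independently bounds the amount and caps total minting per block.
contract GuardedMinter {
    address public immutable offchainSigner;
    IERC20 public immutable usdc;       // 6 decimals
    IMintableUSR public immutable usr;  // 18 decimals
    IPriceOracle public immutable oracle;
    uint256 public constant MAX_PREMIUM_BPS = 50;          // allow 0.5% over the oracle quote
    uint256 public constant PER_BLOCK_CAP = 1_000_000e18;  // circuit breaker: 1M USR per block
    uint256 public lastBlock;
    uint256 public mintedThisBlock;
    mapping(bytes32 => bool) public usedDigest;            // replay protection for authorizations

    constructor(address signer, IERC20 usdc_, IMintableUSR usr_, IPriceOracle oracle_) {
        offchainSigner = signer; usdc = usdc_; usr = usr_; oracle = oracle_;
    }

    function mint(uint256 usdcIn, uint256 usrOut, uint256 nonce, bytes calldata sig) external {
        // Step 4: the off-chain authorization is still required, but no longer sufficient.
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(address(this), block.chainid, msg.sender, usdcIn, usrOut, nonce)));
        require(!usedDigest[digest], "authorization already used");
        require(ECDSA.recover(digest, sig) == offchainSigner, "bad signer");
        usedDigest[digest] = true;

        // Step 2: independent proportion check. A 400:1 authorization fails here even with a
        // valid signature. USDC (1e6) is scaled to 18 decimals before applying the quote.
        uint256 fair = usdcIn * 1e12 * oracle.usrPerUsdc() / 1e18;
        require(usrOut <= fair * (10_000 + MAX_PREMIUM_BPS) / 10_000, "mint disproportionate");
        // Step 3: per-block circuit breaker bounds the damage from any compromised key.
        if (block.number != lastBlock) { lastBlock = block.number; mintedThisBlock = 0; }
        mintedThisBlock += usrOut;
        require(mintedThisBlock <= PER_BLOCK_CAP, "per-block mint cap reached");

        require(usdc.transferFrom(msg.sender, address(this), usdcIn), "USDC transfer failed");
        usr.mint(msg.sender, usrOut);
    }
}
```

The oracle itself becomes a trust dependency under this design, so the same exposure modeling from step 5 applies to its price feed.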
IoTeX, one of the other February 2026 exploit victims, opened a full 100% compensation claims portal as of late March — the exception rather than the rule in DeFi exploit recoveries, according to CoinGenius. Resolv confirmed it would restore pre-incident redemptions for eligible holders, but the full post-mortem mechanism for distinguishing attacker-minted USR from legitimate holder USR remained under investigation as of its March 23 update.
Watch for Resolv's full post-mortem publication — unconfirmed at the time of writing — which is expected to disclose the specific AWS KMS compromise vector and whether the breach originated from a credential leak, a supply chain attack, or a social engineering event. That disclosure will determine whether this attack class requires a protocol-level fix, a cloud infrastructure fix, or both, and will directly inform the audit scope that security firms apply to off-chain minting services in future engagements.
Marcus Bishop is a senior crypto analyst with 8 years of experience covering Bitcoin, DeFi, and emerging blockchain technologies. Previously contributed to leading crypto publications. Specializes in on-chain data analysis, macro crypto market trends, and institutional adoption patterns. Alex holds a CFA designation and has been quoted in Bloomberg and Reuters.