Sunday’s $23 million hack of Resolv’s stablecoin USR has led to contagion across the DeFi sector.
Opportunistic traders used depegged USR to borrow against, draining liquidity in over a dozen yield vaults.
To make things worse, so-called “risk curators” then automatically allocated more funds to broken markets as lending rates spiked.
In November, a similar contagion hit DeFi’s “curated” vault ecosystem after Stream Finance announced a $93 million loss, leading to a 75% depeg of xUSD.
Despite discussions of risk ratings and curators putting up first-loss capital in the aftermath, it appears not much was learned, after all.
The hack
Resolv Labs’ statement confirmed that a private key compromise led to the unauthorized (and unrestricted) “minting of approximately $80 million of uncollateralized USR.”
USR’s pre-hack token supply remains fully backed, with losses coming from liquidity providers (LPs) on decentralized exchanges as the hacker sold the minted tokens. For example, LPs on Curve Finance alone are estimated to have lost $17 million.
The hacker’s sell-off caused a depeg of USR, which is currently trading at $0.23, according to CoinMarketCap data. Blockchain security firm Beosin puts the attacker’s profits at 11,409 ether (ETH), worth over $23 million at the time of writing.
The Resolv team faced criticism for a slow response time while collecting the necessary multisig signatures to pause the protocol.
It has contacted the exploiter on-chain, requesting the return of 90% of the converted ETH, as well as the remaining USR.
The fallout
The hack may have been simple, but the knock-on effects have been anything but.
Depegged USR was pounced upon by opportunistic traders who used it to drain yield vaults with hardcoded price oracles. In buying cheap USR to use as collateral, users could borrow other assets, such as USDC, as if USR were still worth $1.
As if things weren’t bad enough, the automated strategies of “risk curators” then allocated further funds to the affected markets, whose high utilization had spiked supply yields.
Chaos Labs’ Omer Goldberg explained how Morpho’s Public Allocator feature allowed curators “including Gauntlet, re7, kpk, and 9summits” to autoallocate millions of dollars worth of assets into markets “based on pre-configured and approved caps and credit lines.”
In some cases, Goldberg says, allocation into broken vaults continued for hours.
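The two mechanisms described above (borrowing against depegged collateral that a hardcoded oracle still marks at $1, and a yield-chasing allocator topping up the drained market) can be modelled in a few lines. This is an added, constructed simulation, not code from Morpho, Resolv or any curator; the market parameters, the 0.86 LLTV, the linear interest model and the 2% deviation guard are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Market:
    """Constructed model of one isolated lending market: USR as collateral, USDC borrowable."""
    oracle_price: float      # USR price the market trusts (hardcoded $1.00 in the affected vaults)
    lltv: float              # liquidation loan-to-value limit (assumed 0.86)
    supplied_usdc: float     # lender deposits, i.e. the liquidity an opportunist can drain
    borrowed_usdc: float = 0.0
    collateral_usr: float = 0.0

    def utilization(self) -> float:
        return self.borrowed_usdc / self.supplied_usdc if self.supplied_usdc else 0.0

    def borrow(self, collateral_usr: float, want_usdc: float) -> float:
        """Borrow against USR valued at the oracle price, capped by LLTV and free liquidity."""
        limit = collateral_usr * self.oracle_price * self.lltv
        free = self.supplied_usdc - self.borrowed_usdc
        got = min(want_usdc, limit, free)
        self.collateral_usr += collateral_usr
        self.borrowed_usdc += got
        return got

    def bad_debt(self, market_price: float) -> float:
        """Debt left uncovered once the collateral is marked at the real market price."""
        return max(0.0, self.borrowed_usdc - self.collateral_usr * market_price)


def supply_apy(m: Market) -> float:
    # Constructed interest model: supply yield rises linearly with utilization.
    return 0.5 * m.utilization()


def naive_allocate(m: Market, apy_trigger: float, amount: float) -> float:
    """Yield-chasing allocator: tops up any market whose supply APY crossed the trigger."""
    if supply_apy(m) >= apy_trigger:
        m.supplied_usdc += amount
        return amount
    return 0.0


def guarded_allocate(m: Market, market_price: float, max_dev: float, apy_trigger: float, amount: float) -> float:
    """Same allocator, but it refuses while the oracle price deviates from an observable market price."""
    if abs(m.oracle_price - market_price) / m.oracle_price > max_dev:
        return 0.0
    return naive_allocate(m, apy_trigger, amount)


def scenario(market_price: float = 0.23) -> dict:
    m = Market(oracle_price=1.0, lltv=0.86, supplied_usdc=1_000_000)
    cost = 1_000_000 * market_price                   # opportunist buys 1M depegged USR
    got = m.borrow(1_000_000, 1_000_000)              # market still values it at $1.00
    guarded = guarded_allocate(m, market_price, 0.02, 0.30, 500_000)   # checked first: no state change
    naive = naive_allocate(m, 0.30, 500_000)          # utilization spike lures fresh deposits
    return {"borrowed": got, "profit": got - cost, "bad_debt": m.bad_debt(market_price),
            "naive_added": naive, "guarded_added": guarded}
```

With USR at $0.23, the opportunist’s profit and the lenders’ bad debt are the same $630,000 figure, and the naive allocator adds another $500,000 to the broken market while the deviation guard adds nothing.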
The chaos also brought innovation, however: the auto-allocations themselves were specifically targeted to free up additional liquidity. Enterprising competitor Obsidian also capitalized on the incident, offering a migration service to users whose deposits are stuck in illiquid Morpho vaults.
Assessing the damage
Morpho’s Paul Frambot tallied 15 affected vaults with over $10,000 of exposure to USR.
According to security researcher Weilin Li, curators of the affected vaults, on Morpho and elsewhere, include Gauntlet, Re7, MEV Capital, Extrafi, Seamless, August, Clearstar, kpk, Leyrock and 9Summits.
For those who followed November’s collapse, many of these names may be familiar.
Yearn, whose contributors were amongst the harshest critics of the yield vaults which led to November’s crash, suffered a minimal loss of $377.
Ironically (or tellingly), Resolv’s own risk manager, Steakhouse, wasn’t exposed to USR, despite stating that “operationally, Resolv demonstrates institutional rigor” just five days before the hack.
The backing of Inverse Finance’s DOLA stablecoin was indirectly exposed to the depeg of USR, with the team pledging to patch the $340,000 hole.
A number of lending markets paused USR markets, including Venus Protocol, which was itself hacked last weekend, and Lista.
Fluid was the worst hit, and may have accrued up to $17.5 million of bad debt. However, the team reassured users that it had “secured short-term loans to cover 100% of the bad debt.”
It is also considering selling FLUID tokens “should any additional funds be required.”
Following a dicey few months for top dog lending protocol Aave, with governance drama and an oracle mishap, Aave Labs’ Stani Kulechov was keen to highlight Aave’s lack of exposure.
DeFi daisy chain
The web of platforms affected by the compromise of a single private key is a stark reminder of how one of DeFi’s key innovations, interoperability, is a double-edged sword.
Automated allocation may optimize returns under normal conditions, but when things break, which they often do in DeFi, unintended behavior follows.
With no funds of their own in play, curators face a setup that incentivises “malicious game theory pushing [curators] to seek more risk.”
This latest episode has renewed calls for curators to have skin in the game. One approach is tranching of deposits, with curators set to lose out first should their risk be improperly “curated.”
Source: https://protos.com/resolv-hack-shows-defi-learned-nothing-from-last-contagion/