🧵1/ ⚠️ Exploit Analysis: $80M Loss in Resolv Labs Attack
Earlier today, @ResolvLabs was exploited due to a failure in its centralized parameter validation mechanism. With just ~$200K in capital, the attacker minted 50M and 30M USR using $100K USDC each, leading to a total loss of around $80M. Following the incident, the stablecoin $USR briefly depegged to $0.051.
🧵2/ Attack Mechanism
The completeSwap function in Resolv Labs’ #TheCounter contract allows the amount of $USR minted to be determined via the _targetAmount parameter.
🧵3/ The completeSwap function requires the caller (msg.sender) to hold the SERVICE_ROLE. This means that after a user submits a swap transaction, the project team needs to perform a centralized validation of parameters such as _targetAmount, and calls this function to complete the transaction only after confirming they are correct. In the two attack transactions, $100K USDC corresponded to _targetAmount values of 50M and 30M USR, respectively. It is evident that the project’s _targetAmount validation mechanism failed. Since the _targetAmount validation is centralized and not open-source, the root cause cannot be determined at this stage. Possibilities such as insider involvement, compromise of the centralized system, or leakage of the SERVICE_ROLE private key cannot be ruled out.
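The missing safeguard described above, as an added example that is not Resolv Labs' code: an independent bound on _targetAmount relative to the deposit, of the kind a contract or a monitoring job can enforce regardless of what the SERVICE_ROLE caller submits. Assumptions: USR is meant to be worth about 1 USDC and uses 18 decimals, a 1% tolerance is acceptable, and the `SwapCompletion` record and its request ids are hypothetical.

```python
from dataclasses import dataclass

USDC_DECIMALS = 6         # USDC on Ethereum uses 6 decimals
USR_DECIMALS = 18         # assumption: USR uses 18 decimals
MAX_DEVIATION_BPS = 100   # assumption: allow 1% around 1 USR per 1 USDC


@dataclass(frozen=True)
class SwapCompletion:     # hypothetical record of one completeSwap call
    request_id: int
    deposit_usdc: int     # raw USDC units paid in by the requester
    target_amount: int    # raw USR units passed as _targetAmount


def mint_bounds(deposit_usdc, max_dev_bps=MAX_DEVIATION_BPS):
    """Raw-unit (low, high) USR range acceptable for a USDC deposit at par."""
    par = deposit_usdc * 10 ** (USR_DECIMALS - USDC_DECIMALS)
    return (par * (10_000 - max_dev_bps) // 10_000,
            par * (10_000 + max_dev_bps) // 10_000)


def check_completion(c):
    """Return None when _targetAmount is within bounds, else a reason string."""
    if c.deposit_usdc <= 0:
        return "no collateral deposited"
    low, high = mint_bounds(c.deposit_usdc)
    if c.target_amount > high:
        par = c.deposit_usdc * 10 ** (USR_DECIMALS - USDC_DECIMALS)
        return f"over-mint: {c.target_amount // par}x the deposited value"
    if c.target_amount < low:
        return "under-mint: below the deposited value"
    return None


def flag_completions(completions):
    """Map request_id -> reason for every completion that violates the bound."""
    return {c.request_id: r for c in completions
            if (r := check_completion(c)) is not None}


# Constructed sample: amounts for ids 1 and 2 follow the thread's figures
# ($100K USDC each, 50M and 30M USR); id 3 is an invented ordinary swap.
SAMPLE = [
    SwapCompletion(1, 100_000 * 10**6, 50_000_000 * 10**18),
    SwapCompletion(2, 100_000 * 10**6, 30_000_000 * 10**18),
    SwapCompletion(3, 100_000 * 10**6, 99_950 * 10**18),
]

if __name__ == "__main__":
    for request_id, reason in flag_completions(SAMPLE).items():
        print(request_id, reason)
```

Enforced on-chain, the same comparison would make completeSwap revert for an out-of-range _targetAmount even when the off-chain validator or the SERVICE_ROLE key is compromised.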