Stablecoin Mint Path Auditing: A 12-Point Security Checklist After the $25M USR Exploit

via Dev.to (ohmygod)

Hours ago, Resolv Labs' USR stablecoin suffered a $25M exploit. An attacker deposited ~$100K USDC and minted 80 million unbacked USR tokens through a flawed two-step mint process. The root cause? The completeSwap function blindly trusted a _mintAmount parameter without cross-validating it against the actual collateral deposited in requestSwap.

This isn't an isolated pattern. Stablecoin minting bugs have been responsible for some of the largest DeFi exploits in history — from the Wormhole bridge mint ($320M), to Cashio's infinite mint ($52M), to today's USR disaster. Yet most audit checklists treat minting as a simple "check the access control" box.

After analyzing every major stablecoin mint exploit since 2022, here's the systematic checklist I use when auditing mint paths.

The 12-Point Stablecoin Mint Path Checklist

1. Enumerate Every Mint Path

The bug: Protocols often have "the" mint function, plus emergency mints, bridge mints, migration mints, and admin mints scattered across the
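
Added example (not from the original article and not Resolv's code): a minimal two-step minter showing the cross-check between requestSwap and completeSwap that the root-cause description above says was missing. The contract name, the operator role, the 6/18 decimal split and valuing collateral at par are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces and contract, written for this example only.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract TwoStepMinter {
    struct Request { address user; uint256 collateral; bool open; }

    IERC20 public immutable usdc;        // collateral token, 6 decimals (assumed)
    IMintable public immutable stable;   // stablecoin, 18 decimals (assumed)
    address public immutable operator;   // role that completes requests (assumed)
    uint256 private constant SCALE = 1e12; // 6 -> 18 decimals
    uint256 public nextId;
    mapping(uint256 => Request) public requests;

    constructor(IERC20 _usdc, IMintable _stable, address _operator) {
        usdc = _usdc;
        stable = _stable;
        operator = _operator;
    }

    // Step 1: pull the collateral and record exactly how much was deposited.
    function requestSwap(uint256 amount) external returns (uint256 id) {
        require(amount > 0, "zero deposit");
        require(usdc.transferFrom(msg.sender, address(this), amount), "transfer failed");
        id = nextId++;
        requests[id] = Request(msg.sender, amount, true);
    }

    // Step 2: the mint amount is an input, so it is bounded by the on-chain
    // record from step 1. A completeSwap without the cap check below mints
    // whatever _mintAmount the caller supplies.
    function completeSwap(uint256 id, uint256 _mintAmount) external {
        require(msg.sender == operator, "not operator");
        Request storage r = requests[id];
        require(r.open, "unknown or completed request");
        // Assumption: collateral valued at par; the operator may mint less
        // (fees, price), never more than the recorded deposit.
        require(_mintAmount <= r.collateral * SCALE, "mint exceeds collateral");
        r.open = false; // consume the request before the external call
        stable.mint(r.user, _mintAmount);
    }
}
```

A protocol that prices collateral through an oracle would replace the par cap with the oracle-derived bound; the invariant stays the same: the minted amount is checked against state written in requestSwap, and each request can be completed once.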
