The Resolv USR Exploit: How a $100K Deposit Minted 80 Million Unbacked Stablecoins and Crashed USR 75%

TL;DR On March 22, 2026, an attacker deposited ~$100,000 USDC into Resolv's USR stablecoin protocol and minted approximately 80 million unbacked USR tokens — a 500x amplification. The attacker drained ~$25 million by swapping through DEXs, crashing USR to $0.25. The root cause: the completeSwap function blindly trusted a _mintAmount parameter from an off-chain service without on-chain validation. This is a textbook case of the trusted oracle anti-pattern — and it happened in production, today. The Attack Flow Phase 1: Minimal Collateral Deposit The attacker address 0x04A288a7789DD6Ade935361a4fB1Ec5db513caEd deposited approximately 100,000 USDC into the USR Counter contract via the requestSwap function. This is a standard entry point — nothing unusual here. Phase 2: The Amplified Mint Here's where the vulnerability kicks in. The completeSwap function processed the request and authorized minting of 49.95 million USR tokens — roughly 500x the deposited collateral. A second transaction min