Resolv and Murphy’s Law 📉

It was clear Resolv was vulnerable. Its weekend exploit offers a window into the challenges facing DeFi security.

GM, Aleks here.

This weekend’s Resolv hack has cast another harsh spotlight on risk management in DeFi, where Murphy’s Law seems to reign.

The adage goes, “Whatever can go wrong will go wrong.” Protocol developers know this, and they spend a fortune on code audits and risk analyses. And still, they get hacked.

Resolv hired Steakhouse Financial to serve as its risk manager. Just five days before the exploit, Steakhouse published an “economic and operational overview” of Resolv. As of Sunday, that overview includes the following note at the very top: “Unfortunately, one of the risks we highlighted in the below report materialised.”

As a refresher, Resolv’s attacker created $80 million in unbacked USR stablecoins after gaining access to the project’s private keys. As the attacker converted those tokens into Ether, USR’s peg collapsed, and they ultimately made off with just $23 million in crypto.

USR, which is supposed to stay pegged to $1, is currently trading just above 20 cents. Its mint and redeem functions have been turned off to mitigate further damage.

But Resolv Labs and USR holders weren’t the only victims of the exploit, as my colleague Liam Kelly noted in his coverage.

Several protocols had integrated USR. Many of these protocols use a so-called curator model in which third-party asset managers create bespoke lending markets, allowing them to serve a wide range of lenders and borrowers. 

“The Resolv hack isn't just another exploit — it's a structural failure in how DeFi prices risk,” Kevin Yang, a managing partner at Gate Ventures, wrote on X. “You can't scale TVL to the trillions with duct-taped security.”

DeFi risk ratings firm Credora, which previously gave USR a junk rating, said the exploit touched on two issues.

“The proximate cause of the exploit was high operational risk from a single privileged access key with substantial, unchecked minting authority,” it wrote in its analysis of the incident.

“That was compounded by the absence of onchain safeguards that could have contained the damage even if the key were compromised.”

Part of the issue is that DeFi audits don’t always check for this vulnerability.

“Resolv’s smart contracts had received multiple audits from well-regarded security firms, none of which identified the privileged key vulnerability prior to the exploit,” Credora wrote.
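The safeguards Credora describes as missing, a mint authority that is bounded onchain rather than a single key with unlimited minting, can be sketched in Solidity. The contract below is an added illustration written for this piece, not Resolv’s code or any audited implementation; the contract, role and parameter names (RateLimitedMint, governance, minter, supplyCap, windowBudget) are hypothetical. It separates the operational minter key from a governance address (assumed to be a multisig or timelock), enforces a hard supply ceiling, and limits how much can be minted per time window, so a stolen minter key can only do bounded damage before someone pauses it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Resolv's code): a stablecoin-style token whose mint
// authority is bounded onchain. All names here are hypothetical.
contract RateLimitedMint {
    string public constant name = "Illustrative USD";
    string public constant symbol = "iUSD";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Assumed to be a multisig or timelock; it sets limits and can pause.
    address public immutable governance;
    // Operational key used for day-to-day minting; this is the key most
    // exposed to compromise, so its authority is deliberately narrow.
    address public minter;

    uint256 public supplyCap;        // hard ceiling on total supply
    uint256 public windowLength;     // seconds per mint window
    uint256 public windowBudget;     // max mint per window
    uint256 public windowStart;      // timestamp the current window opened
    uint256 public mintedInWindow;   // amount minted in the current window

    bool public paused;

    event Minted(address indexed to, uint256 amount);
    event Paused(address indexed by);
    event Unpaused(address indexed by);

    error NotAuthorized();
    error MintingPaused();
    error ExceedsSupplyCap(uint256 requested, uint256 remaining);
    error ExceedsWindowBudget(uint256 requested, uint256 remaining);

    constructor(
        address _governance,
        address _minter,
        uint256 _supplyCap,
        uint256 _windowLength,
        uint256 _windowBudget
    ) {
        governance = _governance;
        minter = _minter;
        supplyCap = _supplyCap;
        windowLength = _windowLength;
        windowBudget = _windowBudget;
        windowStart = block.timestamp;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotAuthorized();
        _;
    }

    // Only governance, never the minter key, can widen the limits. Compromise
    // of the minter key alone therefore cannot lift its own budget.
    function setMinter(address _minter) external onlyGovernance {
        minter = _minter;
    }

    function setLimits(uint256 _supplyCap, uint256 _windowLength, uint256 _windowBudget)
        external
        onlyGovernance
    {
        supplyCap = _supplyCap;
        windowLength = _windowLength;
        windowBudget = _windowBudget;
    }

    function pause() external onlyGovernance {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyGovernance {
        paused = false;
        emit Unpaused(msg.sender);
    }

    // Budget still available in the current window (a fresh window if the old
    // one has expired). Guarded so a lowered budget never underflows.
    function remainingWindowBudget() public view returns (uint256) {
        if (block.timestamp >= windowStart + windowLength) return windowBudget;
        return mintedInWindow >= windowBudget ? 0 : windowBudget - mintedInWindow;
    }

    // Supply still mintable under the hard ceiling; guarded against a cap that
    // governance has lowered below the existing supply.
    function remainingSupplyCap() public view returns (uint256) {
        return totalSupply >= supplyCap ? 0 : supplyCap - totalSupply;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotAuthorized();
        if (paused) revert MintingPaused();

        // Roll the window forward once it has expired.
        if (block.timestamp >= windowStart + windowLength) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }

        uint256 capLeft = remainingSupplyCap();
        if (amount > capLeft) revert ExceedsSupplyCap(amount, capLeft);

        uint256 budgetLeft = remainingWindowBudget();
        if (amount > budgetLeft) revert ExceedsWindowBudget(amount, budgetLeft);

        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount);
    }
}
```

The design choice worth noting is that the limits bound damage rather than prevent key theft: a compromised minter key can still mint up to one window’s budget, so windowBudget and windowLength have to be set to amounts a monitoring and pause process can actually react to, while supplyCap bounds the total unbacked supply regardless of how long the compromise goes unnoticed.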

So, what’s next?

Users have been encouraged to remove liquidity from affected vaults lest they face further losses. And Resolv has messaged the hacker, offering to end its pursuit in exchange for return of 90% of the Ether. It gave the hacker a Thursday deadline to comply.

Still, it couldn’t have come at a worse time for the industry, which is seeing widespread layoffs and poor price action despite regulatory tailwinds in the US. 

“It’s feeling really dark in DeFi right now,” Jai Bhavnani, CEO of crypto company Waymont, wrote on X. “The Resolv hack felt like the final nail in the coffin. LPs are realising most protocols are too much risk, too little reward.”

Post of the week 💥

Some prediction market users have a remarkable record of making huge bets on geopolitics that pay off within minutes. Nobody’s happy.

Got a tip about DeFi? Reach out at [email protected]

DL News is an independent news organisation that provides original, in-depth reporting on the largely misunderstood world of cryptocurrency and decentralised finance. From original stories to investigations, our journalism is accurate, honest and responsible.
