A single wallet with god-mode minting privileges just torched $25 million and reminded everyone that "decentralized" stablecoins can still have central points of catastrophic failure.
The Summary
- An attacker exploited Resolv's USR stablecoin, minting 80 million unbacked tokens and extracting roughly $25 million before the peg collapsed.
- The vulnerability: a privileged minting role controlled by one externally owned account (EOA) with no mint limits, no oracle checks, no multisig, no timelock.
- The lesson is older than Bitcoin: single points of control will eventually get exploited, especially when they can print money without verification.
The Signal
This isn't a complex exploit. No zero-day vulnerability, no sophisticated flash loan attack, no novel MEV trick. Someone with access to a privileged minting function used it exactly as designed, just without permission or backing. The flaw was architectural: analysts traced it to a single EOA that could mint unlimited tokens with no oracle price checks, no reserve verification, no governance delays.
For context, this is the equivalent of giving one person the keys to the Federal Reserve's printing press with a Post-it note that says "please don't abuse this." In 2026, after Terra/Luna, after multiple bridge hacks, after years of hard-won lessons about custody and key management, a stablecoin project still launched with a single-wallet god mode.
The attacker minted 80 million USR tokens that had zero collateral backing, then likely swapped them for real assets before anyone could react. The peg broke, holders scrambled, and $25 million in actual value walked out the door. The protocol's entire trust model evaporated in the time it takes to sign a transaction.
What makes this particularly relevant for RWA tokenization: if you can't secure a purely crypto-native stablecoin with basic access controls, how do you convince institutions to tokenize real estate, treasuries, or corporate bonds on these rails? Every institutional compliance officer will use this as Exhibit A for why crypto custody isn't ready. They're not entirely wrong.
The Implication
If you're building anything in Web3 that touches real value, your security model needs to assume the worst actor gets the keys. Multisigs, timelocks, oracle verification, and redundant checks aren't optional features. They're the minimum viable defense. For anyone evaluating stablecoin infrastructure for real-world asset tokenization, this is your litmus test: ask who can mint, under what conditions, and what stops them if the conditions aren't met. If the answer involves trust, walk away.
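As an added example (not Resolv's code and not from the source article), here is a minimal Solidity mint path that enforces the controls the article says were missing: the minter must be a contract (intended as a multisig behind a timelock, never an EOA), every mint is capped per epoch, and no mint may exceed what an attested reserve supports. `IReserveOracle`, `GuardedStable`, and the cap and staleness values are hypothetical assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reserve attestation feed (an assumption, not Resolv's interface):
// reports the maximum supply that the currently verified collateral can back.
interface IReserveOracle {
    function backedSupply() external view returns (uint256);
    function updatedAt() external view returns (uint256);
}

contract GuardedStable {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Intended to be a multisig behind a timelock, not a single EOA.
    address public immutable minter;
    IReserveOracle public immutable reserveOracle;

    uint256 public constant EPOCH = 1 days;          // rate-limit window
    uint256 public immutable mintCapPerEpoch;        // max new supply per window
    uint256 public constant MAX_ORACLE_AGE = 1 hours; // reject stale attestations
    uint256 private epochStart;
    uint256 private mintedThisEpoch;
    event Mint(address indexed to, uint256 amount);

    constructor(address _minter, IReserveOracle _oracle, uint256 _cap) {
        // Refuse a bare EOA: only deployed code (multisig/timelock) may hold the role.
        require(_minter.code.length > 0, "minter must be a contract");
        minter = _minter;
        reserveOracle = _oracle;
        mintCapPerEpoch = _cap;
        epochStart = block.timestamp;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        // 1. Rate limit: a compromised minter can do at most one epoch's cap of damage.
        if (block.timestamp >= epochStart + EPOCH) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= mintCapPerEpoch, "epoch mint cap exceeded");
        // 2. Reserve check: never let supply exceed attested collateral, and never trust old data.
        require(block.timestamp - reserveOracle.updatedAt() <= MAX_ORACLE_AGE, "stale reserve data");
        require(totalSupply + amount <= reserveOracle.backedSupply(), "mint would be unbacked");
        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Mint(to, amount);
    }
}
```

With these checks, an 80-million-token mint from a single key fails on the epoch cap and the reserve check independently, so either control alone would have stopped the scenario the article describes.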
Source: The Block