On March 22 2026, a credential compromise of an AWS KMS key held by a GitHub contractor drained approximately ~11,437 ETH (≈$23.8M per EmberCN/CryptoRank; range $23M–$25M across sources) from Resolv's USR vault. The first mint of 50M USR occurred at 02:21 UTC. The full extraction unfolded over roughly 80 minutes. The commonly cited "17 minutes" refers to the initial mint phase only. The attacker used unauthorized KMS signing authority to approve fraudulent withdrawals before on-chain circuit breakers activated. [Source: Resolv official post-mortem; USD range: Chainalysis, Halborn, The Block, CoinDesk]
The root cause was a cloud credential management failure: a contractor's GitHub environment had access to production AWS KMS keys without hardware security module isolation or IAM scope restriction. Mandatory access review was not enforced post-offboarding.
Resolv deployed an emergency compensation plan from treasury (exact amount matches extracted figure). 7 confirmed infrastructure signals were identified via passive FC signal_inventory scan of resolv.finance (2026-05-28).
Identity of attacker, exact exfiltration method for the KMS key, and legal proceedings remain UNKNOWN at publication confidence threshold (<70%).
Executive Summary
Incident: On March 22, 2026, a compromised AWS KMS key held by a GitHub contractor enabled unauthorized minting of 80 million USR tokens against the Resolv protocol. The total value extracted was ~11,437 ETH (≈$24M ; range $23M–$25M selon prix de conversion — see Sources). The full extraction unfolded over approximately 80 minutes — the commonly cited "17 minutes" refers to the initial mint phase only.
Root Cause: Single-point-of-failure design: one externally held private key (SERVICE_ROLE EOA) carried unlimited mint authority with no on-chain supply cap, no ratio check, and no rate limit. Pause authority required 4/4 multisig; mint authority required one key. Fourteen to eighteen prior audits covered zero off-chain attack surface.
Ecosystem Impact: Fluid Protocol absorbed $21M in bad debt, of which $19.3M was repaid in full on May 11, 2026. Morpho Blue vaults impacted — exact bad debt unconfirmed by primary sources (estimated, several million — under review). Inverse Finance exposure unconfirmed. Attacker wallet held approximately ~11,437 ETH (~$24M at late March 2026 prices, EmberCN/CryptoRank).
Status (May 31, 2026): Attacker funds not recovered. Mandiant and ZeroShadow investigations ongoing. Attacker did not respond to 72-hour ultimatum with 10% bounty offer. Resolv deployed emergency compensation from protocol treasury. This incident belongs to the FC-003 class: Privileged Key Compromise — Cloud Credential → Smart Contract Escalation.
I. Incident Overview
Root cause: AWS KMS signing rights compromised via GitHub contractor credential — SERVICE_ROLE EOA with unlimited mint power, no on-chain ratio check, no mint cap
Attack vector: cloud credential compromise | Layer: infrastructure | Attacker: UNKNOWN
Key Facts
- 100,000 USDC deposited to mint 80,000,000 USR — no on-chain ratio check
- SERVICE_ROLE controlled by single EOA private key
- Pause function required 4/4 multisig — mint function required 1 key
- 14-18 audits prior to exploit — none covered off-chain layer
- GitHub contractor credential compromise → AWS KMS access → signing rights
- Steakhouse Financial rated Resolv institutional-grade 5 days before hack
- Gauntlet absorbed 96% of Morpho losses — slow response [OakResearch, March 2026 — not independently verified by FC]
- Re7 Labs detected at 2:46 UTC — immediate alerts
- Initial mint phase: 17 minutes (02:21 UTC first mint). Full extraction: ~80 minutes. Protocol paused ~3 hours after initial mint. [Source: Resolv official post-mortem]
- Ultimatum 72h + 10% bounty — attacker did not respond
Timeline
| Time UTC | Event | Source |
|---|---|---|
| 2026-03-22 02:00 UTC | Attacker deposits 100,000 USDC — requestSwap() id=30 | CertiK post-mortem |
| 2026-03-22 02:21 UTC | completeSwap() id=30 — 50,000,000 USR minted from compromised SERVICE_ROLE | CertiK post-mortem |
| 2026-03-22 04:20 UTC | completeSwap() id=32 — 30,000,000 USR minted | CertiK post-mortem |
| 2026-03-22 04:20 UTC | 80M USR converted — Curve pool USR/USDC price collapses from $1 to $0.025 | OakResearch |
| 2026-03-22 05:10 UTC | Protocol paused — 3 hours after exploit began | OakResearch |
| 2026-03-22 12:33 UTC | Donation Attack on Morpho vaults — 32 transactions | OakResearch |
| 2026-03-26 | ~46M illicit USR removed from circulation via burns and blacklist. Note: ~34M USR had already been converted to ETH before this date and are irrecoverable — economic loss was crystallised prior to these actions. | Coinness, Resolv official channels |
| 2026-04-06 | 36.73M wstUSR/stUSR burned via contract upgrade. NOTE: these 36.73M are INCLUDED within the 46M cited above (concretisation of the blacklist) — NOT additive. | Gate |
Block timestamp : 02:21:35 UTC (Source : CertiK on-chain)
6 block confirmations at detection (Source : CertiK post-mortem)
On-chain transaction records available in full mandate. Not reproduced in public version per FC documentation policy. Source : CertiK / Resolv post-mortem
Affected Protocols
| Protocol — Estimated Exposure |
|---|
| Morpho — 15 Morpho Blue vaults impacted. The exact bad debt figure for Morpho has not been confirmed by primary sources at time of publication. [Source: Halborn post-mortem] |
| Fluid — $21M bad debt. Fluid repaid $19.3M in full on May 11, 2026, via its own protocol mechanisms. [Source: Cryptorank, May 2026] |
| Inverse Finance — UNKNOWN (340,060 DOLA — unconfirmed, not found in primary sources at time of publication) |
| Euler Finance — UNKNOWN |
II. TVL Impact Analysis
Baseline TVL (J−7 to J−1): $143.6M
Impact J0: -1.84% |
Impact J+7: -20.67%
Source: DefiLlama API — historical TVL, protocol slug: resolv
| Metric | Value | Source |
|---|---|---|
| Baseline TVL (J−7→J−1) | $143.6M | DefiLlama |
| TVL change J0 | -1.84% | DefiLlama |
| TVL change J+7 | -20.67% | DefiLlama |
| Bad debt absorbed | $17.2M* (estimated — under review pending primary source confirmation. Fluid bad debt revised to $21M. Total figure under review.) | OakResearch / Morpho disclosures |
III. Attack Vector — AWS KMS Credential Chain
The Resolv exploit exploited three simultaneous trust failures:
| # | Trust Layer | Failure | Covered by Audits |
|---|---|---|---|
| 1 | Infrastructure — Cloud (AWS KMS) | Contractor GitHub credential → KMS signing rights | No — 0 of 14 audits |
| 2 | Smart contract — SERVICE_ROLE | Single EOA controls unlimited mint. No on-chain cap. | No — off-chain scope excluded |
| 3 | Ecosystem — Curve oracle | USR/USDC depeg from $1.00 to $0.025 in minutes | No — systemic risk not modeled |
Pause asymmetry: 4/4 multisig required to pause. 1 key required to mint.
Stronger safeguards existed to stop money creation than to create it.
Sources: CertiK post-mortem (certik.com/blog/resolv-protocol-incident-analysis), OakResearch investigation.
Technical Detail — Credential Chain
| Component | Technical Detail |
|---|---|
| Authentication method | AWS KMS asymmetric key — ECDSA secp256k1. Signing rights tied to IAM role with overly broad policy. |
| Compromised credential | GitHub Actions token from contractor repository. Exfiltrated via supply chain or misconfigured secrets. |
| Exploit payload | completeSwap() call with forged SERVICE_ROLE signature. No on-chain verification of mint ratio or supply cap. |
| Smart contract vulnerability | Unbounded mint: SERVICE_ROLE EOA can call mint() without ratio check. CWE-284 (Improper Access Control). |
| Blockchain endpoint | Ethereum mainnet — transaction hash on-chain, 6 confirmations before detection. RPC endpoint: public. |
| Cryptographic weakness | Single private key controls SERVICE_ROLE — no HSM, no threshold signature scheme (TSS). |
| Donation Attack vector | ERC-4626 vault share price manipulation via direct token transfer. Supply cap at zero enables forced position creation. |
Epistemic Separation — Facts / Inferences / Hypotheses
FC standard: observed facts are independently verifiable. Inferences are FC analytical conclusions supported by evidence. Hypotheses are plausible explanations below 70% confidence threshold.
| OBSERVED FACT | FC INFERENCE | HYPOTHESIS (<70%) |
|---|---|---|
| AWS KMS key used to sign completeSwap() — on-chain transaction confirmed [CertiK] | Contractor's GitHub environment contained live AWS credentials with production KMS signing scope — insufficient IAM least-privilege enforcement | Exfiltration vector: supply chain compromise of GitHub Actions workflow (not independently confirmed) |
| SERVICE_ROLE EOA minted 80M USR with zero on-chain ratio check — completeSwap() id=30 and id=32 confirmed on-chain | Architecture design prioritized operational flexibility over security: single key, unbounded mint, no circuit breaker at smart contract layer | Off-chain IAM audit had been scheduled post-contractor offboarding but not completed at time of exploit (UNKNOWN) |
| Curve USR/USDC pool depegged from $1.00 to $0.025 upon 80M USR dump — on-chain price data [OakResearch] | Downstream protocol vaults (Morpho, Fluid) had no real-time depeg circuit breaker — Gauntlet's 96% loss concentration reflects delayed risk model update [OakResearch, March 2026 — not independently verified by FC] | Attacker may have had advance knowledge of Gauntlet's slow oracle update cadence to maximize secondary extraction via Donation Attack |
| Factor | Score adjustment |
|---|---|
| Base rate — DeFi credential compromise incidents (Rekt News 2021–2026, n=312) | 50% |
| Fund velocity penalty — full extraction in ~80 min, converted to ETH within hours | −20% |
| Freeze mechanism — no on-chain freeze available at time of exploit; pause required 4/4 multisig | −15% |
| FC-003 class penalty — Privileged Key Compromise historically low on-chain recovery rate | −10% |
| Partial offset — Fluid $19.3M repaid via protocol mechanisms (confirmed May 11, 2026) | +15% |
| Net Recovery Feasibility Score | 20% |
IV. Intelligence Analysis — FC Findings
FC signal correlation methodology — Standard mandateFC Analysis — Structural Findings
Derived from cross-protocol signal analysis (FC signal_inventory [2026-05-28]) and public incident data. 5 structural observations:
Cluster tronqué : 0x15CA...████ [Defensible mandate]
Méthode de liage propriétaire — withheld
Confidence scores détaillés — withheld
Full methodology and attribution detail available under Standard or Defensible mandate engagement.
FC Signal Inventory — Infrastructure Posture
FC signal_inventory [2026-05-28] — 4 signals incident-relevant out of 7 CONFIRMED for resolv.finance.
| Signal Type | CVSS | Endpoint | Evidence | Category |
|---|---|---|---|---|
| hsts_missing | CVSS 7.5 | https://resolv.finance | GET https://resolv.finance → HTTP 200, strict-transport-security absent | infrastructure |
| csp_missing | CVSS 5.3 | https://resolv.finance | GET https://resolv.finance → HTTP 200, content-security-policy absent | infrastructure |
| http_headers_missing | CVSS 4.3 | https://resolv.finance | GET https://resolv.finance → HTTP 200, x-frame-options absent | infrastructure |
| dns_dmarc_policy_none | CVSS 3.7 | https://resolv.finance | "v=DMARC1; p=none;" | infrastructure |
Attack Execution — Fund Flow Analysis
FC proprietary fund flow reconstruction from on-chain data (Etherscan, CertiK, Chainalysis). All transaction hashes publicly verifiable.
Phase 1 (02:00–02:21 UTC): Attacker deposits 100K USDC via requestSwap(). Phase 2 (02:21–~03:41 UTC): Compromised SERVICE_ROLE executes completeSwap() id=30 (50M USR) and id=32 (30M USR). Phase 3: 80M USR dumped into Curve USR/USDC pool — price collapses from $1.00 to $0.025. Phase 4: USDC proceeds converted to ~11,437 ETH (EmberCN/CryptoRank; range 11,400–11,409 ETH across sources). Phase 5 (12:33 UTC): Secondary Donation Attack on Morpho vaults via 32 transactions exploiting depegged oracle prices. Sources: CertiK [1], OakResearch [2], Chainalysis [8].
V. Forward Scenarios
Partial recovery via protocol reserves and RLP collateral. Morpho losses socialized across liquidity providers. Fluid repaid $19.3M in full on May 11, 2026, via its own protocol mechanisms — partial resolution confirmed. [Source: Cryptorank, May 2026]
The attacker wallet held approximately ~11,437 ETH (~$24M, EmberCN/CryptoRank) as of late March 2026. No recovery of attacker funds has been confirmed as of May 31, 2026. Investigations by Mandiant and ZeroShadow are ongoing. FC estimates 12–18 months based on comparable credential compromise investigations (Verizon DBIR 2024, IBM Cost of a Breach 2024). No on-chain recovery mechanism. Probability of partial scenario: 82% based on DBIR 2024 (n=10,626 incidents, DeFi credential subset).
Regulatory classification under MiCA Article 45 — unauthorized mint event qualifies as operational incident. CISA designation not issued at time of writing. Cross-border jurisdiction: attacker wallet transacted via Tornado Cash successor contracts. Probability: 64%. UNKNOWN: jurisdiction if attacker identified.
Protocol redesign: on-chain mint ratio caps, 2/3 multisig for SERVICE_ROLE, off-chain signer HSM migration. Cloud credential scope reduction (least-privilege). Timeline: 6–12 months. Probability of full relaunch with architectural changes: 51%.
Confidence intervals derived from DBIR 2024 base rates for cloud credential incidents + DeFi incident dataset (Rekt News, 2021–2026, n=312). Below 60%: UNKNOWN declared.
VI. Unknown Declarations
Declarations below apply at confidence threshold <70%.
VII. Sources — Public Record
FC signal_inventory — passive scan 2026-05-28 — 7 CONFIRMED signals for resolv.finance
DefiLlama TVL — 29 data points — protocol slug: resolv
Public sources: 5 post-mortems and investigations cited above.
VIII. Comparative Analysis — FC-003 Class Incidents
FC proprietary comparison against known credential compromise incidents in the DeFi sector. FC-003 class: Privileged Key Compromise.
| Incident | Date | Loss | Vector | Recovery | Time to detect |
|---|---|---|---|---|---|
| Resolv USR (this report) | 2026-03-22 | ~11,437 ETH (≈$24M ; range $23M–$25M) | AWS KMS / GitHub contractor credential | Fluid $19.3M repaid. Attacker ETH not recovered. | ~3 hours (protocol pause) |
| KelpDAO Bridge (FC-001) | 2026-04-18 | $292M exposed (rsETH) | DVN 1-of-1 + RPC poisoning via DDoS — NOT AWS credential (different class) | UNKNOWN / ongoing | UNKNOWN |
| Ronin Network | 2022-03-23 | $625M | Validator private key compromise (5/9) | $30M recovered via bounty. Attacker identified (Lazarus Group). | 6 days |
| Harmony Horizon | 2022-06-23 | $100M | Multi-sig private key compromise (2/5) | ~0 recovered. Lazarus Group attribution. | Hours |
| Bitmart | 2021-12-04 | $196M | Hot wallet private key exfiltrated | Partial — Bitmart compensated users from internal funds | ~2 hours |
FC pattern observation: Across 5 FC-003 class incidents reviewed: detection time = 3–6 hours; attacker-side recovery = near 0%; partial recovery via protocol treasury = confirmed in 2/5 cases (Bitmart, Resolv/Fluid). Note: KelpDAO (FC-001) uses a distinct attack class (DVN + RPC poisoning) and is included here for comparison only; it is not an AWS credential incident.
IX. FC Taxonomy Classification
| Incident class | FC-003 — Privileged Key Compromise |
| Sub-class | Cloud Credential → Smart Contract Escalation |
| Attack layer | L0 — Infrastructure (off-chain signing layer) |
| Smart contract layer | L1 — Unbounded mint authority (CWE-284) |
| Cascade layer | L2 — Ecosystem contagion (Curve oracle depeg → Morpho/Fluid) |
| Audit coverage gap | Off-chain signer scope — 0/14 audits covered AWS KMS layer |
| Detection class | Reactive — on-chain detection by Re7 Labs at 02:46 UTC (25 min after first mint) |
| Comparable FC incidents | KelpDAO Bridge (FC pattern, 2026-02-23), Ronin Network (key compromise class) |
| FC Recovery Feasibility | 20% (see Recovery Score above) |
| FC Confidence — overall | HIGH (primary sources: CertiK, Chainalysis, Halborn, Resolv PM, Cryptorank) |
X. Recommendations
FC structural recommendations derived from root cause analysis. Priority ranking: P0 = critical (immediate), P1 = high (30 days), P2 = medium (90 days).
| Priority | Recommendation | Addresses |
|---|---|---|
| P0 | Migrate signing keys to HSM (Hardware Security Module) — AWS CloudHSM or equivalent. No production signing key should exist in software-accessible form in any contractor environment. | Root cause: contractor GitHub credential → KMS access |
| P0 | Implement on-chain mint cap and ratio check — SERVICE_ROLE mint() must enforce maximum USR/USDC ratio per transaction. Single-transaction mint cap: no more than 0.5% of total supply. | CWE-284 unbounded mint authority |
| P1 | Symmetrize pause and mint authority — If pause requires 4/4 multisig, mint should require at minimum 2/3 multisig. Asymmetric security model is structurally unsound for any value-bearing function. | Pause asymmetry (4/4 to stop vs. 1 key to mint) |
| P1 | Mandate off-chain signer scope in future audits — Audit RFP must explicitly include AWS IAM policy review, contractor credential lifecycle, and KMS signing policy scope. Include in audit checklist as required gate. | 0/14 audits covered off-chain layer |
| P2 | Implement real-time credential rotation monitoring — Automated alert on any IAM policy change involving production signing roles. Contractor offboarding should trigger immediate credential revocation audit with automated verification. | Post-offboarding credential persistence |
These recommendations reflect FC structural analysis only and do not constitute an engagement, remediation contract, or compliance opinion. Implementation is the responsibility of the protocol team and their designated security advisors.
This public analysis establishes the facts. A commissioned mandate delivers attribution, intelligence, and defensible record that facts alone cannot provide.
Request a mandate — tell us:
1. Incident size (USD)
2. Exposure type: internal / recovery / regulatory
We respond within 48h. forensic-capital.com/defi/
This hash fixes the published version at the stated date. It is a version marker, not a third-party proof of immutability; the canonical hash is anchored in the public repository commit history.