On Sunday, Resolv's USR stablecoin was exploited for $25 million when an attacker took advantage of a flaw in USR’s minting contract.
While that exploit is bad enough, it’s only half the story.
The attack’s impact spread into DeFi vaults, starting from a $4,900 debt position on Morpho. Vault curators who were actively monitoring their positions cut exposure quickly, and their losses stayed under $50,000. For curators managing their vaults more passively, losses grew into the millions of dollars.
The incident was an unfortunate proving point for an emerging view of vaults: that most DeFi vaults today lack sophisticated, active risk management. In this exploit, that kind of oversight turned out to be the difference between losses in the thousands and losses in the millions.
In this article, we’ll cover what happened, what it tells us about the state of DeFi vaults, and what we believe comes next.
What Happened: The USR Exploit And Its Fallout
A DeFi vault is a pool of capital managed onchain. You deposit funds and a vault manager, called a curator, decides where to deploy them to earn yield. On Morpho, the curator chooses which lending markets to supply, monitors conditions, and is supposed to pull funds out if something goes wrong.
Resolv runs a stablecoin called USR, which is, in effect, the senior tranche of the Resolv protocol and is pegged to $1. On March 22, an attacker minted 80 million unbacked USR tokens, nearly doubling the supply with no new collateral behind it, and USR immediately lost its peg. During the incident, the price of USR fell to around $0.23.
So, how was this possible?
A single externally owned account (EOA) holding the SERVICE_ROLE permission had unlimited mint power. There were no onchain issuance caps, no collateral-ratio enforcement, no oracle sanity checks, no multisig, and no proof-of-reserves oracle. The attacker deposited 100K USDC via requestSwap(), and the SERVICE_ROLE account completed the swap by minting 50M USR instead of 100K. They repeated this for another 30M USR.
The attacker then wrapped the inflated, unbacked USR into wstUSR, which had better DEX liquidity, and sold it across KyberSwap and Velora at prices between $0.50 and $0.88. Proceeds were converted to ETH via Uniswap V4 and MetaMask Swaps.
Their total haul ended up being roughly $25 million from a $200K starting position.
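To make the missing controls concrete, here is an added Python model of the swap-then-mint path described above. It is not Resolv's contract code (which is Solidity and not reproduced here); the class names, the `svc` role label and every threshold are assumptions for illustration, and the only figures taken from the article are the 100K USDC deposits and the 50M and 30M USR mints. The vulnerable shape lets the privileged caller pass the mint amount; the hardened shape derives the amount from the deposit and a peg-banded price, enforces an issuance cap, and checks the post-mint collateral ratio before touching state.

```python
"""Added model of a swap-then-mint flow: the vulnerable shape described in the
article (a privileged role supplies the mint amount) beside a hardened one.
Python stand-in for contract logic; all names and thresholds are constructed."""
from dataclasses import dataclass

BPS = 10_000  # basis points: 10_000 bps == 1.00


@dataclass
class SwapRequest:
    requester: str
    usdc_in: int
    fulfilled: bool = False


class VulnerableMinter:
    """The privileged caller chooses usr_out; nothing ties it to the deposit.

    No issuance cap, no collateral-ratio check and no price sanity check, so
    the one key holding SERVICE_ROLE can inflate supply arbitrarily.
    """

    def __init__(self, service_role: str) -> None:
        self.service_role = service_role
        self.supply = 0                 # total USR minted
        self.reserves = 0               # USDC held against it
        self.balances: dict[str, int] = {}
        self.requests: list[SwapRequest] = []

    def request_swap(self, requester: str, usdc_in: int) -> int:
        """Anyone deposits USDC and receives a pending request id."""
        if usdc_in <= 0:
            raise ValueError("deposit must be positive")
        self.reserves += usdc_in
        self.requests.append(SwapRequest(requester, usdc_in))
        return len(self.requests) - 1

    def _pending(self, caller: str, request_id: int) -> SwapRequest:
        if caller != self.service_role:
            raise PermissionError("caller lacks SERVICE_ROLE")
        req = self.requests[request_id]
        if req.fulfilled:
            raise ValueError("request already fulfilled")
        return req

    def _settle(self, req: SwapRequest, usr_out: int) -> None:
        req.fulfilled = True
        self.supply += usr_out
        self.balances[req.requester] = self.balances.get(req.requester, 0) + usr_out

    def complete_swap(self, caller: str, request_id: int, usr_out: int) -> int:
        req = self._pending(caller, request_id)
        self._settle(req, usr_out)      # usr_out trusted as given: the bug
        return usr_out

    def collateral_ratio(self) -> float:
        return self.reserves / self.supply if self.supply else float("inf")


class HardenedMinter(VulnerableMinter):
    """The role may only settle a request; the amount is derived, not chosen.

    usr_out comes from the deposit and a price that must lie inside a band
    around the peg, total supply is capped, and the post-mint collateral ratio
    is checked before any state changes. Threshold values are illustrative.
    """

    def __init__(self, service_role: str, supply_cap: int,
                 min_cr_bps: int = 9_800, max_dev_bps: int = 200) -> None:
        super().__init__(service_role)
        self.supply_cap = supply_cap
        self.min_cr_bps = min_cr_bps
        self.max_dev_bps = max_dev_bps

    # Signature differs from the parent on purpose: the caller passes a price
    # (USR in USDC, bps), never an amount.
    def complete_swap(self, caller: str, request_id: int, price_bps: int) -> int:
        req = self._pending(caller, request_id)
        if abs(price_bps - BPS) > self.max_dev_bps:
            raise ValueError(f"price {price_bps} bps is outside the peg band")
        usr_out = req.usdc_in * BPS // price_bps   # derived from the deposit
        new_supply = self.supply + usr_out
        if new_supply > self.supply_cap:
            raise ValueError("issuance cap exceeded")
        if self.reserves * BPS < new_supply * self.min_cr_bps:
            raise ValueError("collateral ratio would fall below minimum")
        self._settle(req, usr_out)
        return usr_out


def replay_exploit() -> dict:
    """Replays the article's numbers against the vulnerable shape:
    two 100K USDC deposits settled as 50M and 30M USR."""
    m = VulnerableMinter(service_role="svc")       # constructed label
    for usr_out in (50_000_000, 30_000_000):
        rid = m.request_swap("attacker", 100_000)
        m.complete_swap("svc", rid, usr_out)
    return {"supply": m.supply, "reserves": m.reserves,
            "collateral_ratio": m.collateral_ratio()}


def hardened_attempt(price_bps: int, usdc_in: int = 100_000,
                     supply_cap: int = 50_000_000) -> int:
    """Same deposit against the hardened shape; returns USR actually minted."""
    h = HardenedMinter("svc", supply_cap=supply_cap)
    rid = h.request_swap("attacker", usdc_in)
    return h.complete_swap("svc", rid, price_bps)


def hardened_rejects(price_bps: int, usdc_in: int = 100_000,
                     supply_cap: int = 50_000_000) -> bool:
    """True if the hardened shape refuses the settlement."""
    try:
        hardened_attempt(price_bps, usdc_in, supply_cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", replay_exploit())
    print("hardened at peg:", hardened_attempt(10_000), "USR for 100K USDC")
    print("hardened at $0.50 input price rejected:", hardened_rejects(5_000))
```

The point of the hardened shape is that the privileged key shrinks from "can mint anything" to "can settle a queued request"; even with the key in an attacker's hands, the worst case is bounded by the deposits actually received, the cap, and the collateral-ratio floor.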
The Oracle Problem
The exploit triggered a second wave of damage through lending markets because multiple Morpho markets accepted wstUSR as collateral priced by a fundamental oracle, one that tracked Resolv’s daily NAV updates rather than the market price. In effect the price was hardcoded: the oracle still quoted wstUSR at $1.13 after the underlying token had collapsed.
This gap between the stale oracle price and the real market price created a free arbitrage: anyone could deposit nearly worthless wstUSR, have it valued at $1.13, borrow real USDC against it at full value, and walk away.
And someone did.
How $4,900 Became $6.2 Million
The original debt from the exploit on Morpho was just $4,900 in USDC borrowed against USR collateral. That number should have stayed small, but it got out of hand quickly because vault curators were not actively watching.
Morpho's Public Allocator lets curators automatically supply capital to high-utilization markets on the assumption that high utilization signals high demand and better yields. In this case, high utilization meant the market was broken: every dollar supplied was borrowed immediately against mispriced collateral. And because the Public Allocator is a permissionless function, anyone can trigger it during a live exploit against a stale oracle, effectively turning the vault into an open credit line for the attacker.
Gauntlet, one of the largest vault curators on Morpho, had its automated allocations running when the exploit hit. Twenty minutes after the attack, at 2:41 UTC, Gauntlet's system began pushing fresh USDC into the compromised wstUSR/USDC market. Onchain data shows multiple wallets calling borrow functions immediately after each allocation, draining the new USDC upon arrival. This continued for roughly 90 minutes before someone turned it off. 9Summits, another curator, kept supplying for 10 hours.
By the end, Gauntlet's Core and Frontier vaults accounted for 96% of unintended supplies and 98% of total lender liquidity in the market. The final tally was $6.18M in USDC supplied, 100% utilization, and zero withdrawable liquidity. As a result, Gauntlet's vault depositors became exit liquidity for the collateral collapse.
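The stale-oracle arbitrage described under "The Oracle Problem" and the allocate-then-drain loop described in this section are two halves of one feedback cycle, so here is a single added Python model that shows both (constructed for this article; it is not Morpho's code and not any curator's automation). The market has an oracle stuck at $1.13 while the collateral clears at $0.23, opportunistic borrowers empty every new tranche, and three curator policies decide each tick whether to keep supplying. The LLTV of 0.86, the $300K tranche size, the 5-minute tick and the thresholds are assumptions; the $4,900 starting position, the $1.13 and $0.23 prices and the 90-minute window come from the article.

```python
"""Added model of the allocate-then-drain loop: a lending market whose
collateral oracle is stuck above market price, borrowers who take every new
dollar, and three curator policies. Numbers are illustrative."""
from dataclasses import dataclass


@dataclass
class Market:
    oracle_price: float      # price the lending market trusts (stale, NAV-based)
    market_price: float      # price the collateral actually clears at on DEXes
    lltv: float              # max loan-to-value the market lends at (assumed 0.86)
    supplied: float = 0.0    # USDC lent into the market
    borrowed: float = 0.0    # USDC taken out by borrowers
    collateral: float = 0.0  # collateral tokens posted by borrowers

    def liquidity(self) -> float:
        return self.supplied - self.borrowed

    def utilization(self) -> float:
        return 0.0 if self.supplied == 0 else self.borrowed / self.supplied

    def supply(self, usdc: float) -> None:
        self.supplied += usdc

    def drain(self) -> float:
        """Opportunistic borrower: post just enough collateral, valued at the
        stale oracle price, to borrow every available dollar. Profitable as
        long as oracle_price * lltv exceeds market_price."""
        liq = self.liquidity()
        if liq <= 0:
            return 0.0
        self.collateral += liq / (self.oracle_price * self.lltv)
        self.borrowed += liq
        return liq

    def bad_debt(self) -> float:
        """Debt lenders cannot recover by selling collateral at market price."""
        return max(0.0, self.borrowed - self.collateral * self.market_price)


CHUNK = 300_000.0   # USDC per reallocation tick (constructed)


def passive_policy(m: Market, drained: list[float]) -> float:
    """First-generation automation: high utilization means demand, so supply."""
    return CHUNK if m.utilization() >= 0.9 else 0.0


def drain_breaker(m: Market, drained: list[float]) -> float:
    """Same rule, but halts once a tranche is borrowed out within one tick:
    instant 100% utilization right after supply is a drain, not demand."""
    if drained and drained[-1] >= 0.95:
        return 0.0
    return passive_policy(m, drained)


def oracle_breaker(m: Market, drained: list[float], max_dev: float = 0.02) -> float:
    """Refuses to supply while the market's oracle disagrees with the DEX price."""
    dev = abs(m.oracle_price - m.market_price) / m.oracle_price
    return 0.0 if dev > max_dev else drain_breaker(m, drained)


def simulate(policy, ticks: int = 18) -> dict:
    """One tick = 5 minutes; 18 ticks covers the 90 minutes in the article.
    The market starts at the original $4,900 fully utilized position.
    Once a policy declines to supply it is treated as halted."""
    m = Market(oracle_price=1.13, market_price=0.23, lltv=0.86)
    m.supplied = m.borrowed = 4_900.0
    m.collateral = 4_900.0 / (m.oracle_price * m.lltv)
    drained: list[float] = []          # fraction of each tranche taken per tick
    supplied_by_curator = 0.0
    for _ in range(ticks):
        amount = policy(m, drained)
        if amount <= 0:
            break
        m.supply(amount)
        supplied_by_curator += amount
        drained.append(m.drain() / amount)
    return {
        "curator_supplied": supplied_by_curator,
        "ticks_active": len(drained),
        "bad_debt": round(m.bad_debt(), 2),
        "utilization": m.utilization(),
    }


if __name__ == "__main__":
    for name, pol in [("passive", passive_policy),
                      ("drain breaker", drain_breaker),
                      ("oracle breaker", oracle_breaker)]:
        print(f"{name:15s} {simulate(pol)}")
```

The passive policy sees 100% utilization every tick and keeps feeding the market for the full 90 minutes; the drain breaker loses exactly one tranche before it notices that supply is vanishing on arrival; the oracle breaker never supplies, because the deviation check catches the mispricing before any capital moves. Neither breaker needs to know who called the allocator, which matters because the Public Allocator can be triggered by anyone.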
Smaller curators like re7 and kpk took a different approach, cutting their exposure shortly after the exploit. Because of their active human oversight, their losses stayed well below Gauntlet's.
Contagion
Once the hardcoded oracle mispricing became public knowledge, the same arbitrage pattern played out across other lending markets that accepted USR or wstUSR as collateral. Fluid and Instadapp were hit hardest outside of Morpho, accumulating over $11M in potential bad debt, with the majority of that damage arriving after the initial exploit as opportunistic borrowers replicated the same trade. Inverse Finance absorbed $340K in DOLA bad debt from a similar dynamic. Venus and Seamless moved to pause all USR exposure entirely, cutting off further lending activity before losses could compound.
The Bigger Problem With Vault Curation Today
Vault curators exist to underwrite risk on behalf of depositors. When a curator routes USDC into a Morpho market collateralized by a single asset whose issuance is controlled by a single key, that is a risk decision, even if the depositor never sees it that way.
Most vault curators today operate as thin layers on top of smart contracts, routing capital, optimizing for yield, and collecting fees. What they generally do not do is apply real-time judgment to changing market conditions, particularly during stress events. The USR incident made this clearly visible.
Gauntlet's automation ran for 90 minutes and 9Summits' for 10 hours before anyone intervened.
Automation without circuit breakers is a liability, and risk management must be treated as a 24/7/365 responsibility. This becomes more critical as the sector grows: Keyrock projects the vault sector to reach $64 to $85 billion by year-end.
At that scale, passive curation is a systemic risk.
The Next Generation Of Vaults
The first generation of DeFi vaults proved that smart contracts can automate yield strategies, pool liquidity, and deliver returns without intermediaries. What they have not solved is keeping the curation layer in step with the scale of capital it manages.
The next generation, "Vaults 2.0," addresses this with a fundamentally different operating model. Allocation strategies optimize continuously across yield, concentration risk, liquidity buffers, and correlation constraints at the same time. Risk management no longer waits for a human to notice something is wrong: these vaults monitor collateral types, counterparty health, and protocol utilization in real time and trigger programmatic adjustments the moment a metric breaches a predefined threshold.
To keep performance up, new yield opportunities are identified and evaluated against predefined criteria on an ongoing basis, not during periodic reviews.
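As an added illustration of the allocation model this section describes (not code from any vault or curator), here is a small Python allocator that chases yield only inside per-market concentration caps, a per-issuer cap that treats collateral from the same issuer as correlated, and an idle liquidity buffer, and that drops any market whose monitored metrics breach a threshold. The market names, APYs, issuer labels and limit values are constructed; the wstUSR/USDC market is the only one drawn from the article, shown once before and once after its collapse.

```python
"""Added example of a constraint-driven allocator: yield is maximized only
inside concentration, issuer-correlation and liquidity-buffer limits, and any
market whose monitored metrics breach a threshold is excluded outright.
Not any vault's code; market names, APYs and limits are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MarketView:
    name: str
    apy: float            # current supply APY
    issuer: str           # who controls the collateral's issuance (correlation key)
    oracle_price: float   # price the lending market trusts
    market_price: float   # price the collateral clears at on DEXes
    utilization: float


@dataclass(frozen=True)
class Limits:
    max_market_share: float = 0.25     # of vault assets in any one market
    max_issuer_share: float = 0.35     # across all markets sharing an issuer
    liquidity_buffer: float = 0.10     # share kept idle and withdrawable
    max_oracle_deviation: float = 0.02
    max_utilization: float = 0.95


def breaches(m: MarketView, lim: Limits) -> list[str]:
    """Threshold checks a monitor would run on every update."""
    reasons = []
    dev = abs(m.oracle_price - m.market_price) / m.oracle_price
    if dev > lim.max_oracle_deviation:
        reasons.append(f"oracle deviates {dev:.0%} from market")
    if m.utilization > lim.max_utilization:
        reasons.append(f"utilization {m.utilization:.0%}")
    return reasons


def allocate(total: float, markets: list[MarketView], lim: Limits) -> dict[str, float]:
    """Greedy by APY under the caps; whatever cannot be placed stays idle."""
    deployable = total * (1 - lim.liquidity_buffer)
    market_cap = total * lim.max_market_share
    issuer_cap = total * lim.max_issuer_share
    alloc = {m.name: 0.0 for m in markets}
    issuer_used: dict[str, float] = {}
    remaining = deployable
    for m in sorted(markets, key=lambda x: x.apy, reverse=True):
        if breaches(m, lim):
            continue
        room = min(market_cap, issuer_cap - issuer_used.get(m.issuer, 0.0), remaining)
        if room <= 0:
            continue
        alloc[m.name] = room
        issuer_used[m.issuer] = issuer_used.get(m.issuer, 0.0) + room
        remaining -= room
    alloc["idle"] = total - deployable + remaining
    return alloc


def snapshot(wstusr_market_price: float, wstusr_util: float) -> list[MarketView]:
    """Constructed snapshot of five USDC lending markets."""
    return [
        MarketView("wstUSR/USDC", 0.14, "Resolv", 1.13, wstusr_market_price, wstusr_util),
        MarketView("synthA-staked/USDC", 0.09, "issuer_X", 1.00, 1.00, 0.85),
        MarketView("synthA/USDC", 0.08, "issuer_X", 1.00, 1.00, 0.80),
        MarketView("ethLST/USDC", 0.06, "issuer_Y", 1.00, 1.00, 0.80),
        MarketView("btcWrapper/USDC", 0.05, "issuer_Z", 1.00, 1.00, 0.70),
    ]


def before_exploit() -> dict[str, float]:
    """wstUSR trades at its NAV and the market is healthy."""
    return allocate(10_000_000.0, snapshot(1.13, 0.85), Limits())


def after_exploit() -> dict[str, float]:
    """wstUSR clears at $0.23 and the market sits at 100% utilization."""
    return allocate(10_000_000.0, snapshot(0.23, 1.00), Limits())


if __name__ == "__main__":
    print("before:", before_exploit())
    print("after: ", after_exploit())
    for m in snapshot(0.23, 1.00):
        if breaches(m, Limits()):
            print("excluded", m.name, breaches(m, Limits()))
```

Before the collapse the highest-yield market still gets no more than 25% of the vault, and the two markets sharing an issuer are jointly held to 35%; after the collapse the breach filter removes wstUSR/USDC entirely and the capital it would have taken stays idle rather than chasing the next-best yield past the caps. Rerunning this on every price or utilization update is what "continuous" means in practice.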
What Comes Next
The vault space is at an inflection point. Growth is accelerating, but curation has not kept pace across the board. The longer this misalignment persists, the more passive curation grows as a systemic risk, one that a large enough incident could spread across the industry.
In that regard, the USR incident should serve as a wake-up call: Curators are meant to do more than route capital and optimize yield.
Moving forward, real-time monitoring and automated risk controls should be considered the minimum requirement for managing other people's capital in vaults.