Resolv Labs Offers 10% Bounty to Attacker in Bid to Recover $22.5M in Ethereum - Crypto Economy

TL;DR:

• Resolv Labs issued a 72-hour ultimatum to the attacker who stole $25M, offering to let them keep 10% if they return the rest.
• The exploit occurred on March 22: the attacker minted 80 million unbacked USR tokens and converted them into 11,409 ETH.
• The vulnerability originated in a privileged minting role controlled by a single account with no limits or multi-signature authorization.

Resolv Labs issued a public ultimatum to the attacker responsible for the exploit that last Sunday drained approximately $25 million from the protocol. Through an onchain message, the Abu Dhabi-based company offered the individual the option to keep 10% of the stolen funds in exchange for returning the remaining 90% —approximately $22.5 million in ETH— along with any USR tokens still under their control.

The established deadline expires on Thursday. Resolv also included an alternative path in the proposal: the attacker may opt for a responsible disclosure scheme, contacting the team by email to demonstrate that their intervention was the result of a good-faith security investigation.

What Happened to Resolv?

The attack took place in the early hours of Sunday, March 22. The attacker deposited approximately $200,000 in USDC into Resolv’s USR Counter contract and received 50 million USR in return. A second transaction allowed them to mint an additional 30 million tokens. The total obtained was exchanged for stablecoins across various decentralized exchanges and then converted into 11,409 ETH, according to onchain data.


Analysts determined that the breach originated in a privileged minting role controlled by a single externally owned account, with no maximum issuance limits, no oracle checks, and no multisignature authorization requirement. Resolv acknowledged in its statement that the exploit, though facilitated by a protocol vulnerability, was executed with clear malicious intent and that the unbacked tokens generated represent a risk to the stability of the secondary market.

Protocol Responses and Solutions for Affected Users

Should the deadline pass without compliance, the protocol warned it will escalate its measures: coordination with centralized exchanges, bridges, and infrastructure providers to restrict or freeze the assets, public disclosure of the addresses and transaction traces involved, and collaboration with blockchain analytics firms and law enforcement to initiate legal action.

Resolv Digital Assets Ltd. also announced that it has enabled redemptions for users who held USR prior to the incident and appeared on the allowlist. Updates for the remaining users, the protocol indicated, will be communicated in the coming hours.