CryptoPH

The Resolv USR exploit wasn't a bug - it was a feature working exactly as designed. And that's the problem. How USR minting works: you deposit USDC, then an off-chain service with a privileged key decides how much USR to mint for you. The contract checks the minimum but has no maximum. No cap. No ratio to collateral. Whatever the key holder says - gets minted. You could deposit $1 and mint billions. This design was live since day one. It wasn't a code bug. The threat model was simply: "the key won't leak." It did. Attacker got the key. Deposited $200K across two txs, minted 80M unbacked USR. Dumped on DEXes, walked away with ~$23M in ETH. Single point of failure: one private key, no on-chain sanity checks. No max mint ratio, no multisig, no timelock. One compromised key = unlimited money printer. The contract worked perfectly. That's the scariest part.