The Resolv hack: How one compromised key printed $23M

Nature of the Resolv hack

  • Several commenters stress this was not a classic “smart contract exploit” but began with compromise of Resolv’s AWS environment.
  • The attacker gained the ability to sign with a privileged mint-authority key held in AWS KMS (or at least obtained credentials permitted to invoke it; KMS key material is designed to be non-exportable, so permission to call the signing operation is, for an attacker, as good as holding the key) and used it to mint large amounts of USR.
  • The contract logic only checked that a mint request carried a valid signature from that key; it enforced no mint cap, so a single usable key was sufficient for essentially unlimited unbacked token creation.
  • Around $23–25M was extracted before admins paused the protocol; some note that taking “only” part of the supply may preserve enough confidence for the token to retain value.

Key management and security design

  • Strong criticism of keeping a mint-authority key in cloud infrastructure; suggestions include airgapped machines, offline CAs, hardware tokens, and more paranoid operational practices.
  • Others counter that if the system design requires online signing for active minting, fully offline keys are impractical.
  • Debate over KMS/HSM: an HSM or KMS keeps key material from being extracted, but any identity permitted to invoke its signing operation can still produce valid signatures, so it does not remove the need to harden access; “you still have to secure the HSM.”
  • Some argue MPC/multisig with multiple keyholders is safer than a single privileged key.
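
To make two of the design points above concrete (the missing mint cap in the contract logic, and threshold signing instead of a single privileged key), here is an added Solidity example. It is not Resolv's code and does not reproduce the USR contract; the `IMintableToken` interface, the contract names, the low-s constant's use and every parameter are hypothetical illustrations. The first contract shows the pattern the thread describes: one valid signature from one key is the only gate. The second requires M-of-N signatures from keys that can live in separate custody domains, and bounds what even a full set of compromised keys can mint per window and in total.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token interface; the real USR contract is not reproduced here.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Shared ECDSA recovery and replay protection for both minters below.
abstract contract SigRecover {
    mapping(bytes32 => bool) public used; // digest => already consumed

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        // EIP-2 low-s rule: reject the malleable twin of an otherwise valid signature.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "high s");
        address a = ecrecover(digest, v, r, s);
        require(a != address(0), "bad sig");
        return a;
    }
}

// BEFORE: one online key; a valid signature is the only gate. Whoever can
// invoke Sign with that key (e.g. through a compromised cloud role) sets supply.
contract SignatureOnlyMinter is SigRecover {
    address public immutable signer;
    IMintableToken public immutable token;

    constructor(address signer_, IMintableToken token_) { signer = signer_; token = token_; }

    function mint(address to, uint256 amount, bytes32 nonce, bytes calldata sig) external {
        // Digest binds contract and chain id so a signature cannot be replayed elsewhere.
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, to, amount, nonce));
        require(!used[digest], "replay");
        require(_recover(digest, sig) == signer, "not signer");
        used[digest] = true;
        token.mint(to, amount); // no cap, no rate limit, no second approver
    }
}

// AFTER: M-of-N signers, a hard cap on cumulative mints, a per-window limit,
// an expiry on each authorization, and a guardian pause. One stolen key can no
// longer mint; even M stolen keys are bounded to windowLimit per window.
contract ThresholdCappedMinter is SigRecover {
    IMintableToken public immutable token;
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    uint256 public immutable hardCap;      // ceiling on everything minted through this contract
    uint256 public immutable windowLimit;  // ceiling per windowLength seconds
    uint256 public immutable windowLength;
    address public immutable guardian;

    uint256 public totalMinted;
    uint256 public windowStart;
    uint256 public mintedInWindow;
    bool public paused;

    constructor(IMintableToken token_, address[] memory signers, uint256 threshold_,
                uint256 hardCap_, uint256 windowLimit_, uint256 windowLength_, address guardian_) {
        require(threshold_ > 0 && threshold_ <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        token = token_; threshold = threshold_; hardCap = hardCap_;
        windowLimit = windowLimit_; windowLength = windowLength_; guardian = guardian_;
    }

    function mint(address to, uint256 amount, bytes32 nonce, uint256 deadline, bytes[] calldata sigs) external {
        require(!paused, "paused");
        require(block.timestamp <= deadline, "expired");
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, to, amount, nonce, deadline));
        require(!used[digest], "replay");
        _checkThreshold(digest, sigs);
        used[digest] = true;

        // Roll the rate-limit window, then enforce both the window and the hard cap.
        if (block.timestamp >= windowStart + windowLength) { windowStart = block.timestamp; mintedInWindow = 0; }
        require(mintedInWindow + amount <= windowLimit, "window limit");
        require(totalMinted + amount <= hardCap, "hard cap");
        mintedInWindow += amount;
        totalMinted += amount;
        token.mint(to, amount);
    }

    // Signatures must be ordered by ascending recovered address, so the same
    // key cannot be counted twice toward the threshold.
    function _checkThreshold(bytes32 digest, bytes[] calldata sigs) internal view {
        require(sigs.length >= threshold, "too few sigs");
        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address a = _recover(digest, sigs[i]);
            require(a > last, "unsorted or duplicate");
            require(isSigner[a], "unknown signer");
            last = a;
        }
    }

    function pause() external { require(msg.sender == guardian, "not guardian"); paused = true; }
}
```

Neither the cap nor the threshold prevents a key compromise; they bound its blast radius and buy time for the pause the thread describes admins eventually invoking. The per-window limit should be sized against legitimate mint volume, and mints approaching it should alert someone, because with a stolen key the attacker's first transaction is indistinguishable from a legitimate one.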

Debate over “code is law” and centralization

  • Some lean into “code is the contract” and accept exploits and chain forks as part of the ecosystem’s “battle testing.”
  • Others highlight that admin powers like freezing or reversing transactions mean these systems are effectively centralized payment platforms, not trustless crypto.
  • There is disagreement over what qualifies as a “cryptocurrency”; stricter definitions would exclude stablecoins and even Ethereum, which others see as out of step with common usage.

Purpose and value of stablecoins

  • Skeptics see stablecoins as pointless: capped upside, issuer risk, centralization, and overlap with existing payment rails.
  • Supporters cite uses:
    • Dollar-like asset without volatility for trading within crypto.
    • Workarounds for restrictive banking, card network prudishness (porn, gambling, weed), and AML/KYC roadblocks.
    • Cross-border payments and some international trade, especially in regions with weak banking infrastructure or cash limits.
  • There is sharp disagreement over how common and realistic these use cases are.

Illicit use, regulation, and crime vs. utility

  • Several assert stablecoins and crypto broadly are primarily for crime, money laundering, and speculation, with non-criminal users as cover.
  • Others push back, arguing that traditional finance increasingly excludes “edge” but legal activities due to FATF/AML pressure, making crypto an alternative.
  • Overall, the thread reflects deep skepticism about the industry’s legitimacy, with a minority emphasizing niche but real frictions that crypto can alleviate.

Speculation about an inside job

  • Multiple commenters question whether the hack was internal; others note that crypto history makes this suspicion common.
  • No concrete evidence is cited either way; the true origin of the AWS compromise remains unclear in the discussion.