Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'
A postmortem of an infinite-mint exploit: cloud key compromise, cross-protocol contagion, and how ops, governance, and Aave v4's hub design can reduce future risk.
Key Takeaways
- AWS/cloud-account compromise enabled unilateral infinite minting without any key being exfiltrated; misconfigured secret managers and KMS became a catastrophic single point of failure.
- Infinite-mint funds flowed into liquidity and lending pools, causing ~$20M-scale losses per protocol and rapid contagion across Morpho, Fluid, and Venus.
- Operational gaps (narrow audits, insecure credential storage, weak alerting, and missing threat models) delayed detection; the remedies are on-call alerting via PagerDuty/Opsgenie, SOC 2 practices, and end-to-end threat modeling.
- Aave v4’s hub-and-spoke architecture and segregated pools enable per-asset risk controls, debt ceilings, graduated elevation/downgrade, and reduced contagion versus monolithic pools.
- Curator incentives and accountability matter: high promised yields often hide risk; require documented mint controls, issuer disclosures, and aligned liability to shift incentives.
- Defensive checklist: enforce multi-sig and hardware keys, practice OPSEC, run continuous monitoring, perform holistic audits, and codify delisting/containment procedures.
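To make the continuous-monitoring and per-asset ceiling points above concrete, here is an added example (not code from the episode or from any protocol it names) of a supply-anomaly detector run over constructed Mint events: it alerts when minting in a rolling block window exceeds a fraction of supply, or when a mint would push supply past a hard ceiling. The event shape, addresses, and thresholds are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MintEvent:
    block: int    # block in which the Mint event was emitted (assumed shape)
    minter: str   # address that called mint()
    amount: int   # tokens minted, in base units


# Constructed sample: a quiet cadence of routine mints, then a burst from a
# single key that is many times the circulating supply in one call.
SAMPLE_EVENTS = [
    MintEvent(100, "0xOPS_A", 10_000),
    MintEvent(130, "0xOPS_A", 8_000),
    MintEvent(160, "0xOPS_B", 12_000),
    MintEvent(200, "0xOPS_A", 9_000_000),  # ~9x supply, infinite-mint pattern
    MintEvent(201, "0xOPS_A", 9_000_000),
]


def detect_mint_anomalies(events, initial_supply, supply_cap,
                          window_blocks=50, max_window_fraction=0.05):
    """Return (alerts, final_supply).

    'rate' fires when mints inside the trailing window exceed
    max_window_fraction of the supply at the window start; 'ceiling' fires
    when a single mint would exceed the hard supply_cap (a debt-ceiling
    analogue). Both are alerts, not automatic reverts: the on-chain cap is
    the real control and this is the monitoring that backs it.
    """
    supply = initial_supply
    window = deque()  # entries of (block, amount, supply_before_mint)
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        while window and window[0][0] <= ev.block - window_blocks:
            window.popleft()
        window.append((ev.block, ev.amount, supply))
        minted = sum(amount for _, amount, _ in window)
        baseline = window[0][2]
        reasons = []
        if minted > max_window_fraction * baseline:
            reasons.append("rate")
        if supply + ev.amount > supply_cap:
            reasons.append("ceiling")
        if reasons:
            alerts.append({"block": ev.block, "minter": ev.minter,
                           "window_minted": minted, "reasons": reasons})
        supply += ev.amount
    return alerts, supply
```

In practice the window and fraction should be sized from the issuer's documented mint schedule, so that a single signer exceeding them is itself an incident.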
Original Source
Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'