Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'
A deep postmortem of an AWS key compromise that enabled an infinite-mint stablecoin attack — and practical fixes for DeFi custody, audits, curation, and protocol design.
Key Takeaways
- AWS key compromise led to an infinite-mint USR exploit that swapped on Curve and drained multiple lending protocols; single-key design and absent alerts amplified contagion.
- Audits were scope-limited and secrets were stored insecurely; implement threat modeling, SOC 2 controls, pager alerts, an incident response firm on retainer, multi-party mint controls, and avoid relying on a single exported key.
- Curators chasing yield create principal-agent risks; require debt ceilings, layered protections, transparent token vesting, and enforce issuer diligence to reduce contagion from composability.
- Aave v4's hub-and-spoke pools segregate risk per asset, enable configurable interest models, smoother onboarding/offboarding, and governance paths to elevate or demote assets.
- Technical fixes: enforce mint velocity limits, separate on-chain reserve reporting, avoid hard-coded stablecoin prices, pin packages, disable auto-updates, and diversify integrations to reduce single-point failures.
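The two mint-side controls named in the takeaways, multi-party mint authorisation and a mint velocity limit, are easier to reason about in a small model than in prose. The following Python is an added example written for this page; it is not code from the Resolv postmortem or from any protocol, and the signer names, epoch length and cap are constructed values. It shows why a single compromised key cannot mint on its own, why a burst of mints is capped per epoch even when fully approved, why an approval is bound to the exact amount it was given for, and why a spent approval cannot be replayed.

```python
"""Added example (not from the Resolv postmortem or any project's code): a minimal
mint controller combining M-of-N approval with an epoch-based velocity limit.
Signer names, epoch length and the per-epoch cap are hypothetical values."""
from dataclasses import dataclass, field


class MintRejected(Exception):
    """Raised when a mint request fails a control check."""


@dataclass
class MintController:
    signers: frozenset            # the N keys allowed to approve a mint
    threshold: int                # M approvals required before minting
    epoch_seconds: int            # length of the velocity-limit window
    max_mint_per_epoch: int       # cap on tokens minted inside one window
    total_supply: int = 0
    # (request_id, amount) -> set of signers who approved exactly that amount
    _approvals: dict = field(default_factory=dict)
    # epoch index -> amount already minted in that epoch
    _minted: dict = field(default_factory=dict)

    def approve(self, request_id: str, amount: int, signer: str) -> int:
        """Record one signer's approval of a specific amount; returns the approval count."""
        if signer not in self.signers:
            raise MintRejected(f"{signer!r} is not an authorised signer")
        if amount <= 0:
            raise MintRejected("amount must be positive")
        approved = self._approvals.setdefault((request_id, amount), set())
        approved.add(signer)          # the same key approving twice still counts once
        return len(approved)

    def mint(self, request_id: str, amount: int, now: float) -> int:
        """Execute a mint only if it has M-of-N approval and fits the epoch cap."""
        approved = self._approvals.get((request_id, amount), set())
        if len(approved) < self.threshold:
            raise MintRejected(f"need {self.threshold} approvals, have {len(approved)}")
        epoch = int(now // self.epoch_seconds)
        used = self._minted.get(epoch, 0)
        if used + amount > self.max_mint_per_epoch:
            raise MintRejected(f"velocity limit: {used + amount} > {self.max_mint_per_epoch}")
        self._minted[epoch] = used + amount
        self.total_supply += amount
        del self._approvals[(request_id, amount)]   # one-shot: approvals cannot be replayed
        return self.total_supply


def simulate() -> dict:
    """Walk the controls through constructed scenarios; returns each outcome."""
    ctl = MintController(signers=frozenset({"ops-key", "risk-key", "treasury-key"}),
                         threshold=2, epoch_seconds=3600, max_mint_per_epoch=1_000_000)
    out = {}
    # 1. One key alone (e.g. a leaked cloud secret) cannot mint.
    ctl.approve("req-1", 500_000, "ops-key")
    try:
        ctl.mint("req-1", 500_000, now=0)
        out["single_key"] = "minted"
    except MintRejected:
        out["single_key"] = "rejected"
    # 2. A second signer on the same request lets it through.
    ctl.approve("req-1", 500_000, "risk-key")
    out["supply_after_first"] = ctl.mint("req-1", 500_000, now=10)
    # 3. A fully approved burst still hits the per-epoch cap (500k + 900k > 1M).
    ctl.approve("req-2", 900_000, "ops-key")
    ctl.approve("req-2", 900_000, "risk-key")
    try:
        ctl.mint("req-2", 900_000, now=20)
        out["burst"] = "minted"
    except MintRejected:
        out["burst"] = "rejected"
    # 4. The same approved request fits once the next epoch starts.
    out["supply_next_epoch"] = ctl.mint("req-2", 900_000, now=3600)
    # 5. Spent approvals are gone, so the request cannot be replayed.
    try:
        ctl.mint("req-2", 900_000, now=3700)
        out["replay"] = "minted"
    except MintRejected:
        out["replay"] = "rejected"
    # 6. Approvals for different amounts on one request do not combine.
    ctl.approve("req-3", 100, "ops-key")
    ctl.approve("req-3", 200, "risk-key")
    try:
        ctl.mint("req-3", 200, now=3800)
        out["amount_binding"] = "minted"
    except MintRejected:
        out["amount_binding"] = "rejected"
    return out


if __name__ == "__main__":
    print(simulate())
```

The cap is deliberately per epoch rather than per transaction: a per-transaction limit is trivially bypassed by splitting a mint into many small ones, which is exactly the pattern a velocity limit is meant to stop. In a real deployment the same two checks would live in the token contract's mint path and the epoch counter would be derived from block timestamps, but the control logic is the same as modelled here.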
Original Source
Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'