Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'

Unchained

March 27, 2026

Chaos Labs’ Omer Goldberg joins the crew to dig into the Resolv Labs exploit. Why was the USR minting function controlled by a single key? And how did audits miss it?
Speakers: Kain Warwick, Taylor Monahan
**Kain Warwick** (0:01)
Hey, everyone, I'm Kain Warwick and welcome to Uneasy Money, because what happens on chain never stays on chain. Before we start, nothing you hear on Uneasy Money is financial advice. We're just four builders talking about what's happening on chain, and we want you to always do your own research before aping it. You can find all our disclosures at unchainedcrypto.com/uneasymoney.

**Kain Warwick** (1:25)
All right. I'm here with my co-host, Taylor Monahan, Security Expert. We could definitely use a few more security experts on this show this week where we got some stuff to cover, and looking at CEO Pudgy Penguins. Joining us today, we have a special guest, Omer Goldberg, CEO of Chaos Labs. Welcome, Omer. We have a lot of wild stuff to cover today. Let's just dive in. The first thing is this Resolv situation. $300,000 in and $54 million gone. What happened on Sunday night, I believe, an attacker compromised Resolv's AWS hosted private key, minted $80 million of unbacked USR for 300K, dumped it on Curve and walked away with 24 million in ETH. USR crashed from $1 to 2.5 cents, I think. Not too bad, not zero. It held up okay there. The protocol pulls three hours later. The three hours later thing, I guess we'll get into that, but that seems like a decent amount of time for something like this to happen.
Yeah, there were a bunch of issues with Morpho, lending markets, Stakehouse was also caught up in this. And I think there's this kind of automated allocation on the minting side. And we can probably jump into it here, Tay, with your take, but this idea of making it as convenient as possible to mint stablecoins. There's a long period of time, right? If you go back to like the Tether days, where everyone was always mad at Tether, because it was like this black box minting process, and only certain people are allowed to mint, and maybe there's some stuff we can learn from CeFi, I guess.

**Taylor Monahan** (3:26)
Yeah. Well, I'm very excited to hear Omer's perspective, because for me, my perspective is, this is actually, there's a lot of wild stuff that happened, and there's a lot of complexity in what happened, and where bad debt was accrued, where the losses happened, where things can be improved there. But at the root, we do, in fact, go back to the fact that a single party had a single key, that thing was compromised by some bad actors, and that allowed them to take unilateral action. And apparently, this unilateral action basically, minting a whole bunch of USR was either not monitored or maybe they had alerts on it, but nobody was monitoring those alerts. And so, as we go into all of the more interesting complexities around this, I just want to remind everyone that at the end of the day, this is a very Web2-oriented hack. This is a key that was compromised, that was controlled by G.

**Kain Warwick** (4:31)
On AWS, right?

**Taylor Monahan** (4:32)
Yeah. So, it wasn't... It's not quite your perfectly classic private key compromise, but it's about as close as it gets. Basically, the key to AWS was compromised, and the AWS and basically all Infra have key management solutions. And so, you put your private key in this little section of AWS, and you're like, now it can't be exported, and now it can't be compromised. But in order to interact with that key, and in order to take actions like minting or any sort of actions, wherever that key lives, you have to be able to interact with it. And so, sometimes the system can allow the key to be exported, or if it's slightly more secure, then you just have to ask the key to mint or burn or whatever, do whatever, move everyone's money, whatever the case may be.

**Kain Warwick** (5:29)
Right. So, just a question on that, right? Like, so, you know, the old school DeFi way was you just have like an unencrypted private key sitting on your laptop.
