Why the USR token collapsed: a breakdown of the Revolv hack
The attack on Revolv showed how critical a compromise of cloud infrastructure can be. The attacker managed to mint tens of millions of tokens with minimal cost.
27.03.2026
On March 22, 2026, the Revolv protocol was attacked, resulting in losses of approximately $26.8 million. The root cause was a compromise of the project’s cloud infrastructure, which gave the attacker access to AWS Key Management Service (KMS). GetBlock AML Research provides a detailed breakdown of the Revolv attack.
Revolv uses a hybrid model: users deposit collateral (e.g., USDC), after which an off-chain system verifies the deposit and authorizes the minting of the internal token USR. The attacker first made several small legitimate deposits (approximately $100,000–$200,000 in USDC).
Then, using compromised privileged access (a so-called “service role”), they called the completeSwap() function and manually inflated the amount of USR tokens received. As a result, in just two transactions, the attacker obtained 80 million USR. The excessive token issuance caused a sharp price drop — from $1 to $0.03 — after which other platforms began suspending operations with the asset.
How the Revolv hack happened and access to AWS KMS
To secure its keys, Revolv used AWS KMS — a cloud-based key management system.
Why AWS KMS is used and how key management works
First, it provides security at scale: if a platform serves thousands of users, storing keys on separate physical devices is impractical — cloud solutions allow centralized management.
Second, access control: only specific services or employees can use the keys, with actions restricted and auditable. Auditability and compliance are also critical — every key usage is logged, which is essential for regulated companies.
Additionally, the system provides backup and recovery of keys and enables automatic transaction signing without manual intervention. The key that gave the attacker access to the “service role” was held within this system. This enabled them to:
- sign operations to mint any amount of tokens (the contract enforced a minimum, but not a maximum),
- generate signatures that the system treated as legitimate,
- mint tens of millions of tokens with minimal real deposits using the completeSwap() function.
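The missing upper bound described in the list above can be modelled as follows. This is an added example, not Revolv's contract code: the `SwapRequest` fields, the function names, the 1:1 USDC/USR peg and the 1% tolerance are assumptions, and the sample amounts are constructed from the figures reported in this article.

```python
from dataclasses import dataclass

# Hypothetical model of a two-step swap: a user files a request with a deposit,
# then a privileged "service role" completes it and names the mint amount.
# All names and the tolerance below are assumptions, not Revolv's own code.

@dataclass
class SwapRequest:
    request_id: int
    deposit_usdc: int       # collateral deposited, in whole USDC
    min_expected_usr: int   # minimum amount the user agreed to receive

MAX_DEVIATION_BPS = 100     # assumed cap: mint may exceed the deposit by 1%

def mint_ceiling(req):
    # Assumes a 1:1 USDC/USR peg; integer maths avoids rounding surprises.
    return req.deposit_usdc * (10_000 + MAX_DEVIATION_BPS) // 10_000

def complete_swap_min_only(req, mint_usr):
    """Behaviour the article describes: a minimum is enforced, no maximum."""
    if mint_usr < req.min_expected_usr:
        raise ValueError("below user minimum")
    return mint_usr

def complete_swap_bounded(req, mint_usr):
    """Hardened variant: the mint is capped against the recorded deposit, so a
    valid service-role signature alone cannot authorise an unbacked amount."""
    if mint_usr < req.min_expected_usr:
        raise ValueError("below user minimum")
    if mint_usr > mint_ceiling(req):
        raise ValueError(f"mint {mint_usr} exceeds ceiling {mint_ceiling(req)}")
    return mint_usr

def audit_completions(completions):
    """Monitoring side: list (request_id, mint/deposit multiple) for every
    completed swap whose mint exceeds the ceiling for its deposit."""
    return [(req.request_id, minted // req.deposit_usdc)
            for req, minted in completions if minted > mint_ceiling(req)]

# Constructed sample data modelled on the amounts reported in the article.
SAMPLE = [
    (SwapRequest(1, 100_000, 99_000), 50_000_000),
    (SwapRequest(2, 100_000, 99_000), 30_000_000),
    (SwapRequest(3, 5_000, 4_950), 5_000),          # ordinary user swap
]

if __name__ == "__main__":
    print(audit_completions(SAMPLE))
```

The same ratio check works as an independent alert on completed swaps even when the on-chain cap is in place, because it does not depend on the signing key staying secret.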
How the attack unfolded and USR tokens were minted
| Affected addresses |
| 0xa27a69Ae180e202fDe5D38189a3F24Fe24E55861 (USR contract) |
| 0x15CAd41e6BdCaDc7121ce65080489C92CF6de398 (service wallet) |
Timeline of the Revolv attack
- March 22, 2026, 01:50:59: The attacker created a swap request, depositing approximately 100,000 USDC. Transaction: 0x590b5c66df27b7f34cde721ca1b5f973ae047ffda370610491f694dade732c89
- March 22, 2026, 02:21:35: The attacker created a swap request, depositing approximately 100,000 USDC. Transaction: 0xfe37f25efd67d0a4da4afe48509b258df48757b97810b28ce4c649658dc33743
Approximately two hours later, the attacker repeated the same scheme — creating another request and confirming it to receive an additional 30 million USR. Transaction: 0x41b6b9376d174165cbd54ba576c8f6675ff966f17609a7b80d27d8652db1f18f.
Vulnerability in the key management system
The primary cause of the incident was the compromise of AWS KMS, where the attacker gained access to the private key of a service wallet. This wallet (0x15CAd41e6BdCaDc7121ce65080489C92CF6de398) had previously been granted elevated privileges (“service role”), enabling the execution of critical operations.
Where the funds went after the attack
One of the attacker’s wallets (0x04A288a7789DD6Ade935361a4fB1Ec5db513caEd) received 80 million USR.
Flow of stolen funds. Visualization: Certik
As of March 27:
- one address (0x04A288a7789DD6Ade935361a4fB1Ec5db513caEd) holds 20.4 million wstUSR ($1.26 million)
- another (0x8ed8cf0c1c531c1b20848e78f1cb32fa5b99b81c) holds 11,408 ETH (~$24.78 million)
- a third address (0x9FeeEAEc113E6d2DCD5ac997d5358eee41836e5f) holds 12 million wstUSR ($742,000) and 25.93 ETH ($56,000)