This is a guest post written by the kpk Team

On Sunday 22 March, an attacker exploited a flaw in Resolv's USR stablecoin minting contract, creating roughly $80M in unbacked tokens and extracting ~$25M in ETH. USR lost its peg within minutes. The contagion spread fast, hitting lending vaults across the Morpho ecosystem that had accepted USR or RLP as collateral. For vault curators, this was a live stress test. Real depositor funds, a compromised collateral asset, and a limited time to act.

kpk, one of the 24 curators with exposure to the RLP collateral market, had $222k at risk across its USDC Yield vaults on Ethereum and Arbitrum.

kpk's monitoring systems flagged the RLP price drop within minutes of the first unauthorized mint (tx), before the attacker even executed the second transaction. The team opened a war room and coordinated with Morpho and its curator ecosystem to contain the situation. The market allocation cap for RLP was set to zero and pre-positioned for exit in the withdrawal queue, while the vault continued to meet withdrawal requests throughout.

But the critical decisions had already been made long before the incident. Each market in kpk's vaults operates under per-market allocation limits, set when the market is first enabled. These limits define the maximum exposure regardless of yield. For RLP, the effective allocation at the time was 3.85% of vault TVL. The loss ceiling was defined at inception, not after the exploit was detected. (Kpk risk framework).

Less than 24 hours after the exploit, a borrower repaid his RLP debt position, increasing the available liquidity in the market. kpk's vault recovered the full $221k automatically, in the same block as the repayment (tx). No manual trigger. The withdrawal queue cascaded through the market, found available liquidity, and pulled the position. kpk was the first - and so far only - curator to exit the affected market.

One reason kpk could exit cleanly: its vaults don't use Morpho's Public Allocator. All rebalancing runs through in-house automations operating within the vault's risk framework, which meant the team had full control over the exit path.

On Arbitrum, kpk's treasury closed the remaining ~$1.1k exposure by depositing directly into the RLP/USDC market and withdrawing the equivalent from the vault, cascading through the same withdrawal queue mechanism (batch tx).

A month before the exploit, DL Research published a comprehensive report on kpk's curation infrastructure titled "Curation as an Infrastructure Layer." The report examined how kpk structures vault governance, automation, and risk controls, and specifically assessed how the architecture would perform under stress. The Resolv incident is the live version of the scenario the report described.

Report here:

Surviving a live exploit without losses is not the end of the story. kpk has been building automated risk response systems since its first vault deployment. This incident provided real data to further strengthen and refine those systems. The monitoring and detection worked. The risk boundaries held. The recovery was automatic. The goal is to make the entire response loop even faster and more resilient, from detection to exit.

The future of vault curation is not only about assessing risk. It is about reacting to risk. Building systems that detect, contain and recover automatically, within the bounds of a risk framework that was already set before anything went wrong. That is the standard kpk is building toward, and the Resolv exploit is proof that the foundation holds.