The single most expensive fact of the last synthetic-dollar cycle is a small one. On March 22, 2026, one compromised off-chain key minted roughly 80 million dollars of unbacked USR against about a hundred thousand dollars of real collateral. It was not a clever contract exploit. The Solidity was fine. One key that should not have been able to do that, could.
That is the fact that should reframe how a holder does diligence. The question is not "is this protocol audited." An audit would not have stopped a stolen key. The question is narrower and more uncomfortable: how many keys does this issuer hold that can move or mint the money, and what, precisely, can each one do if it is lost. Most issuers never answer it in public. We decided to answer it about ourselves, in a table anyone can check against the chain. This is that self-audit. We walked Resolv's mechanism in full in a separate teardown; this post turns the same lens on our own key surface and does not repeat the forensics.
The Resolv fact, in one paragraph
By Resolv's own post-mortem and the public analyses from Halborn and QuillAudits, an attacker obtained the single off-chain signing key that gated USR minting, a role that lived in a cloud key store rather than in cold multisig hardware, deposited on the order of a hundred thousand dollars of USDC, and then signed instructions minting about 80 million USR, orders of magnitude past the deposit. Roughly 24 to 25 million dollars was extracted before the team could pause, and USR fell from a dollar to around two and a half cents before a partial recovery. Three properties combined to make it possible: the mint amount was set by the off-chain caller rather than derived from on-chain state, there was no per-call or per-day on-chain cap, and exactly one signature was required. Any one of those, alone, would have contained it. All three together made the whole collateral pool extractable by whoever held the one key.
First question: could one of our keys do that?
The exact Resolv vector, a single key gating an unbounded mint, is the first thing we checked on ourselves, and it is structurally closed on kUSD. Not because we manage keys better than Resolv did, which is a claim nobody should trust, but because the mint path is built so that no single key can reach it.
The authority that administers kUSD's mint path is a two-of-three Gnosis Safe multisig, not a single key. The privilege that actually mints, MINTER_ROLE, is held only by on-chain contracts, the vault and the Peg Stability Module, never by an off-chain signer. And the amount minted is derived from the contract's own USDC balance at a fixed fee, not from a number a caller hands it. There is no SERVICE_ROLE equivalent to steal, because there is no off-chain caller in the mint at all. You do not have to take our word for any of that; it is three cast calls against Base, walked command by command in the mint-path teardown and asserted continuously at /api/risk-status. So the specific thing that drained Resolv, one key to an unbounded mint, is a thing a kUSD holder can rule out from the chain in about two minutes.
That is the easy half of a self-audit, and if we stopped there we would be doing the thing this post is supposed to be against. A real key audit does not stop at the mint key. It lists every privileged key, including the ones that are still single-signer, and says what each can do. So here is the whole table.
Every privileged key kUSD has, and what each can do
Four privileged surfaces control the protocol. Two are already behind the multisig or behind contracts. Two are still single keys, and we say so plainly, because the point of a self-audit is the entries you would rather not print.
- The mint administrator, a 2-of-3 Safe. It can grant or revoke roles and flip the mint kill switch. It cannot act on one signature, and it cannot itself mint. This is the key class Resolv's failure was about, and on kUSD it is already a multisig, at 0x52d3E450bA6c299B1B07298F1E87DD74732D4877.
- The minter, which is not a key at all. MINTER_ROLE is held only by two on-chain contracts, the vault and the PSM. They mint an amount derived from the contract's own USDC balance. There is no off-chain minter key to compromise. This is the entry that makes the Resolv vector unreachable.
- The reserve-attestation signer, a single key. Disclosed. One EIP-191 key signs the hourly Proof of Reserves, which includes the off-chain Hyperliquid hedge figure and the freshness timestamp. Here is the exact blast radius if it leaked: an attacker could publish a false or stale attestation. It could not mint kUSD, move collateral, or touch redemptions, and it could not fake the on-chain reserve figure, because a holder re-derives that part directly from Base and would see the signed claim diverge from the chain. It is a key that can lie, not a key that can steal, and the on-chain half is exactly the half you do not have to trust it for.
- The strategist role on the adapters, a single key. Disclosed. STRATEGIST_ROLE directs allocation among the strategy adapters. It is a separate role from both the minter and the administrator, so it cannot mint kUSD and it cannot change who can. Its worst case is misdirecting allocation among the strategy legs, not minting an unbacked dollar; it is the largest of our remaining single-signer surfaces, it is named in our own open-findings list, and folding it under the multisig is on the remediation queue.
That is the honest shape of it. The one key class that ends protocols, an off-chain key that can mint supply, we do not have. The single keys we do still hold can lie about reserves or misdirect within a fixed set of strategy legs, both bounded, both disclosed, neither able to mint an unbacked dollar or empty the collateral in a single run.
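The key-count question behind both the Resolv paragraph and the table above can be written as a small model. This is an added example, not Kerne's or Resolv's code: it assumes OpenZeppelin-style role administration in which DEFAULT_ADMIN_ROLE can grant the other on-chain roles, and POR_SIGNER, the principal names and the strategist admin edge are hypothetical labels constructed from the table.

```python
import math

def keys_for(principal):
    """Keys an attacker must steal to act as this principal."""
    if principal["kind"] == "eoa":
        return 1
    if principal["kind"] == "multisig":
        return principal["threshold"]
    return math.inf  # a contract has no private key to steal

def min_keys(surface, role, seen=frozenset()):
    """Fewest stolen keys that let an attacker exercise `role`: either act as a
    holder, or control the role's admin and grant the role to themselves."""
    if role in seen:                      # DEFAULT_ADMIN_ROLE administers itself
        return math.inf
    spec = surface["roles"][role]
    direct = min((keys_for(surface["principals"][h]) for h in spec["holders"]),
                 default=math.inf)
    admin = spec.get("admin")
    via_admin = min_keys(surface, admin, seen | {role}) if admin else math.inf
    return min(direct, via_admin)

def audit(surface):
    return {role: min_keys(surface, role) for role in surface["roles"]}

# Constructed from the page's table; the admin edges are assumptions.
KUSD = {
    "principals": {
        "safe": {"kind": "multisig", "threshold": 2},   # 2-of-3
        "vault": {"kind": "contract"},
        "psm": {"kind": "contract"},
        "attestor_key": {"kind": "eoa"},
        "strategist_key": {"kind": "eoa"},
    },
    "roles": {
        "DEFAULT_ADMIN_ROLE": {"holders": ["safe"], "admin": "DEFAULT_ADMIN_ROLE"},
        "MINTER_ROLE": {"holders": ["vault", "psm"], "admin": "DEFAULT_ADMIN_ROLE"},
        "STRATEGIST_ROLE": {"holders": ["strategist_key"], "admin": "DEFAULT_ADMIN_ROLE"},
        "POR_SIGNER": {"holders": ["attestor_key"]},    # off-chain, no on-chain admin
    },
}
# The single-signer mint gate described in the Resolv paragraph.
SINGLE_KEY_MINT = {
    "principals": {"service_key": {"kind": "eoa"}},
    "roles": {"SERVICE_ROLE": {"holders": ["service_key"]}},
}

if __name__ == "__main__":
    for name, surface in (("kUSD", KUSD), ("single-key mint", SINGLE_KEY_MINT)):
        for role, n in audit(surface).items():
            print(f"{name:16s} {role:20s} keys to compromise: {n}")
```

The model reports MINTER_ROLE at two keys rather than none: contracts hold the role, but under the assumed admin edge the Safe's threshold is what stands between an attacker and a newly granted minter.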
Check the table yourself
None of the above is a claim you have to accept. The parts that live on-chain resolve to reads anyone can run against Base:
- That the mint privilege is contracts-only and admin is the Safe. The three cast commands in the mint-path teardown confirm MINTER_ROLE sits on the PSM contract and DEFAULT_ADMIN_ROLE sits on the 2-of-3 Safe.
- That every wired threshold is holding right now. /api/risk-status reports each risk value against its on-chain source, rendered for humans at /risk, and an hourly CI job fails if any role flips.
- That the reserve figure is real, not just signed. /verify recovers the signer of the attestation and rehashes it in your browser, and the on-chain reserve leg is independently readable at /api/por, so the signer key is checked against the chain rather than trusted.
The single keys that remain, the attestation signer and the strategist role, are the two entries you cannot fully rule out from the chain today. That is exactly why we list them here rather than leave you to find them.
And here is how we route to a Safe
A self-audit that ended on "we have two single keys, good luck" would be worse than no self-audit. So the close is the plan, stated as a direction we are committed to and you can hold us to, not as a finished job. The mint administrator is already a 2-of-3 Safe; that is the surface that matters most and it is done. The two remaining single-signer keys are named on our open-gaps page at /legible and are on the same remediation queue: the strategist role moves under the multisig with a signing threshold, and the reserve-attestation leg moves toward a hardware-backed signer and an independent third-party attestation, which is being scoped. We would rather you read that on a calm day than reconstruct it on a bad one. That is the whole difference this post is arguing for: not that Kerne has no keys worth worrying about, but that we published the list before anyone had to ask, and told you which ones are already contained and which ones we are still routing to the Safe.
If you hold or lend against someone else's synthetic dollar and want this same key-surface question answered about them, that is what an independent counterparty read is for: a signed, point-in-time read of a counterparty's public on-chain authority surface, a proof you hold rather than a dashboard you trust.
Figures are as of June 30, 2026 and nothing here is investment advice. The Resolv exploit facts, roughly 80 million USR minted from about a hundred thousand dollars of deposits via a single compromised off-chain signing key, about 24 to 25 million dollars extracted, and a USR low near two and a half cents on March 22, 2026, are drawn from Resolv's own post-mortem and the analyses by Halborn and QuillAudits; where they differ, this piece uses hedged figures, and the step-by-step mechanism is in our mint-path teardown. Kerne's own claims resolve to live surfaces: the mint roles and admin on Base, the continuously asserted thresholds at /api/risk-status, the hourly signed Proof of Reserves at /api/por/signed and its on-chain leg at /api/por, and our full open-gaps list at /legible. A /verify pass proves an attestation is authentic and fresh; it is not an audit and not a solvency opinion.