StablR Exploit: EURR and USDR Depeg After 1-of-3 Minting Multisig Key Compromise
StablR's EURR and USDR stablecoins lost their pegs after an attacker used a compromised owner key in a 1-of-3 minting multisig to seize control, mint 8.35M USDR and 4.5M EURR, and extract roughly 1,115 ETH from thin DEX liquidity.

- Incident Date: May 24, 2026
- Target: StablR Euro (EURR) and StablR USD (USDR) minting administration on Ethereum
- Target Overview: StablR is a European stablecoin issuer for EURR and USDR. Public reporting describes the affected surface as the Ethereum minting multisig and token-issuance control path, not a token accounting bug in the stablecoin contracts themselves.
- Affected Tokens: StablR Euro (EURR) at 0x50753cfaf86c094925bf976f218d043f8791e408; StablR USD (USDR) at 0x7b43e3875440b44613dc3bc08e7763e6da63c8f8
- Total Loss: Approximately 1,115 ETH, publicly estimated around $2.8 million; unauthorized mint face value was reported as about 8.35M USDR plus 4.5M EURR, or roughly $10.4 million at peg
- Recovery Status: No public recovery, reimbursement plan, or final technical post-mortem had been identified in the reviewed sources.
- Attack Vector: Private Key Compromise / 1-of-3 Multisig Control Failure / Unauthorized Stablecoin Mint / DEX Liquidity Dump / Stablecoin Depeg
Incident Review & Technical Details
1. Attack Path
- Minting Authority Relied on a 1-of-3 Multisig: Public reporting from Blockaid, GoPlus, and media coverage described StablR's Ethereum minting multisig as requiring only one of three owners to approve administrative action.
- One Owner Key Was Compromised: The suspected root cause was a private-key compromise affecting one multisig owner. Because the threshold was one, that single key was enough to reach the contract's administrative control plane.
- Attacker Replaced the Governance Set: Reports said the attacker added their own address as an owner and removed the two legitimate signers. At that point, the attacker controlled the minting authority rather than merely holding one compromised signer slot.
- Unbacked Tokens Were Minted: The attacker minted approximately 8.35M USDR and 4.5M EURR, creating about $10.4 million in face value at the intended pegs.
- DEX Liquidity Became the Exit Route: The attacker sold the newly minted tokens through decentralized exchange liquidity. Because liquidity was shallow relative to the minted size, the realized proceeds were far below face value.
- Roughly 1,115 ETH Was Extracted: Public estimates converged around 1,115 ETH, or about $2.8 million, extracted through swaps.
- EURR and USDR Lost Their Pegs: The sudden sell pressure pushed both StablR stablecoins below their intended pegs, with public alerts and market coverage describing declines of roughly 20% or more during the incident window.
2. Impact Scope
- Direct Economic Impact: The realized attacker proceeds were reported at roughly $2.8 million, while the unbacked mint amount represented roughly $10.4 million in nominal stablecoin face value.
- Affected Assets: EURR and USDR on Ethereum were the directly affected assets in the reviewed public reporting.
- Market Impact: Both tokens depegged after the unauthorized mint and liquidation, creating immediate pricing, redemption, and liquidity-route uncertainty for holders and integrators.
- Affected Control Plane: The exposed component was the minting and owner-management authority around token issuance. Public sources repeatedly characterized the incident as a key-management and governance failure, not as a smart-contract arithmetic bug.
- Liquidity Constraint: Thin on-chain liquidity limited the attacker's realized return, but it did not prevent the peg break or the credibility shock to the issuer's mint controls.
- Disclosure Gap: As of the reviewed sources, StablR had not published a final code-level or operations-level post-mortem explaining how the key was compromised, when minting was paused, whether ownership was recovered, and how affected holders would be handled.
3. Root Cause Assessment
The StablR incident shows how a stablecoin can fail at the administrative layer even when the token contract's basic transfer and accounting code behaves as designed. If the minting authority can be captured by one compromised key, the reserve model is only as strong as that single key's operational security.
Key risk patterns to examine:
- Threshold Was Too Low for Mint Authority: A 1-of-3 multisig is structurally weak for a stablecoin mint role because it turns one signer compromise into full issuance control.
- Owner Rotation Became an Escalation Step: The attacker reportedly used the compromised authority to replace legitimate owners, converting a partial key compromise into durable administrative capture.
- Minting Was Not Sufficiently Rate-Limited: The ability to mint millions of tokens in one incident window suggests missing or insufficient caps, timelocks, emergency delays, or independent approval checks for large issuance.
- Liquidity Did Not Equal Solvency Protection: Shallow pools reduced the attacker's payout, but they also transmitted the shock directly into market prices and produced the visible depeg.
- Operational Security Was Part of the Protocol Boundary: For issuer-controlled stablecoins, key custody, signer distribution, HSM or hardware-wallet use, access reviews, and emergency runbooks are core protocol security controls.
- Reserve Claims Need Mint-Control Enforcement: A stablecoin can be fully reserved in normal operations and still become undercollateralized in market perception if an attacker can create unbacked supply.
The core invariant should have been strict: no single compromised signer may be able to add owners, remove owners, mint material supply, or alter issuance controls without a higher threshold, delay, monitoring window, and independent emergency response path.
4. Mitigation and Response
Recommended actions for StablR-style issuers, stablecoin operators, and protocols integrating issuer-controlled assets:
- Raise minting and owner-management thresholds to at least 2-of-3, and preferably a larger quorum such as 3-of-5 or 4-of-7 for production mint roles.
- Separate signer custody across independent people, devices, locations, and operational domains.
- Use hardware-backed signing, HSMs, transaction simulation, and explicit policy engines for mint, owner-change, and role-grant transactions.
- Put large mints, owner changes, threshold changes, and privileged upgrades behind timelocks with automated public alerts.
- Add per-transaction and per-time-window mint limits, with separate emergency ceilings for abnormal market conditions.
- Require independent confirmation for owner removal, threshold reduction, and mint-role reassignment.
- Deploy on-chain monitors that alert on signer-set changes, large mints, DEX liquidity shocks, bridge movements, and rapid peg deviations.
- Maintain a tested incident runbook for pausing minting, freezing compromised roles where legally and technically possible, notifying exchanges and integrators, and publishing holder guidance.
- For DeFi integrators, treat centralized mint authority and low-threshold multisigs as oracle-like dependencies; cap exposure, monitor admin events, and add circuit breakers for depeg or abnormal minting.
- Publish a final post-mortem with the compromised role, timeline, administrative transactions, minted amounts, swapped assets, recovery status, remediation steps, and future mint-governance controls.
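As an added example that is not part of this write-up or of StablR's own tooling, the following Python monitor replays multisig admin events and mint events and raises the alerts the root-cause and mitigation sections call for: signer-set capture, a threshold below policy, oversized single mints, and excessive issuance within a rolling window. The event names, trusted owner addresses, caps, and the sample event sequence are constructed assumptions, not on-chain data.

```python
from collections import deque

# Constructed policy values for illustration; they are not StablR's real settings.
TRUSTED_OWNERS = {"0xOwnerA", "0xOwnerB", "0xOwnerC"}  # hypothetical legitimate signers
MIN_THRESHOLD = 2                # alert on any 1-of-N configuration
MAX_MINT_PER_TX = 1_000_000      # whole tokens allowed in a single mint
MAX_MINT_PER_WINDOW = 2_000_000  # whole tokens allowed per rolling window
WINDOW_SECONDS = 24 * 3600

class MintMonitor:
    # Replays multisig admin and mint events; alerts on the patterns from this incident.
    def __init__(self, owners):
        self.owners = set(owners)
        self.recent, self.window_total = deque(), 0  # (ts, amount) of mints in window

    def process(self, ts, name, arg):
        alerts = []
        if name == "AddedOwner":
            self.owners.add(arg)
            if arg not in TRUSTED_OWNERS:
                alerts.append(f"untrusted owner added: {arg}")
        elif name == "RemovedOwner":
            self.owners.discard(arg)
            if arg in TRUSTED_OWNERS:
                alerts.append(f"trusted owner removed: {arg}")
            if not self.owners & TRUSTED_OWNERS:
                alerts.append("signer set captured: no trusted owner remains")
        elif name == "ChangedThreshold" and arg < MIN_THRESHOLD:
            alerts.append(f"threshold {arg} below policy minimum {MIN_THRESHOLD}")
        elif name == "Mint":
            if arg > MAX_MINT_PER_TX:
                alerts.append(f"single mint {arg} exceeds per-tx cap")
            while self.recent and self.recent[0][0] <= ts - WINDOW_SECONDS:
                self.window_total -= self.recent.popleft()[1]  # expire old mints
            self.recent.append((ts, arg))
            self.window_total += arg
            if self.window_total > MAX_MINT_PER_WINDOW:
                alerts.append(f"window total {self.window_total} exceeds rolling cap")
        return alerts

def replay(events, owners):
    mon = MintMonitor(owners)
    return [(ts, a) for ts, name, arg in events for a in mon.process(ts, name, arg)]

# Constructed event sequence mirroring the reported attack path (not on-chain data).
SAMPLE_EVENTS = [
    (990, "ChangedThreshold", 1), (1000, "AddedOwner", "0xAttacker"),
    (1010, "RemovedOwner", "0xOwnerA"), (1020, "RemovedOwner", "0xOwnerB"),
    (1030, "RemovedOwner", "0xOwnerC"), (1100, "Mint", 8_350_000), (1200, "Mint", 4_500_000),
]
```

Running `replay(SAMPLE_EVENTS, TRUSTED_OWNERS)` fires on the threshold before any attack step, then on every owner change, and finally on both mints, so an operator would have had several alerting opportunities before the DEX dump.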
AUTOSEC.DEV Solution: Building a 360-Degree Defense
The StablR incident is a reminder that stablecoin security is not only about token code. Mint authority, signer operations, privileged role design, liquidity monitoring, and emergency response are all part of the security boundary.
- Privileged Role & Multisig Review: AUTOSEC.DEV reviews owner sets, quorum thresholds, signer distribution, timelocks, role-grant logic, threshold-change paths, and mint authority across stablecoin and RWA systems.
- Key Management & Governance Assessment: We evaluate signer custody, hardware-wallet policy, access segregation, operational approvals, admin transaction simulation, and emergency governance runbooks.
- Stablecoin Mint-Invariant Testing: We build tests and monitoring rules for unauthorized minting, owner-set capture, threshold reduction, supply anomalies, DEX liquidity stress, and redemption-risk scenarios.
- Incident Response (IR): AUTOSEC.DEV supports exploit reconstruction, admin-transaction tracing, emergency control validation, exchange and integrator coordination, holder-impact scoping, and post-incident hardening.
Service Content
- AUTOSEC.DEV - Secure Code Review
- AUTOSEC.DEV - Penetration Testing
- AUTOSEC.DEV - Incident Response Service