by Coinstrooper Crypto Articles
Quick Take
  • The minting multisig governing StablR’s token issuance required just one of three authorized signatures to act.
  • That 1-of-3 threshold meant a single compromised key was enough to seize full control of the contract.
  • The attacker added their own address as an owner and removed the two legitimate signers.
  • They then minted 8.35 million USDR and 4.5 million EURR, a combined face value of roughly $10.4 million at peg.

What Happened

StablR’s Euro (EURR) and StablR USD (USDR) stablecoins lost their pegs on Ethereum on May 24 after an exploit on the project’s minting contract allowed an attacker to extract roughly $2.8 million.

More broadly, it follows a persistent wave of private key DeFi exploits that have contributed to record crypto theft figures in recent years.

A similar Resolv stablecoin breach earlier in 2026 used near-identical mechanics, where a single insufficiently protected key enabled minting at scale.

It received a strategic investment from Tether in late 2024. How those regulatory and financial ties factor into any recovery response has not yet been disclosed.

The post StablR Stablecoins Depeg After $2.8 Million Exploit appeared first on BeInCrypto.

Market Context

Thin liquidity on decentralized exchanges (DEX) sharply limited the attacker’s return.

EURR fell roughly 20% on tracked Ethereum liquidity and USDR also lost its dollar peg as sell pressure overwhelmed available pools.

StablR holds an Electronic Money Institution (EMI) license from Malta’s financial regulator. The company operates under the EU’s Markets in Crypto-Assets Regulation (MiCA).

Why It Matters

Blockchain security firm Blockaid flagged the ongoing attack and attributed the breach to a private key compromise rather than any flaw in StablR’s smart contracts.

How the Attacker Seized Control Of StablR

Details

The minting multisig governing StablR’s token issuance required just one of three authorized signatures to act. That 1-of-3 threshold meant a single compromised key was enough to seize full control of the contract.

The attacker added their own address as an owner and removed the two legitimate signers. They then minted 8.35 million USDR and 4.5 million EURR, a combined face value of roughly $10.4 million at peg.

Blockaid outlined the sequence in a follow-up post on X:

“This is not a smart contract bug – it’s a key management and governance failure.”

Swapping $10.4 million in freshly minted tokens into shallow pools yielded only about 1,115 ETH, worth roughly $2.8 million.

A Recurring Governance Blind Spot

The episode mirrors past stablecoin attacks where unauthorized minting triggered rapid depegs.