Malta-based regulated stablecoin issuer StablR was hit by a serious exploit on May 24, 2026. An attacker compromised one private key from a weakly configured 1-of-3 multisig wallet, gained full minting control, and created $13.5 million worth of unbacked USDR and EURR stablecoins.
The attacker dumped most of the tokens on DEXs, triggering sharp depegs:
- USDR crashed from $1.00 to as low as $0.40
- EURR fell from €1.00 to as low as $0.85 (roughly 15-20% depeg)
- Attacker extracted approximately $2.8 million (around 1,115 ETH)
This case is significant because StablR is a MiCA-compliant Electronic Money Institution with claimed 1:1 fiat backing and connections to Tether and Kraken.
Detailed Technical Analysis:
The root cause was a combination of poor multisig design (threshold = 1) and a private key compromise. This was not a vulnerability in the token smart contracts but a total administrative takeover of the minting authority.
Multisig Configuration Details
- Multisig Contract Address: 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3
- Threshold: 1/3. This made the entire setup as secure as a single-signature wallet for critical actions.
- Compromised Owner: 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d (private key stolen)
Step-by-Step Attack Breakdown
Key Compromise & Initial Access
The attacker stole the private key of Owner 0xC73f…550d. Using this key, they immediately added their malicious address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 as a new owner of the multisig.
Full Ownership Takeover
The attacker then systematically removed legitimate owners:
- Replaced 0xD4b6543504Df90Faba649B80F8f669CafFe0aD40 with 0xbC631Daf86611f32FAA63E7EC8c9c9571F2F5BB3
- Replaced the original compromised owner 0xC73f…550d with 0x482aC1a69A41e7657DE6B420B7346FB09DA09115
Critical Ownership Change Transactions:
- Tx 1: 0x1f8a6764f66bb5a2438dc62f89bfe52080dbca782444c3757dbf1e1ce3a11bec
- Tx 2: 0xde5bc3b7b80576f894fbc7e2c8fea5f8829503bae75dcf30a27725cd95a05f16
After these changes, the attacker had 100% control over the multisig.
Unlimited Minting
Using the now-controlled multisig, the attacker called the mint function multiple times through address 0xD467…6CD1.
Minted Amounts:
- 8.35 million USDR
- 4.5 million EURR
Example Mint Transaction: 0xa720…24ed
Token Dumping & Profit Taking
The freshly minted tokens were swapped on DEXs (primarily Uniswap) for ETH. Because liquidity was low, the attacker sold at a heavy discount but still walked away with ~$2.8M.
Affected Contracts
- USDR Token: 0x7B43E3875440B44613DC3bC08E7763e6Da63C8f8
- EURR Token: 0x50753CfAf86c094925Bf976f218D043f8791e408
Both contracts were functioning normally. The exploit only abused the admin privileges.
Attacker Addresses (Tracked)
- Primary Attacker: 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1
- Secondary: 0x482aC1a69A41e7657DE6B420B7346FB09DA09115
- Tertiary: 0xbC631Daf86611f32FAA63E7EC8c9c9571F2F5BB3
Additional Insights & Impact Analysis
- Depeg Dynamics: The sudden supply increase without collateral caused immediate panic selling. Thin liquidity pools on DEXs amplified the price crash through high slippage.
- Regulatory Angle: Even though StablR is MiCA-licensed, this shows that regulatory compliance does not automatically protect against bad technical setups.
- Response: StablR and security teams (including ZachXBT) are actively tracking the funds. Some freezing actions may have been taken.
Key Technical Lessons & Recommendations
- Never use a 1-of-N multisig for high-privilege functions like stablecoin minting.
- Minimum standard: 2-of-3 or 3-of-5 with hardware wallets and geographic distribution.
- Use battle-tested solutions like Gnosis Safe with timelock modules and transaction delays.
- Implement role separation: minting, ownership changes, and pausing should have different controls.
- Monitor ownership events regularly and set up automated alerts for any multisig changes.
- Consider MPC wallets or institutional custody solutions for better security.
This exploit is a perfect example of how one weak link (a single private key + bad threshold) can compromise an entire stablecoin system, regardless of regulation.
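The monitoring recommendation above can be sketched as a small replay check. This is an added example, not code from StablR or from the original write-up. It assumes the wallet emits Safe-style `AddedOwner`, `RemovedOwner` and `ChangedThreshold` events (the write-up does not say which multisig implementation was used), and the owner labels, transaction ids and event stream are constructed placeholders.

```python
MIN_THRESHOLD = 2  # policy assumption, taken from the "2-of-3" minimum above

def replay(owners, threshold, events, min_threshold=MIN_THRESHOLD):
    """Replay owner-management events; return (alerts, final_owners, final_threshold)."""
    approved = frozenset(owners)   # owner set signed off by governance
    current = set(owners)
    alerts = []
    rogue_quorum_seen = False
    if threshold < min_threshold:
        alerts.append(("baseline", "WEAK_THRESHOLD", f"{threshold}-of-{len(current)}"))
    for ev in events:
        kind, tx, value = ev["event"], ev["tx"], ev["value"]
        if kind == "AddedOwner":
            current.add(value)
            if value not in approved:
                alerts.append((tx, "UNAPPROVED_OWNER_ADDED", value))
        elif kind == "RemovedOwner":
            current.discard(value)
            alerts.append((tx, "OWNER_REMOVED", value))
        elif kind == "ChangedThreshold":
            threshold = value
            if threshold < min_threshold:
                alerts.append((tx, "WEAK_THRESHOLD", f"{threshold}-of-{len(current)}"))
        # Can addresses outside the approved set authorise a transaction alone?
        rogue = current - approved
        if len(rogue) >= threshold and not rogue_quorum_seen:
            rogue_quorum_seen = True
            alerts.append((tx, "ROGUE_QUORUM", f"{len(rogue)} unapproved >= threshold {threshold}"))
    return alerts, current, threshold

# Constructed sample: a 1-of-3 wallet, one owner added, then two owners swapped
# (a swap appears as RemovedOwner followed by AddedOwner in the same tx).
BASELINE = {"owner_a", "owner_b", "owner_c"}
EVENTS = [
    {"tx": "tx1", "event": "AddedOwner", "value": "new_1"},
    {"tx": "tx2", "event": "RemovedOwner", "value": "owner_b"},
    {"tx": "tx2", "event": "AddedOwner", "value": "new_2"},
    {"tx": "tx3", "event": "RemovedOwner", "value": "owner_a"},
    {"tx": "tx3", "event": "AddedOwner", "value": "new_3"},
]

if __name__ == "__main__":
    for alert in replay(BASELINE, 1, EVENTS)[0]:
        print(*alert, sep=" | ")
```

With a threshold of 1 the baseline itself is flagged before any event arrives, and the very first unapproved owner already forms a quorum, which is the page-worthy alert for a wallet that controls minting.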













