Key Takeaways
- A single compromised multisig key allowed the attacker to mint 8.35M USDR and 4.5M EURR, crashing both stablecoins.
- EURR plunged 23% to $0.88, while USDR dropped 30% to $0.70, erasing millions in market cap within hours.
- The attacker swapped $10.4M worth of tokens for just 1,115 ETH ($2.8M) due to extremely thin liquidity on DEXs.
- Blockchain security firm Blockaid flagged the incident as a governance and key management failure, not a smart contract bug.
- This exploit adds to a growing wave of DeFi attacks in May, with over a dozen major incidents recorded.
What Happened
StablR’s euro and dollar stablecoins suffered a sharp depegging on Sunday after an attacker exploited a compromised private key. The breach targeted the minting multisignature account, which used a weak 1-of-3 threshold. The attacker gained control, added their own address, removed the other owners, and minted a combined 12.85 million tokens. EURR dropped to $0.88, losing 23% of its value, while USDR crashed 30% to $0.70. The rapid devaluation reflects the fragility of small-cap stablecoins when liquidity is scarce.
The Numbers
The attacker minted 8.35 million USDR and 4.5 million EURR, with a total notional value of roughly $10.4 million at peg. But due to extremely thin liquidity on decentralized exchanges, swapping the tokens yielded only 1,115 ETH, worth approximately $2.8 million. EURR’s market cap stands at $14 million, and USDR’s at $11 million—meaning the minted supply overwhelmed available liquidity. The price slippage highlights the risk of trading low-volume assets during a crisis.
Why It Happened
Security firm Blockaid attributed the exploit to a governance failure: a 1-of-3 multisig in which a signature from any single owner key was enough to authorize minting. This lax configuration gave the attacker total control once they obtained a single private key. Poor key management practices are an increasingly common vector in DeFi, with recent incidents at Volo Vault, Wasabi Perps, and Polymarket following similar patterns. StablR’s reliance on a minimal multisig overlooked the basic security principle of requiring multiple approvals for critical actions.
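The failure described above can be checked for both statically (the signer threshold) and at runtime (owner changes followed by a mint). The following is an added example, not code from StablR or Blockaid; the event names, placeholder addresses, and the two policy constants are assumptions made for illustration.

```python
from collections import namedtuple

MIN_THRESHOLD = 2      # assumed policy: no single key may authorize a mint
CHURN_WINDOW = 3600    # assumed: a mint this soon (seconds) after an owner change is suspect

# ts: unix seconds; kind: "owner_added" | "owner_removed" | "mint" (hypothetical names);
# value: owner address, or the minted amount for "mint"
Event = namedtuple("Event", "ts kind value")

def audit_config(owners, threshold):
    """Static check of the signer policy on a minting account."""
    findings = []
    if threshold < MIN_THRESHOLD:
        findings.append(f"{threshold}-of-{len(owners)}: one compromised key can act alone")
    if threshold > len(owners):
        findings.append(f"{threshold}-of-{len(owners)}: threshold can never be met")
    return findings

def detect_takeover(events, baseline_owners):
    """Replay events in time order and alert on mints that follow owner churn."""
    baseline = set(baseline_owners)
    owners, last_change, alerts = set(baseline), None, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "owner_added":
            owners.add(ev.value)
            last_change = ev.ts
        elif ev.kind == "owner_removed":
            owners.discard(ev.value)
            last_change = ev.ts
        elif ev.kind == "mint":
            known = owners & baseline   # approved owners still on the account
            if len(known) < MIN_THRESHOLD:
                alerts.append((ev.ts, f"mint of {ev.value} with only {len(known)} baseline owner(s) left"))
            elif last_change is not None and ev.ts - last_change <= CHURN_WINDOW:
                alerts.append((ev.ts, f"mint of {ev.value} within {ev.ts - last_change}s of an owner change"))
    return alerts

# Constructed sample data mirroring the sequence in the article (addresses are placeholders).
BASELINE = ["0xOwnerA", "0xOwnerB", "0xOwnerC"]
SAMPLE = [
    Event(1000, "owner_added", "0xAttacker"),
    Event(1060, "owner_removed", "0xOwnerB"),
    Event(1120, "owner_removed", "0xOwnerC"),
    Event(1300, "mint", "8350000 USDR"),
    Event(1360, "mint", "4500000 EURR"),
]

if __name__ == "__main__":
    print(audit_config(BASELINE, 1), detect_takeover(SAMPLE, BASELINE))
```

A legitimate signer rotation followed quickly by a mint also raises the second, lower-severity alert, which is the intended behaviour for a privileged minting account.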
Broader Impact
The incident undermines confidence in smaller, regulated stablecoins that market themselves as safe alternatives. Even with proof-of-reserves and institutional custody, a single governance flaw can trigger catastrophic loss. The attack also underscores the systemic risk of low-liquidity assets on DEXs, where even moderate sell pressure can cause severe dislocations. This may lead to renewed calls for stronger key management standards and mandatory multisig thresholds in stablecoin protocols.
What to Watch Next
- Monitor StablR’s official channels for a post-mortem and any recovery plan, including potential compensation for holders.
- Watch EURR and USDR prices for signs of stabilization or further panic selling as liquidity remains fragile.
- Track whether regulators or industry groups propose new security guidelines for multisig governance in DeFi.