StablR Stablecoins Depeg After $2.8M Exploit on Ethereum
StablR Stablecoins Depeg After $2.8 Million Exploit – Private Key Compromise Exposes Governance Weakness
Key Takeaways
- StablR’s EURR and USDR stablecoins lost their pegs on Ethereum on May 24 following an exploit of the project’s minting contract.
- Blockchain security firm Blockaid reported that around $2.8 million was extracted.
- The breach was attributed to a compromised private key, not a smart contract vulnerability.
- The attacker minted 8.35 million USDR and 4.5 million EURR before swapping part of the supply into decentralized exchange liquidity pools.
- StablR operates under an Electronic Money Institution license in Malta and within the EU’s Markets in Crypto-Assets Regulation framework.
Minting Contract Exploit Triggers Depegging on Ethereum
On May 24, StablR’s Euro stablecoin EURR and its US dollar counterpart USDR lost their pegs on the Ethereum network after an attacker gained control over the project’s minting contract. According to blockchain security firm Blockaid, the exploit was ongoing at the time of its alert and had resulted in approximately $2.8 million being extracted.
Both tokens deviated from their intended 1:1 value. EURR dropped by roughly 20 percent on tracked Ethereum liquidity pools, while USDR also fell below its dollar peg as selling pressure increased. The depegging occurred after newly minted tokens were introduced into decentralized exchange pools and swapped against available liquidity.
For users holding EURR or USDR on Ethereum, the loss of the peg meant that the tokens temporarily traded below their stated fiat value, affecting redemptions and on chain swaps.
Private Key Compromise, Not Smart Contract Bug
Blockaid stated that the incident did not stem from a flaw in StablR’s smart contract code. Instead, it attributed the breach to a private key compromise tied to the minting multisignature wallet.
The multisig governing token issuance required only one out of three authorized signatures to execute transactions. This 1 of 3 threshold allowed a single compromised key to take full control of the minting contract. After obtaining control, the attacker added their own address as an owner and removed the two legitimate signers.
With exclusive control established, the attacker minted 8.35 million USDR and 4.5 million EURR. At their intended peg values, the combined face value of these newly created tokens amounted to approximately $10.4 million.
Blockaid described the incident as a failure in key management and governance rather than a technical vulnerability in the contract logic itself. The distinction is relevant for users assessing operational risk, as it separates code level flaws from access control and administrative security weaknesses.
Liquidity Constraints Limit Extracted Value
Although the attacker minted tokens with a nominal value exceeding $10 million, decentralized exchange liquidity significantly limited the realized gains. The available liquidity in EURR and USDR pools on Ethereum was relatively thin.
When the attacker attempted to swap the newly minted tokens into existing pools, the large sell orders moved the market sharply. According to Blockaid, converting the supply into available liquidity yielded approximately 1,115 ETH, equivalent to about $2.8 million at the time.
This dynamic illustrates how limited on chain liquidity can both amplify price volatility and restrict the amount an attacker can extract. The immediate influx of unbacked tokens into shallow pools accelerated the loss of the peg for both stablecoins.
Parallels to Previous Stablecoin Governance Incidents
The StablR incident follows a pattern seen in earlier stablecoin exploits where unauthorized minting led to rapid depegging. The mechanics resemble a separate breach involving the Resolv stablecoin earlier in 2026. In that case, a single insufficiently protected key also enabled large scale minting.
More broadly, the event fits into a wider trend of decentralized finance exploits linked to private key compromises. Such incidents have contributed to record levels of crypto related theft in recent years. In these cases, governance structures and key management procedures become central points of failure rather than the underlying smart contract code.
For users and platforms integrating stablecoins into payment flows, including crypto betting or iGaming services, governance design and custody practices can directly affect token stability during stress events.
Regulatory Status and Corporate Background
StablR holds an Electronic Money Institution license issued by Malta’s financial regulator. The company operates within the framework of the European Union’s Markets in Crypto-Assets Regulation, known as MiCA.
In late 2024, StablR received a strategic investment from Tether. As of the time of the exploit, it had not been disclosed how these regulatory and financial relationships would factor into any response or recovery measures.
The presence of an EMI license and operation under MiCA means StablR functions within a defined regulatory perimeter in the European Union. However, the exploit itself centered on technical governance controls rather than disclosed issues with regulatory compliance.
Our Assessment
The depegging of EURR and USDR on May 24 resulted from a private key compromise that allowed unauthorized minting through a 1 of 3 multisignature setup. Approximately $2.8 million was extracted after newly created tokens were swapped into limited decentralized exchange liquidity.
The incident highlights the role of key management and governance thresholds in stablecoin security. It also demonstrates how thin on chain liquidity can accelerate depegging while capping the financial outcome of an exploit. StablR’s regulatory status in Malta and its operation under MiCA remain part of the broader corporate context, but the breach itself was attributed to access control failure rather than a smart contract flaw.
