A regulated stablecoin issuer with Tether backing just lost control of its own minting keys. StablR’s EURR and USDR tokens broke their pegs on Ethereum on May 24 after an attacker seized minting authority and printed millions in unbacked supply.
The attack did not touch a single line of smart contract code. It was a governance failure, plain and simple.
Blockchain security firm Blockaid flagged the exploit live, posting a community alert that its detection system had caught an ongoing attack on StablR. Approximately $2.8M had been extracted at the time of the alert. Both EURR and USDR were already depegged.
One Key. Full Control.
The minting multisig protecting StablR’s token issuance ran on a 1-of-3 threshold. One compromised private key was all it took.
As Blockaid posted on X, the suspected root cause was a private key compromise of a single minting multisig owner. The attacker moved through the governance structure in four steps: added their own wallet as a signer, removed the two legitimate owners, then minted 8.35 million USDR and 4.5 million EURR. Combined face value: approximately $10.4 million. None of it had collateral behind it.
Thin liquidity on the DEXes limited what the attacker could actually realize. Swapping $10.4M in face value through shallow pools, they pulled out 1,115 ETH — roughly $2.8M in real terms, the exchange confirmed.
The impact on prices was immediate. USDR dropped from $1.00 to somewhere between $0.72 and $0.83. EURR fell from €1.00 to approximately €0.90-€0.91, per on-chain data at the time of publication. Both tokens remained in heavy volatility with no freeze or compensation details announced.
The MiCA Problem No One Is Talking About
This is where StablR’s situation gets unusual. The project is Malta-regulated, holds an Electronic Money Institution license, and operates under the EU’s Markets in Crypto-Assets framework. It claims 1:1 fiat backing with reserves held at segregated accounts in institutional-grade custodians.
Tether invested in StablR in late 2024 to push stablecoin adoption across Europe.
None of that prevented a 1-of-3 multisig from controlling the entire minting function. A European retail holder of EURR, someone who chose the token specifically because it carried regulatory credibility, woke up to a 10%+ depeg with no freeze mechanism triggered and no compensation pathway announced.
As coinminutes_en posted on X, this was a classic admin key compromise — not a novel attack vector. The attacker used a setup that was, by the account’s summary, far too weak for a stablecoin handling millions.
StablR Acknowledges the Breach
StablR’s official account posted on X confirming an identified exploit was underway.
“We have identified an exploit affecting StablR and are actively working to contain it and minimize impact. Protecting our users and your funds is our top priority. We’ll share verified details and next steps as soon as possible.”
No timeline was given. The attacker had already withdrawn the ETH by the time that statement went out.
Blockaid was clear about the classification: this was not a smart contract bug. It was a key management and governance failure. The minting threshold was misconfigured from the start.
May 2025 has already logged over a dozen major DeFi exploits, per DeFiLlama data. A similar breach hit Resolv earlier in the year using near-identical mechanics, where a single insufficiently protected key enabled minting at scale. StablR follows that same pattern.
The question for holders now is whether MiCA licensing and proof-of-reserves reporting carry any operational weight when the keys controlling supply are this exposed. That answer has not come yet.
