On the morning of May 24, 2026, security firm Blockaid detected an active exploit targeting StablR. The attack knocked both stablecoins off their pegs: euro-backed EURR dropped 23%, and dollar-backed USDR fell 30%. StablR's official X account had not posted any statement at the time of writing.
From One Compromised Key to Full Minting Control
The attacker found a weak point in the access setup. StablR's minting multisig ran on a 1-of-3 threshold, meaning a single signer was enough to authorize any operation. Blockaid, which detected the exploit, confirmed that one of those three keys was compromised. The cause of the key loss has not been disclosed.
Once in, the attacker moved fast. They added themselves to the multisig owner list, removed the other two signers, and gained sole control over the minting mechanism. From there, 8.35 million USDR and 4.5 million EURR were minted, totaling roughly $10.4 million at market rates at the time of the attack.
Thin liquidity in DEX trading pools cut into the actual take: converting all the minted tokens at face value proved impossible. The attacker received 1,115 ETH and walked away with around $2.8 million, while more than $7 million stayed stuck in pools as devalued tokens. That limited the real outflow, though it provides little comfort to EURR and USDR holders.
EURR and USDR Prices After the Attack
EURR, the euro stablecoin with a $14 million market cap, traded around $1.15 before the attack, in line with the current EUR/USD rate. CoinGecko recorded a drop to $0.88 after the exploit, a fall of 23%. For a stablecoin, any deviation beyond 2-3% is a warning sign. A 23% move means the asset has effectively stopped functioning as a stable store of value and is trading like a regular risk token.
USDR performed even worse. The dollar stablecoin, with an $11 million market cap, fell to $0.70, down 30% from its peg. Anyone holding $10,000 in USDR saw the value drop to $7,000 with no action on their part.
By comparison, the UST collapse in 2022 was caused by a structural flaw in the algorithmic design. In StablR's case, the actual reserves stayed intact in segregated bank accounts. That leaves a theoretical path to restoring the peg if the team fixes access controls and announces a clear recovery plan. The market is waiting for that signal, and until it comes, selling pressure is unlikely to ease.
Key Management Failure, Not a Code Bug
Blockaid drew a clear line around the nature of the vulnerability.
"This is not a smart contract bug. It is a key management and governance failure."
- Blockaid, report from May 24, 2026
StablR's code has no known flaws. The problem is how the team configured administrative access. A 1-of-3 threshold is acceptable for low-stakes or test operations. For a protocol managing tens of millions of dollars, the standard calls for at least 3-of-5 or 4-of-7 signers. At that configuration, losing a single key gives an attacker no real leverage over minting.
The attacker also changed the signer list with no delay. Standard practice requires any change to the multisig configuration to pass through a 24-to-72-hour timelock. That window gives monitoring systems time to catch unusual activity and block a transaction before it executes. Public dashboards tracking multisig activity in real time are common in mature protocols. StablR had neither.
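As an added illustration, not code from the article or from StablR, the two checks a monitoring team would run against the setup described above, in Python: a review of threshold and timelock against the majority rule and the 24-hour floor, and a replay of owner-change events modeled on the signer swap. Addresses, block numbers and the event names are constructed placeholders.

```python
# Checks for the two weaknesses discussed above: a multisig threshold one key
# can satisfy, and signer changes that execute without a timelock. Constructed data.
from dataclasses import dataclass

MIN_TIMELOCK_HOURS = 24  # low end of the 24-to-72-hour window cited above

@dataclass
class MultisigConfig:
    owners: list
    threshold: int
    timelock_hours: int  # delay on owner/threshold changes; 0 = immediate

def min_safe_threshold(n_owners: int) -> int:
    """Strict majority of signers (3-of-5, 4-of-7): one lost key is not enough."""
    return n_owners // 2 + 1

def assess(cfg: MultisigConfig) -> list:
    """Return findings for a configuration; an empty list means nothing flagged."""
    n, findings = len(cfg.owners), []
    if cfg.threshold < 2:
        findings.append("a single signer can authorize any operation")
    if cfg.threshold < min_safe_threshold(n):
        findings.append(f"threshold {cfg.threshold}-of-{n} is below a majority")
    if cfg.timelock_hours < MIN_TIMELOCK_HOURS:
        findings.append("configuration changes execute without a timelock")
    return findings

@dataclass
class OwnerEvent:
    block: int
    kind: str  # "AddedOwner" or "RemovedOwner" (placeholder event names)
    owner: str

def detect_signer_takeover(events: list, original_owners: list) -> list:
    """Replay owner events; alert on unknown additions and at the point where
    the original signers no longer hold a majority of the owner set."""
    owners, originals, alerts = set(original_owners), set(original_owners), []
    majority_lost = False
    for ev in events:
        if ev.kind == "AddedOwner":
            owners.add(ev.owner)
            if ev.owner not in originals:
                alerts.append(f"block {ev.block}: unknown owner {ev.owner} added")
        elif ev.kind == "RemovedOwner":
            owners.discard(ev.owner)
        remaining = len(owners & originals)
        if not majority_lost and remaining < min_safe_threshold(len(owners)):
            majority_lost = True
            alerts.append(f"block {ev.block}: original signers now {remaining} of {len(owners)}")
    return alerts
```

Run against a 1-of-3 configuration with no timelock, `assess` returns three findings; against a 3-of-5 configuration with a 48-hour delay it returns none, and the replay raises its first alert on the very first unknown owner addition.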
May 2026: A Month of Private Key Attacks
StablR is not the only target this month. DeFiLlama counted more than a dozen major DeFi incidents in May. Among those hit by compromised keys:
- THORChain: a malicious node and a bug in the GG20 algorithm gave attackers access to protocol funds
- Polymarket: a wallet top-up exploit drained over $600K
- Echo Bridge and Wasabi Perps: compromised admin keys handed attackers administrative control
- Verus Bridge: the attacker returned $8.5M after a bounty offer
The pattern is the same across most of these cases: the smart contract code is correct. The way in is through the person or process holding a privileged key, not through the code itself. That shifts what due diligence needs to cover. Reviewing a code audit is now table stakes. Finding out who holds the signing keys, under what threshold, and with what delay on critical operations is far harder. Most projects do not disclose this publicly.
Regulated Does Not Mean Protected
StablR positioned itself as a regulated euro stablecoin issuer. Reserves were held in segregated accounts at top-tier banks, with proof-of-reserves confirming transparency. Tether, the world's largest issuer of USDT, invested in StablR in December 2024. That deal raised market confidence in EURR and USDR and brought in institutional buyers.
This exploit shows the gap between regulatory compliance and actual operational security. MiCA sets standards for reserves, reporting, and licensing. It does not specify a multisig threshold or require timelocks on administrative operations. That gap is now public knowledge, thanks to the StablR attack.
For holders of euro stablecoins, the practical takeaway is clear: a regulated status and solid code are necessary but not sufficient. The governance access architecture matters just as much. Who are the signers? How many are required? Is there a timelock on critical operations? If a project does not publish that information, the risk is real regardless of any license it holds.