StablR EURR Depegs to $0.85 After Multisig Key Breach

Malta-based stablecoin issuer StablR experienced a security incident on Sunday, May 24, after an attacker obtained control of a single private key tied to a 1-of-3 multisig wallet used for token issuance. The attacker minted unbacked EURR and USDR tokens and moved funds from the protocol, extracting roughly 1,115 ETH, about $2.8 million.

On-chain analysts estimated the attacker created about 4.5 million EURR and 8.35 million USDR before selling the tokens on decentralized exchanges with thin liquidity. The face value of unbacked tokens that reached secondary markets may have totaled as much as $10.4 million, though the on-chain ETH withdrawn is reported at about 1,115 ETH.

Reports indicate the incident was not caused by a smart contract flaw. With control of the private key that governed the multisig, the attacker allegedly removed legitimate signers, added an address they control and executed minting operations without collateral backing. The newly minted tokens were sold into DEX trading pairs, creating heavy selling pressure on both pegs.

EURR fell to $0.85, down roughly 24% from parity. USDR traded as low as $0.40 intraday and was around $0.64 later in the day. Both tokens weakened against the U.S. dollar, bitcoin and ethereum. Major dollar stablecoins such as USDT and USDC were not affected and the wider stablecoin market showed limited contagion.

StablR posted on X at 8:10 a.m. ET: “Security update: We have identified an exploit affecting StablR and are actively working to contain it and minimize impact. Protecting our users and your funds is our top priority. We’ll share verified details and next steps as soon as possible.” Security firm Blockaid called the event a “key management and governance failure.” A user on X noted that EURR issuance used a 1-of-3 multisig implementation rather than a different multisig standard and said the attacker replaced signers before minting and transferring tokens. The user also referenced StablR’s prior statements that it uses a tokenization platform for EURR issuance.

StablR markets EURR as a euro‑pegged stablecoin and USDR as a dollar‑pegged token and presents both as regulated under the EU Markets in Crypto‑Assets (MiCA) framework with proof-of-reserves disclosures. Observers pointed out MiCA did not appear to require specific operational controls such as higher multisig thresholds, time-locks on minting, rate limits or automated anomaly detection.

Community loss estimates ranged from the value of withdrawn ETH to the larger face value of tokens sold on secondary markets. StablR had not published a technical postmortem or a recovery timeline in its initial statement. Holders of EURR and USDR are advised to monitor StablR’s official channels for any updates on burns of unbacked supply, reserve replenishment or compensation measures.