StablR Exploit Drains $2.8M, Malta Issuer Says EURR and USDR Depeg

StablR, a Malta-based stablecoin issuer, said it identified an exploit affecting StablR and was working to contain it after an attacker exploited a weak multisig configuration to mint millions of unbacked EURR and USDR tokens and dump them on decentralized exchange platforms.

“Malta-based stablecoin issuer StablR suffered a security incident on Sunday, after an attacker exploited a weak multisig configuration to mint millions of unbacked EURR and USDR tokens and dump them on decentralized exchange ( DEX) platforms”

Bitcoin News

Reuters’ figures cited losses of roughly $2.8 million in ETH extracted, while other reporting described a wider range of unbacked token issuance and depegs, including EURR dropping to $0.85 and USDR falling between $0.40 to $0.64 on May 24.

Bitcoin News

The DeFi-focused reporting tied the attack to a 1-of-3 multisig threshold that let an attacker hijack minting controls, and it said the attacker gained access to a single private key controlling the minting function.

Blockaid described the incident as a key management and governance failure rather than a smart contract bug, and it said the attacker removed legitimate signers, added a controlled address, and issued tokens without collateral backing.

StablR said in an X post at 8:10 a.m. ET on Sunday, “Security update: We have identified an exploit affecting StablR and are actively working to contain it and minimize impact.”

Blockaid’s automated detection system and on-chain monitoring accounts were cited as flagging the exploit, with Blockaid saying it identified an ongoing exploit on StablR Euro and that roughly $2.8M had been extracted so far.

The reporting described how the attacker added their own address as an authorized owner while simultaneously removing legitimate owners, then minted 8.35 million USDR and 4.5 million EURR.

Blockonomi

After minting, the attacker swapped the freshly minted tokens worth around $10.4 million on decentralized exchange platforms for just 1,115 ETH or around $2.8 million, with thin liquidity cited as the reason for the lower realized value.

ZachXBT posted that two contracts related to European stablecoin issuer StablR “appear to have been potentially exploited for ~$10M (EURR & USDR),” and he later said, “I have helped freeze 6 figures,” while the attack kept running.

TradingView’s coverage also quoted StablR’s X post at 12:10 p.m. UTC: “We have identified an exploit affecting StablR and are actively working to contain it and minimize impact.”

The depegs were reported as sharp and fast, with EURR falling from its $1.15 peg to $0.88 and USDR dropping to $0.70, and the same reporting said both tokens were still depegged as of press time.

“Table of Contents StablR, a regulated stablecoin issuer, fell victim to a major security breach on Sunday, with hackers draining approximately $2”

Blockonomi

The Blockonomi account said the extracted value was reported at roughly 1,115 ETH, equivalent to approximately $2.8 million, while other estimates put total unbacked token issuance at $10.4 million, reflecting different loss calculations.

The Defiant’s account said StablR had yet to announce a recovery plan or provide an updated assessment of total losses, and it said users holding EURR or USDR were advised to proceed with caution.

Clean Clothes Campaign’s spokesperson is not part of this crypto incident, but the crypto-specific reporting emphasized that the attack fit a pattern where administrative control rather than contract code is the point of failure, with Blockaid calling out the 1-of-3 threshold.

The incident also raised questions about regulatory oversight under MiCA, and the Bitcoin News account said the MiCA regulatory framework “does not appear to have required the operational controls that would have prevented this attack.”