Key Takeaways
- StablR’s EURR and USDR stablecoins depegged after a $2.8 million exploit on May 24
- A compromised multisig key let the attacker mint over $10.4 million in new tokens
- StablR holds a MiCA license and an EMI license from Malta; regulation did not prevent the exploit
StablR is not a DeFi wild west project. It holds an Electronic Money Institution license from Malta’s financial regulator. It operates under the EU’s Markets in Crypto-Assets Regulation. It received a strategic investment from Tether in late 2024.
It was also protected by a 1-of-3 multisig where a single compromised key handed the attacker full control of the minting contract.
One key. That is all it took.
🚨Community Alert
Blockaid’s exploit detection system has identified an ongoing exploit on @StablREuro. ~$2.8M extracted so far.
Both tokens are depegged: 0x50753cfaf86c094925bf976f218d043f8791e408 (StablR Euro) and 0x7b43e3875440b44613dc3bc08e7763e6da63c8f8 (StablR USD) on…
— Blockaid (@blockaid_) May 24, 2026
What Happened
Blockchain security firm Blockaid flagged an ongoing exploit on StablR early Saturday morning. The attacker had compromised one of three authorized keys on the minting multisig governing StablR’s token issuance on Ethereum.
With that single key, the attacker added their own address as an owner, removed the two legitimate signers, and gained full unilateral control of the minting contract. They then minted 8.35 million USDR and 4.5 million EURR, a combined face value of roughly $10.4 million at peg.
Both tokens lost their pegs immediately. EURR fell roughly 20% on tracked Ethereum liquidity. USDR also lost its dollar peg as sell pressure overwhelmed available pools.

EURR drops 24.9% from $1.15 to $0.8694 in minutes after the attacker minted 4.5 million tokens through a compromised multisig key. Note the GoPlus proxy contract warning visible on CoinGecko. Source: CoinGecko
The attacker’s actual haul was limited by thin liquidity on decentralized exchanges. Swapping $10.4 million in freshly minted tokens into shallow pools yielded only about 1,115 ETH, worth roughly $2.8 million. Blockaid was direct about the cause: “This is not a smart contract bug. It is a key management and governance failure.”
The 1-of-3 Problem
This is the detail that matters. A 1-of-3 multisig means any single one of three authorized parties can act alone. The threshold is so low that compromising one key is equivalent to compromising the entire system. There is no redundancy. There is no check. One bad actor, one phishing email, one leaked private key, and full minting authority transfers instantly.
For a protocol issuing regulated stablecoins under MiCA, with an EMI license from Malta’s financial regulator and a Tether strategic investment on the balance sheet, choosing a 1-of-3 multisig is a governance decision that a first-year developer would flag in a code review.
The regulatory credibility of the project and the security of its key management structure were not aligned. That gap is what the attacker walked through.
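As an added illustration (not code from StablR or Blockaid), the sketch below replays a constructed event sequence matching the takeover described above and returns the alerts a governance monitor could raise at each step. The event names, placeholder addresses, block numbers, and the `MIN_THRESHOLD` policy value are assumptions; the mint amounts are the ones reported above.

```python
from dataclasses import dataclass, field

MIN_THRESHOLD = 2  # assumed policy floor: no single key may act alone

@dataclass
class Multisig:
    owners: set
    threshold: int
    approved: frozenset = field(init=False)  # signer set last reviewed by governance

    def __post_init__(self):
        self.approved = frozenset(self.owners)

def replay(ms, events):
    """Replay governance events in order; return (block, alert) tuples."""
    alerts = []
    if ms.threshold < MIN_THRESHOLD:
        alerts.append((0, f"{ms.threshold}-of-{len(ms.owners)}: one key controls minting"))
    for ev in events:
        block, kind = ev["block"], ev["event"]
        if kind == "OwnerAdded":
            ms.owners.add(ev["owner"])
            if ev["owner"] not in ms.approved:
                alerts.append((block, f"unapproved owner added: {ev['owner']}"))
        elif kind == "OwnerRemoved":
            ms.owners.discard(ev["owner"])
            left = len(ms.owners & ms.approved)
            if left < MIN_THRESHOLD:
                alerts.append((block, f"only {left} approved signer(s) remain"))
        elif kind == "Mint" and ms.owners != ms.approved:
            alerts.append((block, f"mint of {ev['amount']:,} {ev['token']} under unapproved signer set"))
    return alerts

# Constructed sample: placeholder addresses and block numbers (hypothetical event schema).
SAMPLE_EVENTS = [
    {"block": 101, "event": "OwnerAdded", "owner": "0xNEW"},
    {"block": 102, "event": "OwnerRemoved", "owner": "0xSIGNER_A"},
    {"block": 103, "event": "OwnerRemoved", "owner": "0xSIGNER_B"},
    {"block": 104, "event": "Mint", "token": "USDR", "amount": 8_350_000},
    {"block": 105, "event": "Mint", "token": "EURR", "amount": 4_500_000},
]

def run_sample():
    ms = Multisig(owners={"0xSIGNER_A", "0xSIGNER_B", "0xSIGNER_C"}, threshold=1)
    return replay(ms, SAMPLE_EVENTS)

if __name__ == "__main__":
    for block, alert in run_sample():
        print(block, alert)
```

The first alert fires before any event is replayed: the 1-of-3 configuration fails the policy check on its own, which is the point at which a review or a deployment gate would have caught it.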
This Is Not a New Pattern
We covered the MAPO bridge exploit last week where a spoofed cross-chain message allowed unauthorized minting that crashed the token 95%. The mechanism was different but the underlying failure was the same: inadequate validation of who has authority to mint.
A similar Resolv stablecoin breach earlier in 2026 used near-identical mechanics. A single insufficiently protected key enabled minting at scale. The pattern is consistent: projects launch with sophisticated smart contract architecture and then secure the keys controlling that architecture with governance structures that would not pass a basic security audit.
DeFi infrastructure risk is the persistent unsolved problem underlying all of this. The SEC’s Innovation Exemption is designed to bring tokenized assets onto regulated blockchain infrastructure. The GENIUS Act stablecoin bill just failed a Senate floor vote. Both of those regulatory developments assume that the infrastructure layer is secure enough to carry regulated financial products. The StablR exploit is a live demonstration of how far that assumption is from reality.
The Tether and MiCA Question
StablR’s regulatory and financial ties create obligations that a purely DeFi project would not face. Tether’s strategic investment and MiCA licensing mean there are counterparties and regulators with formal relationships to this project. How those ties factor into any recovery or compensation response has not yet been disclosed.
What is clear is that regulatory credentials did not prevent the exploit. A MiCA license and an EMI authorization are not security audits. They certify compliance with financial regulation. They do not certify that the keys controlling your minting contract are adequately protected.
The regulated stablecoin sector is learning a painful lesson that DeFi learned years earlier: compliance and security are two different things. Having one does not give you the other.
What to Watch
StablR has not yet issued a formal statement on recovery steps, compensation, or whether the compromised key has been revoked and the contract paused. Until an official update arrives, avoid interacting with EURR and USDR on any platform.
The broader question is whether Malta’s MFSA and the EU’s MiCA enforcement framework have the tools to respond to an exploit of a licensed issuer. The answer to that question will shape how seriously the next generation of regulated stablecoin issuers takes key management security.