TL;DR:
- StablR suspended USDR and EURR operations after an attack that allowed minting approximately $13.5 million in tokens without the required backing.
- A flaw in the 1-of-3 multisig wallet configuration allowed attackers to compromise one key and remove the legitimate signers.
- The tokens lost up to 50% of their peg; USDR trades at $0.994 and EURR at $0.548, well below their anchor.
StablR, a Malta-based European stablecoin issuer, suspended minting and redemption services for its USDR and EURR tokens after a cyberattack left the assets without the full backing required by regulation. The company confirmed the situation through an official statement after detecting “irregularities” in its systems, once internal alerts triggered an investigation.
Onchain investigator ZachXBT was the first to make the exploit public over the weekend, pointing out that two contracts linked to StablR’s stablecoins appeared to be compromised. The firm responded by freezing operations and asking exchanges to halt trading, deposits and withdrawals of both tokens. According to CoinGecko data, USDR has a market capitalization of $20 million and EURR of $10 million.
StablR Fell for a Costly Design Vulnerability
Blockchain security firm GoPlus Security identified the attack vector: the wallet used for minting was configured with a 1-of-3 multisig threshold, meaning that any of the three authorized owners could approve transactions individually.
The attackers compromised a single key, added themselves as administrators, removed the legitimate signers and proceeded to mint approximately 8.35 million USDR and 4.5 million EURR, equivalent to around $13.5 million in unbacked tokens at peg value. Low liquidity on decentralized exchanges limited their actual gain to approximately $2.8 million after liquidating the newly minted supply.
EURR Has Yet to Recover Its Peg
The company acknowledged that the circulating supply of both tokens “is currently not fully backed at the 1:1 ratio” required by the European Union’s Markets in Crypto-Assets regulation, known as MiCA. StablR stated it will notify the Malta Financial Services Authority under the rules of the EU’s Digital Operational Resilience Act. External cybersecurity firms and law enforcement agencies are also participating in the investigation.
CEO Gijs op de Weegh stated that the company is acting “with full transparency” while the process continues. Although the tokens began recovering part of their peg, EURR remains at $0.548, well below the euro’s current value of $1.16.
