StablR Stablecoin Depegs Following Attack, Over $3 Million Lost

Odaily

Summary
The stablecoin protocol StablR suffered a security breach on May 24, causing a 20% depeg of EURR and USDR due to illegal mass minting. Attackers exploited a single-signature vulnerability in multisig wallets, draining over $3 million. Beosin traced the exploit to poor operational security, including weak key management and the absence of time locks for high-risk operations. A total of 8.35 million USDR and 4.5 million EURR were minted, with the stolen funds distributed across multiple wallets and transferred to Kraken, Huobi, and WhiteBIT. The incident underscores the urgent need for a protocol update to prevent similar attacks.

Source: Beosin

On May 24, the stablecoin protocol StablR was attacked, causing its compliant euro stablecoin EURR and dollar stablecoin USDR to sharply depeg due to illegal mass minting, with declines of up to 20%, resulting in actual losses exceeding $3 million. The attack stemmed from a loss of control over multisignature permissions, once again sounding an alarm for the entire stablecoin industry regarding security governance.


Attack flow analysis

StablR is a Malta-based stablecoin issuer that previously received a strategic investment from Tether, which also provided StablR with stablecoin issuance and risk management tools through its Hadron tokenization platform. StablR has now launched two compliant stablecoin products: EURR and USDR.

By analyzing on-chain data, we can observe:

The multisig wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc

The multisig wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3

Since the above multisig wallets require only one signature to initiate a transaction, the attacker, by controlling the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d, added the attacker’s address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to the above two multisig wallets:


Related transaction hash:

(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a

(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de

Through the above process, we can see that this incident is not about a code vulnerability, but rather an operational security issue with the stablecoin issuer: the private key for the privileged address was not properly secured, high-threshold multisig was not used for high-value/high-risk operations, time locks were not implemented for large-scale minting, and there was no rapid incident response mechanism in place.

After gaining minting privileges on the attacker’s address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1, the attacker began large-scale minting and sent the minted stablecoins to multiple addresses:


According to Beosin, a total of 8.35M USDR and 4.5M EURR have been minted. Relevant minting query link: https://etherscan.io/advanced-filter?fadd=0x0000000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50

Analysis of stolen fund flows

The actual loss from this incident exceeded $3 million. After minting, the primary receiving addresses were:

1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 (received a total of 1,000,000 EURR)

2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D (received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current balance: 324,163.04 USDR and 1,204,098.63 EURR)

3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04 (received a total of 412.67 ETH, 2,575,966.87 USDR, and 650,000 EURR)

4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb (received a total of 235.92 ETH, 700,000 EURR, and 200,000 USDR)

5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d (received a total of 225.54 ETH, 4,000,000 USDR, and 1,000,000 EURR)

6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a (received a total of 2,000,000 USDR; current balance: 1,969,000 USDR)

7. 0x8c1957765721e2540c03A0D64435a469a7266c51 (received a total of 1,400,000 USDR and 1,400,000 EURR; current balance: 900,000 EURR and 900,000 USDR)

8. 0x865eC0587CdF305877783C080d97DEdD4f60398f (received a total of 504,000 USDR)

Through Beosin Trace analysis, the illegally minted EURR and USDR were partially transferred to various exchanges, such as ChangeNOW, Kraken, Huobi, and WhiteBIT, via fund dispersion, with a small amount entering the Tornado Cash mixer.

Beosin Trace can trace transactions through mixers such as Tornado Cash, ChangeNOW, Fixedflow, and other instant exchange platforms; the tracing results are shown below:


In addition to the funds transferred to centralized exchanges, the following on-chain addresses are still holding stolen funds:

1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca (locked amount: 1,488.08 ETH)

2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f (locked amount: 510,673.98 USDR, 44,000 EURR)

3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926 (locked amount: 85.21 ETH, 15,263.22 USDT, 101,241.95 EURR)

4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762 (locked amount: 8.91 ETH, 26,816.98 USDT, 250,570.03 EURR)

5. 0xde7adbb368c2616df8c5c0e986933bee8f660add (locked amount: 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR, 258,117.67 EURR)

6. 0x0bc0b7b24876ac97610346ea0194735ccc271edd (locked amount: 100 ETH)

7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386 (locked amount: 100,000 USDR)

8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376 (locked amount: 15 ETH)

The overall fund flow is shown in the figure below:


Stolen Funds Flow Analysis Chart by Beosin Trace

This security incident demonstrates that code audits alone cannot address operational or governance deficiencies. Stablecoin issuers and regulators should consider proactively monitoring the circulation and operations of stablecoins in secondary markets on a risk-based basis. To address this industry pain point, Beosin has launched the Stablecoin Monitoring system, covering the entire lifecycle of stablecoins: this system enables continuous monitoring of key operational metrics such as total issuance, minting and burning activities, distribution of holding addresses, and on-chain transaction flows.


During the circulation phase, Stablecoin Monitoring analyzes price volatility and peg stability to promptly detect depegging risks caused by market manipulation or liquidity crises, addressing attack scenarios such as the mass malicious minting of stablecoins following private key exposure, as seen in the StablR incident; it also has cross-chain activity tracking capabilities to trace fund flows across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts to help users identify associated fraud risks.
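As an added illustration of the two controls this incident points to (it is not Beosin's or StablR's code): a small Python monitor over constructed ERC-20 Transfer events that raises an alert when mint volume inside a sliding block window exceeds a per-token cap (a mint is a Transfer from the zero address, the same rule the Etherscan filter above relies on), plus a governance check that flags a minter multisig whose threshold a single owner or a minority of owners can satisfy. The addresses, amounts, window size and caps are placeholders chosen for the example.

```python
from collections import defaultdict, namedtuple

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"
# One ERC-20 Transfer event; amount already scaled by the token's decimals
Transfer = namedtuple("Transfer", "token sender recipient amount block")

def is_mint(t):
    # A mint appears as a Transfer from the zero address (the Etherscan filter above uses the same rule)
    return t.sender.lower() == ZERO_ADDRESS

def mint_alerts(transfers, window_blocks, cap_per_window):
    """First breach per token: mint volume inside a sliding window of window_blocks
    blocks exceeds cap_per_window[token]. Returns (token, first_block, last_block, volume)."""
    by_token = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        if is_mint(t):
            by_token[t.token].append(t)
    alerts = []
    for token, mints in by_token.items():
        cap, start, volume = cap_per_window.get(token, 0.0), 0, 0.0
        for t in mints:
            volume += t.amount
            while mints[start].block < t.block - window_blocks:
                volume -= mints[start].amount  # drop mints that have left the window
                start += 1
            if volume > cap:
                alerts.append((token, mints[start].block, t.block, volume))
                break
    return alerts

def multisig_findings(owners, threshold):
    """Governance checks on a minter multisig: a 1-of-N setup, or a threshold
    that fewer than a majority of owners can satisfy."""
    findings = []
    if threshold <= 1:
        findings.append("single-signature control: one compromised owner key can mint")
    if 2 * threshold <= len(owners):
        findings.append("threshold can be met by a minority of owners")
    return findings

# Constructed sample events with placeholder addresses (not the incident's real ones)
SAMPLE = [
    Transfer("USDR", ZERO_ADDRESS, "0xTREASURY_PLACEHOLDER", 50_000.0, 100),
    Transfer("USDR", ZERO_ADDRESS, "0xRECIPIENT_A_PLACEHOLDER", 3_000_000.0, 200),
    Transfer("USDR", ZERO_ADDRESS, "0xRECIPIENT_B_PLACEHOLDER", 2_000_000.0, 201),
    Transfer("USDR", ZERO_ADDRESS, "0xRECIPIENT_A_PLACEHOLDER", 3_350_000.0, 202),
    Transfer("USDR", "0xRECIPIENT_A_PLACEHOLDER", "0xEXCHANGE_PLACEHOLDER", 1_000_000.0, 203),
]
CAPS = {"USDR": 5_000_000.0}
```

A token with no entry in the cap table alerts on its first mint, so the monitor fails closed for tokens that were never configured; the legitimate 50,000 USDR mint at block 100 falls out of the 50-block window before the three large mints push the total over the cap.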

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.