StablR Hack 2026 — $3M Exploit Analysis

StablR stablecoin minting contract exploited via compromised 1-of-3 multisig key, minting $13.5M in unbacked tokens

Details

Full Description

On June 18, 2026, StablR's EURR and USDR stablecoins lost their pegs after an attacker exploited a 1-of-3 multisig wallet tied to the project's minting contract. The attacker minted roughly 8.35 million unbacked USDR and 4.5 million EURR - tokens with a combined face value near $13.5 million - then dumped them across decentralized exchanges for approximately 1,115 ETH (~$2.8 million in profit amid heavy slippage). The root cause was straightforward: an attacker gained control of one private key belonging to a multisig signer. With just 1-of-3 approval required for the minting admin role, that single key was enough to remove legitimate owners, add their own wallet, and authorize unlimited issuance with zero collateral. StablR operates as a Malta-licensed Electronic Money Institution (EMI) and positions itself as fully MiCA-compliant, with backing from Tether. Unlike algorithmic failures such as Terra's UST collapse, StablR's underlying fiat reserves appear untouched - the depeg stems purely from artificial oversupply hitting the secondary market.

Laundering Analysis

The attacker operated from Ethereum address 0xea480c23d7b29a515856aafe0dc86f7519965a04. The exploit unfolded overnight in European time zones. The attacker swapped freshly printed tokens and withdrew ETH proceeds. Some six-figure amounts were later frozen by security teams, but the bulk of the realized gain had already left the ecosystem. The attacker moved quickly to convert unbacked stablecoins into ETH before freeze actions could be taken.

Sources

Related Hacks

Back to Browse