StablR’s EURR and USDR stablecoins lost their pegs on May 24, 2026, after an attacker exploited a 1-of-3 multisignature setup to seize administrative control of minting contracts. The breach allowed millions of unbacked tokens to be minted, triggering forced swaps into ETH and severe price dislocations across decentralized markets.
The incident is especially significant because StablR operated as a MiCA-registered, Malta-licensed Electronic Money Institution with institutional backing. The exploit exposed an operational security gap that regulatory status alone did not prevent, raising questions about how stablecoin oversight treats privileged on-chain access.
Security update: We have identified an exploit affecting StablR and are actively working to contain it and minimize impact.
Protecting our users and your funds is our top priority.
We'll share verified details and next steps as soon as possible.
— StablR (@StablREuro) May 24, 2026
A Single Compromised Signer Enabled Contract Control
On-chain reporting indicates that the attacker compromised one signer in a 1-of-3 multisig, added their own address as an owner and removed legitimate signers. That administrative takeover gave the attacker direct minting power, without requiring a smart-contract coding flaw.
The attacker then minted 8.35 million USDR and 4.5 million EURR. Those unbacked tokens carried a reported face value between roughly $10.4 million and $13.5 million, far above what available liquidity could absorb.
Liquidity conditions limited the attacker’s realized proceeds but amplified market damage. The exploiter swapped the newly minted tokens on decentralized exchanges, extracting about $2.8 million to $3.15 million, or roughly 1,115 ETH by reported figures.
The peg impact was immediate. EURR fell to about $0.70 while USDR dropped to roughly $0.40, representing sharp dislocations for stablecoins that were supposed to maintain euro and dollar parity.
Compliance Status Did Not Prevent Operational Failure
The attacker’s control also enabled targeted actions against legitimate wallets. Reporting indicates that about 2.7 million EURR tied to a routine redemption wallet was blacklisted and burned, with the loss reported near $2.4 million.
StablR’s regulatory positioning now sits at the center of the debate. MiCA and DORA emphasize reserves, disclosures and ICT resilience, but they do not prescribe specific on-chain key-management standards or multisig threshold requirements.
That distinction matters because the failure was operational, not a conventional smart-contract exploit. A single compromised key was enough to take over privileged minting controls, showing how weak governance architecture can defeat otherwise regulated stablecoin structures.
The breach was first flagged on-chain by ZachXBT, while traces show suspicious activity continued for more than three hours. StablR’s public acknowledgement came roughly eight hours after the activity stopped, highlighting gaps in monitoring and incident response.
The practical lesson is clear: peg integrity depends on governance security as much as reserves. Limited DEX liquidity can magnify losses when unbacked supply enters the market, especially for niche stablecoins with thinner secondary markets.
The incident is likely to increase pressure for technical standards around privileged access. Regulators and issuers may now face calls for stricter multisig thresholds, stronger key custody rules and faster incident-response obligations for regulated stablecoins.
