StablR’s EURR and USDR stablecoins lost their pegs on May 24, 2026, after an attacker reportedly gained control of minting permissions and extracted about $2.8 million through decentralized exchange swaps. Blockchain security firm Blockaid said the incident was tied to a compromised private key in StablR’s minting multisig, not a conventional smart-contract bug.
The attacker allegedly exploited a 1-of-3 multisig configuration, meaning one compromised signer was enough to take control of the minting setup. According to Blockaid’s account, the attacker added themselves as an owner, removed the two other legitimate owners, then minted 8.35 million USDR and 4.5 million EURR before selling into thin liquidity.
Security update: We have identified an exploit affecting StablR and are actively working to contain it and minimize impact.
Protecting our users and your funds is our top priority.
We'll share verified details and next steps as soon as possible.
— StablR (@StablREuro) May 24, 2026
Minting Control Became the Attack Surface
The most important distinction is that the failure appears to have occurred at the administrative-control layer, rather than through a flaw in the token contracts themselves. Blockaid described the root cause as a key-management and governance failure, with the low multisig threshold allowing one private-key compromise to escalate into full issuance control.
🚨Community Alert
Blockaid's exploit detection system has identified an ongoing exploit on @StablREuro.~$2.8M extracted so far.
Both tokens are depegged: 0x50753cfaf86c094925bf976f218d043f8791e408 (StablR Euro)
and
0x7b43e3875440b44613dc3bc08e7763e6da63c8f8 (StablR USD) on…— Blockaid (@blockaid_) May 24, 2026
The newly minted tokens carried a much larger face value than the attacker ultimately realized. Blockaid-linked reporting said the exploiter swapped about $10.4 million in freshly minted assets but received only 1,115 ETH, worth roughly $2.8 million, because available DEX liquidity was too shallow to absorb the supply at peg.
The selling pressure pushed both stablecoins away from their intended values. Reports cited EURR falling to the $0.85 to $0.88 range and USDR trading well below $1 during the incident, making the depeg a direct market consequence of unauthorized issuance and liquidity stress.
Compliance Did Not Eliminate Operational Risk
StablR’s own materials describe EURR and USDR as fiat-backed stablecoins and state that the issuer is an Electronic Money Institution authorized by the Malta Financial Services Authority. The company also says its reserves are held with regulated financial institutions, but reserve disclosures and licensing did not prevent a privileged-key failure in the minting flow.
The incident is especially sensitive because StablR had positioned itself inside Europe’s regulated stablecoin market. Tether announced a strategic investment in StablR on Dec. 17, 2024, while StablR has said it secured its EMI license in July 2024 as part of its European stablecoin framework.
At this stage, the confirmed narrative remains narrower than the broader market reaction: a minting-key compromise reportedly enabled unauthorized EURR and USDR issuance, the attacker extracted about $2.8 million in ETH, and both tokens depegged during the selloff. The unresolved questions are how the key was compromised, whether any additional administrative controls failed, and what remediation StablR will implement before confidence in the affected pairs can recover.