European stablecoin issuer StablR suffered a major exploit on Sunday after a compromised private key in its minting multisig contract allowed an attacker to mint millions of tokens. The two stablecoins, EURR (euro-pegged) and USDR (dollar-pegged), lost their pegs sharply, with EURR dropping 23% from $1.15 to $0.88, and USDR falling 30% to $0.70.
On-chain investigator ZachXBT first raised the alarm on Telegram, reporting that two StablR-related contracts were being drained for roughly $10 million. He shared a list of attacker addresses and later said he helped freeze six figures while the attack was still active and the StablR team appeared unresponsive. Blockchain security firm Blockaid independently detected the ongoing exploit and linked it to a weak 1-of-3 multisig setup. The attacker used the compromised key to add themselves as an owner, remove other owners, and mint 8.35 million USDR and 4.5 million EURR tokens.
Despite the minted tokens having a face value of about $10.4 million, thin liquidity on decentralized exchanges meant the attacker only received 1,115 ETH — approximately $2.8 million. StablR, which holds an EMI license from the Malta Financial Services Authority and claims MiCA compliance, had not issued a public statement at the time of reporting. Tether, which invested in StablR in December 2024, has not commented either.
The incident adds to a wave of DeFi exploits in May 2025, with more than a dozen major hacks recorded, including THORChain, Verus Bridge, and Polymarket. In many cases, key management failures were the root cause, highlighting systemic risks in multisig governance.
