An exploit targeting the stablecoin issuer StablR has resulted in a significant loss, with approximately $2.8 million drained from its reserves. The incident, detected on Sunday by blockchain security firm Blockaid, highlights ongoing vulnerabilities within decentralized finance (DeFi) platforms.
According to Blockaid’s exploit detection system, the breach was made possible by a compromised private key associated with a weak 1-of-3 multisignature account, a configuration in which any single one of the three owner keys can authorize transactions on its own. With that one key, the attacker gained unauthorized access, added themselves as an owner and subsequently minted 8.35 million USDR and 4.5 million EURR tokens.
Blockaid characterized the incident as a failure in key management rather than a flaw in the smart contract itself, stating, “This is not a smart contract bug — it’s a key management and governance failure.”
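The failure mode described above can be watched for on the governance side. The following is an added example, not code from Blockaid or StablR: a small rule set run over a constructed event stream, where the event format, wallet and token names, the alert names and both limits are assumptions for illustration.

```python
# Constructed event stream (not real chain data). Event kinds and field names
# are hypothetical, loosely modelled on what a multisig wallet and token emit.
EVENTS = [
    {"block": 100, "kind": "setup", "wallet": "treasury", "owners": ["A", "B", "C"], "threshold": 1},
    {"block": 100, "kind": "setup", "wallet": "ops", "owners": ["D", "E", "F"], "threshold": 2},
    {"block": 205, "kind": "owner_added", "wallet": "treasury", "owner": "X", "approvals": ["B"]},
    {"block": 207, "kind": "mint", "wallet": "treasury", "token": "TOKEN_A",
     "amount": 8_000_000, "supply_before": 11_000_000, "approvals": ["X"]},
    {"block": 300, "kind": "mint", "wallet": "ops", "token": "TOKEN_B",
     "amount": 50_000, "supply_before": 14_000_000, "approvals": ["D", "E"]},
]

WINDOW_BLOCKS = 50       # assumed: how long a newly added owner is treated as "new"
MINT_RATIO_LIMIT = 0.10  # assumed: one mint above 10% of supply is abnormal


def analyze(events):
    """Return (block, wallet, alert) tuples for risky governance activity."""
    wallets, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["block"]):
        w = wallets.setdefault(ev["wallet"], {"owners": set(), "threshold": 0, "new": {}})
        if ev["kind"] == "setup":
            w["owners"], w["threshold"] = set(ev["owners"]), ev["threshold"]
            # 1-of-N: compromising any one key gives full control of the wallet.
            if w["threshold"] == 1 and len(w["owners"]) > 1:
                alerts.append((ev["block"], ev["wallet"], "WEAK_THRESHOLD"))
        elif ev["kind"] == "owner_added":
            # Count approvals only from owners that existed before this change.
            if len(set(ev["approvals"]) & w["owners"]) < 2:
                alerts.append((ev["block"], ev["wallet"], "OWNER_ADDED_BY_SINGLE_KEY"))
            w["owners"].add(ev["owner"])
            w["new"][ev["owner"]] = ev["block"]
        elif ev["kind"] == "mint":
            # A mint approved by an owner added within the window is suspicious.
            if any(o in w["new"] and ev["block"] - w["new"][o] <= WINDOW_BLOCKS
                   for o in ev["approvals"]):
                alerts.append((ev["block"], ev["wallet"], "MINT_BY_NEW_OWNER"))
            # Multiplication instead of division so a zero supply cannot raise.
            if ev["amount"] > MINT_RATIO_LIMIT * ev["supply_before"]:
                alerts.append((ev["block"], ev["wallet"], "OVERSIZED_MINT"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The first alert fires at configuration time, before any key is compromised; raising the threshold removes the single-key path that the later three alerts only detect after the fact.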
Stablecoins Lose Their Peg
This unauthorized minting led to a rapid depeg of both StablR stablecoins. The euro-backed EURR, which had a market capitalization of $14 million, plummeted by 23% from its $1.15 peg to $0.88. Meanwhile, the dollar-backed USDR, valued at $11 million, experienced a staggering 30% drop, settling at $0.70.
At the time of reporting, both tokens remained significantly depegged, raising concerns among investors and users alike. The exploiter managed to swap the minted tokens on decentralized exchanges, receiving only 1,115 ETH—worth approximately $2.8 million—due to the thin liquidity surrounding these assets.
Reports from blockchain investigator ZachXBT indicated that the total value of the ongoing exploit could reach around $10 million, with the attack still in progress as the news broke on Sunday morning. StablR had yet to release any public updates regarding the exploit on their official channels.
A Surge in DeFi Exploits
May has proven to be a tumultuous month for DeFi, with multiple high-profile exploits reported across various protocols. Data from DeFiLlama reveals that over a dozen significant incidents have occurred this month, including attacks on THORChain, Verus Bridge, Echo Protocol, and Polymarket. A common theme in these breaches has been the compromise of private or administrative keys, rather than inherent smart contract vulnerabilities.
In addition to StablR, other protocols such as Volo Vault and Wasabi Perps have also faced similar key-related exploits. The month also saw the Bitcoin cross-chain bridge, Map Protocol, exploited through a smart contract bug, with attackers minting a quadrillion MAPO tokens, leading to a catastrophic 96% collapse in value.
StablR, which issues regulated stablecoins backed by reserves held in segregated accounts at major financial institutions, received an investment from Tether, the world’s largest stablecoin issuer, in December 2024. However, with the recent exploit, the platform’s legitimacy and security measures are now under scrutiny.
As of now, StablR has not provided any public statement regarding the exploit, leaving stakeholders anxious about the future of their investments and the stability of the platform.
