StablR's EURR and USDR depeg after attacker mints $13.5 million in unbacked tokens through multisig exploit

Stablecoins issued by Tether- and Kraken-backed European stablecoin issuer StablR lost their pegs Saturday night and into Sunday morning ET, after an attacker took administrative control of the issuer's minting contract and printed millions in fresh tokens before dumping them on decentralized exchanges.

Onchain investigator ZachXBT flagged the incident publicly at 9:46 PM ET Saturday, posting to his investigations channel that two contracts tied to StablR appeared to have been potentially exploited for around $10 million across EURR and USDR. He noted that the attacker's wallet had been funded via Circle's Cross-Chain Transfer Protocol (CCTP) on Noble.

In a follow-up at 11:52 PM ET Saturday, ZachXBT said he had helped freeze a six-figure sum of the stolen funds. He added that the StablR team appeared to be "asleep" while the attack remained active more than three hours in.

Blockchain security firm Blockaid attributed the breach to a private key compromise affecting one signer on StablR's minting multisig, which was secured by just a 1-of-3 signature threshold. The attacker added themselves as an administrator, replaced the existing owners, and minted 8.35 million USDR and 4.5 million EURR (for a total value of about $13.5 million) in the first hours of the attack, per Blockaid.