StablR suffers multisig attack, and 13.5 million unpegged EURR and USDR tokens are minted

MarketWhisper

StablR multisig attack

European stablecoin issuer StablR was hit by a multisig attack from the evening of May 24 to the early hours of May 25. By stealing one private key of the minting contract’s 1/3 multisig, the attacker minted 8.35 million USDR and 4.5 million EURR within about 3 hours and then sold them on a decentralized exchange, causing EURR to drop to about $0.85 and USDR to drop to about $0.64.

The technical mechanism of the attack: how the 1/3 threshold multisig was breached

Blockaid confirmed that the technical root cause of this attack was the leak of the private key of one of the signers in StablR’s minting multisig. StablR’s minting function uses a 1/3 multisig scheme (a threshold of one signature out of three), meaning minting can be executed with approval from just one of the three authorized signers. Using the leaked private key, the attacker added itself as an administrator, replaced the original legitimate owner(s), and completed unauthorized minting of 8.35 million USDR and 4.5 million EURR within 3 hours.

The attacker also used the administrative control it had obtained to blacklist and destroy tokens held by at least one legitimate counterparty; the on-chain record confirms at least one destruction of about 2.7 million EURR (about $2.4 million). These tokens came from a wallet that had been performing routine redemptions with StablR for months. The attacker’s wallet received its initial funding via Circle’s Cross-Chain Transfer Protocol (CCTP) on Noble.
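The sequence described above (owner-set change, large mints, then blacklist and burn of a counterparty) can be watched for on the defender's side. The following is an added example, not code from StablR or Blockaid; the event schema, rule names, `WINDOW` and `MINT_LIMIT` are assumptions, and the sample events are constructed, with only the amounts taken from the article.

```python
from dataclasses import dataclass

WINDOW = 3 * 3600        # correlation window in seconds (assumed)
MINT_LIMIT = 1_000_000   # tokens mintable per window (assumed policy)

@dataclass
class Event:             # hypothetical, already-decoded privileged-role event
    ts: int              # unix seconds
    kind: str            # owner_added | owner_removed | mint | blacklist | burn
    actor: str           # key that authorised the call
    subject: str         # owner changed, mint recipient, or affected holder
    amount: float = 0.0

def detect(events, baseline_owners, threshold):
    """Return (ts, rule, detail) alerts for one minting multisig."""
    baseline, owners = set(baseline_owners), set(baseline_owners)
    alerts, mints, blacklisted, last_change = [], [], set(), None
    if threshold < 2:
        alerts.append((0, "POLICY", f"{threshold}-of-{len(owners)}: one key can mint"))
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in ("owner_added", "owner_removed"):
            (owners.add if e.kind == "owner_added" else owners.discard)(e.subject)
            last_change = e.ts
            alerts.append((e.ts, "OWNER_CHANGE", f"{e.kind} {e.subject} by {e.actor}"))
            if not owners & baseline:
                alerts.append((e.ts, "TAKEOVER", "no baseline owner remains"))
        elif e.kind == "mint":
            # Keep only mints inside the sliding window, then add this one.
            mints = [m for m in mints if e.ts - m[0] < WINDOW] + [(e.ts, e.amount)]
            total = sum(a for _, a in mints)
            if total > MINT_LIMIT:
                alerts.append((e.ts, "MINT_RATE", f"{total:,.0f} minted in window"))
            if last_change is not None and e.ts - last_change < WINDOW:
                alerts.append((e.ts, "MINT_AFTER_OWNER_CHANGE", e.subject))
        elif e.kind == "blacklist":
            blacklisted.add(e.subject)
        elif e.kind == "burn" and e.subject in blacklisted:
            alerts.append((e.ts, "BLACKLIST_BURN", f"{e.amount:,.0f} from {e.subject}"))
    return alerts

# Constructed stream: names and timestamps are placeholders, amounts are the article's.
SAMPLE = [
    Event(0,    "owner_added",   "signer_B",  "new_admin"),
    Event(60,   "owner_removed", "new_admin", "signer_A"),
    Event(120,  "owner_removed", "new_admin", "signer_B"),
    Event(180,  "owner_removed", "new_admin", "signer_C"),
    Event(600,  "mint", "new_admin", "new_admin", 8_350_000),
    Event(4200, "mint", "new_admin", "new_admin", 4_500_000),
    Event(5000, "blacklist", "new_admin", "counterparty"),
    Event(5060, "burn", "new_admin", "counterparty", 2_700_000),
]
```

Calling `detect(SAMPLE, ["signer_A", "signer_B", "signer_C"], threshold=1)` returns the alerts in time order; the first owner change alone is enough to page someone well before any tokens are minted.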

Confirmed data on actual losses and market impact

Blockaid’s analysis confirmed that tokens with a notional value of about $10.4 million were exchanged for ETH on a decentralized exchange, but because insufficient liquidity caused large slippage, the attacker’s estimated net profit from the attack was about $2.8 million. As of Sunday morning, the attacker’s consolidation wallet, labeled “StablR Exploiter 2” on Etherscan, held 1,488 ETH (about $3.15 million). ZachXBT has helped freeze a six-figure amount of the stolen funds.

In terms of prices, according to CoinGecko data, EURR fell to about $0.85 (the euro-to-dollar peg is about $1.15, a drop of about 26%) and USDR fell to $0.64 (a drop of about 36%). The total supply of euro stablecoins on Ethereum currently accounts for about 0.24% of the total supply of fiat-backed stablecoins on Ethereum.

FAQ

How is the security of the 1/3 multisig signature threshold assessed in the industry, and why is it deemed a design flaw?

The security design principle of multisig is to increase the number of keys an attacker must compromise; the lower the threshold, the easier the scheme is to compromise. A 1/3 threshold means the attacker only needs to control one of the three authorized signers to fully execute high-privilege operations such as minting. For industry comparison, the Harmony Horizon bridge used a 2/5 threshold before it was exploited in 2022 and $100 million was stolen; at the time, security analysts had already pointed out that this was an insufficient security design. Mainstream multisig solutions such as Gnosis Safe typically recommend a 3/5 or higher threshold for protocol-level high-privilege operations. Blockaid explicitly stated that the 1/3 threshold is a governance and key-management decision by StablR, not a vulnerability in the smart contract code itself.

How does StablR’s MiCA compliance background and investments from Tether/Kraken affect this attack event?

MiCA (the Markets in Crypto-Assets regulation) mainly governs stablecoin reserve requirements, issuance eligibility, and risk disclosures; it does not directly impose specific technical requirements on the security architecture of smart contracts. StablR holds an MFSA electronic money institution license and MiCA compliance qualifications, but these regulatory endorsements do not cover security design choices for contract deployment. Tether and Kraken, as strategic investors, were not directly financially impacted by this event, but the event affected their reputation as investors in the European compliant stablecoin market.

How does this attack reflect the overall pattern shift of crypto security threats in 2026?

Blockaid’s analysis and multiple major attack cases in 2026 point to the same trend: the most severe incidents that year no longer stemmed from new smart contract code vulnerabilities, but from design mistakes in privileged access, governance architecture, and key management. The Drift Protocol incident on April 1 (losses of over $280 million) likewise completed fund transfers via Circle CCTP and involved a privileged-access attack pattern. DeFiLlama data confirms that April 2026 was the month with the highest number of hacking incidents in crypto history. StablR’s 1/3 multisig design and Harmony’s 2/5 multisig design both suggest that when protocols scale up, they often prioritize operational convenience over key redundancy.
