Opening
On 24 May 2026, StablR’s EURR and USDR stablecoins reportedly lost peg after an exploit involving unauthorised minting on Ethereum. ForkLog reported that Blockaid flagged at least $2.8 million in extracted value, while the nominal value of the minted assets was reported at roughly $10.4 million: 8.35 million USDR and 4.5 million EURR.
Early analysis caveat
At drafting time, no official StablR incident report or postmortem has been verified. Root cause therefore remains pending until StablR confirms it directly. Public reporting points to a key-management and governance failure rather than a smart contract logic bug in the EURR or USDR token contracts themselves.
Reported attack path
According to ForkLog, the attacker compromised one multisig owner key, then used that initial foothold to add themselves as an owner and replace two legitimate participants. With control of the owner set, they used the mint path to issue new EURR and USDR. If that sequence is confirmed, the binding failure is that a 1-of-3 owner threshold could control the mint path: a single point of failure, with one path controlling material value.
Cryptonews reported on ZachXBT’s attacker cluster, naming 0xea480c23d7b29a515856aafe0dc86f7519965a04 as the main attacker address and citing seven linked addresses. The same coverage reports that the attacker wallet was first funded through CCTP on Noble, and that a six-figure amount was subsequently frozen.
Nominal minted value vs realised extraction
The reported nominal value of the unauthorised mint is roughly $10.4 million, but realised extraction is reported at approximately $2.8 million. This gap is consistent with limited on-chain liquidity for EURR and USDR: a stablecoin attacker can mint into the contract’s namespace freely, but converting those minted units into hard value requires depth in pools, market makers, or off-ramps that did not exist at $10.4 million of scale. Realisable value, not minted value, is the figure that matters for actual loss.
Confirmed vs pending
| Field | Status | Detail |
|---|---|---|
| Incident date | Reported | 24 May 2026 |
| Affected assets | Reported | EURR and USDR on Ethereum |
| Realised loss | Reported | At least $2.8 million, per ForkLog quoting Blockaid |
| Nominal minted value | Reported | ~$10.4 million (8.35M USDR + 4.5M EURR) |
| Root cause | Pending official confirmation | Compromise of a multisig owner key and replacement of co-owners, per public reporting |
| Official postmortem | Pending | No StablR postmortem verified at drafting time |
Technical evidence and explorer links
The following addresses appear in public reporting. They are reproduced here as reported and have not been independently verified by Security4Web3.
- EURR contract: 0x50753cfaf86c094925bf976f218d043f8791e408
- USDR contract: 0x7b43e3875440b44613dc3bc08e7763e6da63c8f8
- Main reported attacker address: 0xea480c23d7b29a515856aafe0dc86f7519965a04
- Reported funding route: CCTP on Noble.
What to watch next
- An official StablR statement and postmortem confirming whether the entry point was an owner key compromise, governance UI compromise, or a different vector.
- The mint transaction hashes and the full set of addresses in the attacker cluster, so the realised value path can be reconstructed end to end.
- Centralised exchange and bridge responses: how much of the extracted value remains frozen, how much was off-ramped, and how much is still in attacker control.
- Whether EURR and USDR holders are made whole, partially compensated, or left to recover via market mechanisms.
What defenders can take from this
The mint path is the crown jewel of any stablecoin issuer. Token-level controls that allow a small multisig to mint without a timelock, without an external policy engine, and without per-window caps will always be the most attractive target. The blast radius of a compromise scales with the supply the keys can create, not just the balance they can move.
Owner-replacement should be a separately governed action. If the same threshold that can sign a mint can also rotate the owner set, an attacker who reaches that threshold once can keep it indefinitely. Separating the role-administration path from the operational path, with longer timelocks on role changes, is one of the cheapest hardening steps available.
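The separation described in the two paragraphs above can be modelled off-chain. The following is an added example, not code from StablR or from the reporting: the `MintPolicy` class, its parameters, the owner labels and the cap values are all hypothetical, and `replay` runs the reported sequence (one compromised key, owner replacement, mint) against a 1-of-3 configuration and a hardened one.

```python
from dataclasses import dataclass, field

@dataclass
class MintPolicy:
    """Off-chain model of a mint gate; every name here is hypothetical."""
    owners: set
    mint_threshold: int    # owner signatures needed to mint
    admin_threshold: int   # owner signatures needed to change the owner set
    admin_timelock: int    # seconds a queued owner change must wait
    window: int            # length of the mint-cap window, seconds
    window_cap: int        # maximum units mintable inside one window
    mints: list = field(default_factory=list)    # (timestamp, amount)
    pending: dict = field(default_factory=dict)  # change id -> (eta, add, remove)

    def _signed(self, signers, needed):
        # Only signatures from current owners count toward a threshold.
        return len(set(signers) & self.owners) >= needed

    def mint(self, now, amount, signers):
        if not self._signed(signers, self.mint_threshold):
            return "rejected: signatures"
        used = sum(a for t, a in self.mints if now - t < self.window)
        if used + amount > self.window_cap:
            return "rejected: window cap"
        self.mints.append((now, amount))
        return "minted"

    def queue_owner_change(self, now, cid, add, remove, signers):
        if not self._signed(signers, self.admin_threshold):
            return "rejected: signatures"
        self.pending[cid] = (now + self.admin_timelock, set(add), set(remove))
        return "queued"

    def execute_owner_change(self, now, cid):
        if cid not in self.pending:
            return "rejected: not queued"
        eta, add, remove = self.pending[cid]
        if now < eta:
            return "rejected: timelock"
        del self.pending[cid]
        self.owners = (self.owners | add) - remove
        return "executed"

def replay(policy):
    """Reported sequence with one compromised key, 'a' (constructed labels)."""
    return [
        policy.queue_owner_change(0, "c1", {"x"}, {"b", "c"}, ["a"]),
        policy.execute_owner_change(60, "c1"),
        policy.mint(120, 8_350_000, ["a", "x"]),
    ]

weak = MintPolicy({"a", "b", "c"}, 1, 1, 0, 3600, 10**12)
hardened = MintPolicy({"a", "b", "c"}, 2, 3, 172_800, 86_400, 1_000_000)
```

Under the weak policy every step succeeds; under the hardened one the owner change is never queued, so the later mint still lacks a second valid signature.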
Detection has to be wired to the contract, not the dashboard. Anomalous mint events, sudden owner changes, and unusual outbound transfers from issuer-controlled addresses are all observable on-chain in real time. Issuers that rely on social-media reports to learn about their own compromise have already lost the response window.
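A minimal sketch of that detection logic, as an added example rather than any issuer's production monitoring: it covers owner-set changes and mint volume only, and the event names, fields, thresholds and sample records are constructed assumptions to be mapped onto the real contract ABI.

```python
from collections import deque

# Constructed sample of decoded contract events (not real chain data).
# Event names and fields are assumptions; map them to your contracts' ABI.
SAMPLE_EVENTS = [
    {"ts": 1000, "event": "Mint", "amount": 50_000},
    {"ts": 5000, "event": "OwnerAdded", "owner": "0xNEW"},
    {"ts": 5012, "event": "OwnerRemoved", "owner": "0xOLD1"},
    {"ts": 5024, "event": "OwnerRemoved", "owner": "0xOLD2"},
    {"ts": 5100, "event": "Mint", "amount": 8_350_000},
]

def detect(events, mint_cap=500_000, window=3600, churn_limit=2, quiet=86_400):
    """Return (ts, severity, reason) alerts for a time-ordered event stream."""
    alerts, recent_mints, owner_changes = [], deque(), deque()
    last_change = None  # timestamp of the most recent owner-set change
    for e in events:
        ts = e["ts"]
        if e["event"] in ("OwnerAdded", "OwnerRemoved"):
            owner_changes.append(ts)
            while ts - owner_changes[0] >= window:
                owner_changes.popleft()
            last_change = ts
            # Any owner change raises an alert; a burst of them is critical.
            sev = "critical" if len(owner_changes) >= churn_limit else "high"
            alerts.append((ts, sev, f"{e['event']} {e['owner']}"))
        elif e["event"] == "Mint":
            recent_mints.append((ts, e["amount"]))
            while ts - recent_mints[0][0] >= window:
                recent_mints.popleft()
            total = sum(a for _, a in recent_mints)
            if total > mint_cap:
                alerts.append((ts, "critical", f"minted {total} in window"))
            # A mint soon after an owner-set change is the reported pattern.
            if last_change is not None and ts - last_change < quiet:
                alerts.append((ts, "critical", "mint after owner change"))
    return alerts
```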
Sources
- ForkLog, “StablR’s EURR and USDR stablecoins lose peg after $2.8 million hack”
- Cryptonews, ZachXBT attacker cluster coverage
If you issue or custody stablecoins, the question is not whether your contracts are audited; it is whether the privileged paths around them can survive the compromise of any single key or signer. Security4Web3 can help you review mint and burn authority, multisig owner governance, and the monitoring and response controls that decide how much of an incident becomes a realised loss.