StablR Governance Crisis: How Attackers Hijacked EURR and USDR

On May 24, 2026, stablecoin protocol StablR was exploited after attackers seized ownership of its token contracts. Large quantities of EURR and USDR were illegally minted and dumped on the market, causing both stablecoins to rapidly lose value and depeg by approximately 20%.

This report analyzes the exploit and traces the flow of stolen funds.

How the Attack Worked

The exploit targeted two of StablR’s stablecoins using the same method. This report takes one contract as a case study: the Gnosis MultiSigWallet contract 0x8278d2881dbf8f6fc01c98d196c4b16f1aade5bc, deployed by StablR USD: Deployer to manage USDR token operations.

Below is the full timeline of owner permission changes to that contract.

Issuer Deployment Phase

| Date/Time | Transaction Hash | Action | Owner(s) | Required Signatures |
|---|---|---|---|---|
| 2024-12-17 08:18:35 UTC | 0x6067a49f7a2f25c9a50e5109aa674795f964358a5847b2619d44873ae1102a8c | USDR deployed; initial contract owner set | 0x45d2d0ab86cc96649da23394190a5f57009d305f (StablR USD: Deployer) | 1 of 1 |
| 2025-12-09 09:52:23 UTC | 0x20308ea6f288e0d7475de1382dc05c67ee8d390c848a42aa34f8c1b6474e075e | New owner added to USDR contract | 0xc73fd562de86d7860ee636c20813bcb2cf4d550d (funded by Deployer); 0x45d2d0ab86cc96649da23394190a5f57009d305f (StablR USD: Deployer) | 1 of 2 |
| 2025-12-31 13:10:11 UTC | 0xbb6fc12876873015f8be48d381ddc7574340079a6f9901a2782154941b4f3354 | StablR USD: Deployer removed from USDR contract owners | 0xc73fd562de86d7860ee636c20813bcb2cf4d550d (funded by Deployer) | 1 of 1 |
| 2025-12-31 13:12:47 UTC (2 minutes later) | 0xa546bee14bcc60c74e37ae35f2364c31340bc20fba1656b28136c8ee67e9a5b8 | New owner added to USDR contract | 0xc73fd562de86d7860ee636c20813bcb2cf4d550d (funded by Deployer); 0xd4b6543504df90faba649b80f8f669caffe0ad40 | 1 of 2 |

Attacker Takeover Phase

| Date/Time | Transaction Hash | Action | Owner(s) | Required Signatures |
|---|---|---|---|---|
| 2026-05-23 23:46:11 UTC | 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a | New owner added to USDR contract | 0xc73fd562de86d7860ee636c20813bcb2cf4d550d (funded by Deployer); 0xd4b6543504df90faba649b80f8f669caffe0ad40; 0xd4677b5a8b1b97ea213fdb876b0fcbab3f9f6cd1 (StablR Exploiter 3) | 1 of 3 |
| 2026-05-23 23:46:59 UTC | 0xd1c82d2e8f89a4973d7e51a033fd95471722893d5138cb3a75e3731695a6645c | USDR contract owner replaced: 0xd4b6543504df90faba649b80f8f669caffe0ad40 swapped out for 0xbc631daf86611f32faa63e7ec8c9c9571f2f5bb3 | 0xc73fd562de86d7860ee636c20813bcb2cf4d550d (funded by Deployer); 0xbc631daf86611f32faa63e7ec8c9c9571f2f5bb3 (attacker-controlled); 0xd4677b5a8b1b97ea213fdb876b0fcbab3f9f6cd1 (StablR Exploiter 3) | 1 of 3 |
| 2026-05-24 00:01:11 UTC | 0xa02e77df136fdeb2e7da4e7669ef4d6b7f1677f34c9c7b8e49d261bf4cfe2872 | USDR contract owner replaced: 0xc73fd562de86d7860ee636c20813bcb2cf4d550d swapped out for 0x482ac1a69a41e7657de6b420b7346fb09da09115 | 0x482ac1a69a41e7657de6b420b7346fb09da09115 (attacker-controlled); 0xbc631daf86611f32faa63e7ec8c9c9571f2f5bb3 (attacker-controlled); 0xd4677b5a8b1b97ea213fdb876b0fcbab3f9f6cd1 (StablR Exploiter 3) | 1 of 3 |

The evidence points clearly to a targeted attack on StablR USD’s MultiSig wallet:

1. The original owner 0xc73fd562... was either compromised or acted maliciously.

2. Using that account, the attacker replaced all owners with attacker-controlled addresses in under 15 minutes, executing three transactions in total.

3. Once in control, the address flagged by Etherscan as “StablR Exploiter 3” used the hijacked multisig to repeatedly call submitTransaction — executing mint, burn, and drain operations to continuously extract value from the contract.

4. StablR Euro was targeted in the same way; those details are not repeated here.

Attack Outcomes

Once the attackers gained control of the USDR and EURR contract admin keys, they minted large volumes of tokens and liquidated them through both centralized and decentralized exchanges, causing both stablecoins to suffer a severe depeg.

As of 16:00 CST (UTC+8) on May 24, 2026, StablR had yet to issue any public statement on the incident.

According to Bitrace’s on-chain tracking, the attacker has stolen more than 1,600 ETH to date. The funds are spread across multiple Ethereum addresses, including but not limited to:

0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca

0xa59d6ac9cbd44952fd544ae1fd6ff7e8f226aa4e

0x3a851263c36a6427d6c7d86a564ef427b570859b

0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376

Key Takeaways

This was not a typical smart contract vulnerability — it was a governance failure on the part of the stablecoin issuer:

1. The multisig threshold had long been set to 1, meaning a single signature was sufficient to authorize any transaction. Any compromised owner effectively handed over total control.

2. Poor private key management led to the exposure of a critical owner key.

3. The absence of a timelock meant any owner change took effect immediately, with no delay or secondary confirmation required.
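
The owner-change timeline and the first takeaway translate into two monitoring rules. The Python replay below is an added example, not Bitrace's or StablR's code: its input is transcribed from the timeline tables above with addresses cut to a short prefix, and the rule names and the one-hour window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed input: (UTC time, op, removed owner, added owner), transcribed
# from the timeline tables; addresses are cut to "0x" plus 8 hex characters.
TIMELINE = [
    ("2024-12-17 08:18:35", "deploy",  None,         "0x45d2d0ab"),
    ("2025-12-09 09:52:23", "add",     None,         "0xc73fd562"),
    ("2025-12-31 13:10:11", "remove",  "0x45d2d0ab", None),
    ("2025-12-31 13:12:47", "add",     None,         "0xd4b65435"),
    ("2026-05-23 23:46:11", "add",     None,         "0xd4677b5a"),
    ("2026-05-23 23:46:59", "replace", "0xd4b65435", "0xbc631daf"),
    ("2026-05-24 00:01:11", "replace", "0xc73fd562", "0x482ac1a6"),
]
REQUIRED = 1  # per the tables, the signature threshold never left 1


def audit(timeline, required=REQUIRED, window=timedelta(hours=1)):
    """Replay owner changes; return a list of (time, rule, detail) findings."""
    owners, history, findings = set(), [], []
    for stamp, op, removed, added in timeline:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # Owner set as it stood one window earlier (empty before deployment).
        baseline = set()
        for past_time, past_owners in history:
            if past_time <= when - window:
                baseline = past_owners
        if removed:
            owners.discard(removed)
        if added:
            owners.add(added)
        history.append((when, frozenset(owners)))
        # Rule 1 (hypothetical name): owner set changed on a single signature.
        if op != "deploy" and required < 2:
            findings.append((stamp, "single-signer-owner-change", op))
        # Rule 2 (hypothetical name): no owner from one window ago remains.
        if baseline and not (baseline & owners):
            findings.append((stamp, "full-owner-turnover", sorted(owners)))
    return findings


if __name__ == "__main__":
    for finding in audit(TIMELINE):
        print(*finding)
```

Rule 1 fires on every owner change in the contract's history, including the issuer's own, while rule 2 stays silent during the issuer's December 2025 rotation and fires only on the final replacement in the takeover.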
