StablR is a Malta-based stablecoin issuer with an Electronic Money Institution license, MiCA compliance, and a strategic investment from Tether. On Sunday morning, someone stole one private key and used it to mint $13.5 million worth of tokens that did not exist minutes earlier.
EURR, the euro-pegged token, dropped to $0.85. USDR, the dollar peg, fell to $0.40 at its worst. Blockaid flagged the exploit first. ZachXBT estimated total impact near $10 million.
One Key Was Enough
StablR’s minting contract used a multisig wallet with a 1-of-3 threshold. That means any single key holder could authorize transactions without the other two. The attacker compromised one key, added their own wallet as a new owner, removed the two legitimate signers, and locked the original team out entirely.
With sole control, the attacker minted 8.35 million USDR and 4.5 million EURR. Combined face value: roughly $13.5 million. They swapped the freshly minted tokens on DEXs with thin liquidity, extracting approximately 1,115 ETH worth $2.8 million. The rest evaporated into slippage. Thin pools could not absorb $13 million in sell pressure.
MiCA Did Not Prevent This
StablR was one of the first stablecoin issuers to secure MiCA compliance. It held segregated reserves at regulated financial institutions. It had proof-of-reserve attestations. It ticked every regulatory box that the EU framework requires. None of that mattered when the governance layer protecting the minting function used a 1-of-3 threshold.
MiCA regulates reserves, disclosures, and consumer protections. It does not, and realistically cannot, micromanage every multisig threshold or key storage practice. That gap is not a flaw in the regulation. It is a reminder that compliance and security are two different things. The stablecoin market crossed $321 billion this year with dozens of new issuers competing for share. StablR’s exploit shows that the weakest link in that stack is still human.
The Resolv Playbook, Again
This is nearly identical to the Resolv crisis earlier this year, where $80 million was exploited through the same mechanics: a single insufficiently protected key enabled minting at scale. Different project, different chain, same vulnerability. The DeFi industry knows exactly what a 1-of-3 multisig risks. Projects keep using them anyway because higher thresholds create operational friction.
Blockaid classified this as a governance and key management failure, not a code bug. That distinction keeps coming up. The smart contracts did exactly what they were told to do. The problem was who was doing the telling.
What Happens to $13.5 Million in Unbacked Tokens
The minted tokens are still circulating. StablR has not confirmed whether it can burn them, claw them back, or blacklist the addresses holding them. The team’s first public statement said they are “actively working to contain it and minimize impact.” That was hours after the drain started.
Until the unbacked supply is removed, both EURR and USDR will trade below their pegs. Buyers will not trust a 1:1 backing claim when $13.5 million in phantom tokens are floating in DEX pools. The pattern is now unmistakable: crypto’s biggest security failures are not code failures. They are access failures. Keys, not contracts, are the attack surface that keeps getting exploited.
StablR built a solid reputation over the past year as a compliant bridge between traditional finance and on-chain liquidity. Today’s exploit tests whether that reputation can survive a real-world stress event. The next 48 hours are critical: how much excess supply exists, how it gets burned, and what upgraded custody measures replace the 1-of-3 threshold. The answers will determine whether StablR recovers or joins the growing list of stablecoins that could not survive their own governance.