European stablecoin issuer StablR faced a security incident over the weekend that led to the creation of $13.5 million in unbacked stablecoins, though the attackers were only able to get away with around $2.8 million in net proceeds from the hack.
The breach took place on the Ethereum network through StablR’s minting multisignature wallet. That wallet used a 1-of-3 threshold, meaning a single authorized signer could approve transactions. The attacker compromised one private key, added themselves as an administrator, and removed the legitimate operators before going on to mint roughly 8.35 million USDR (StableR’s dollar-pegged stablecoin) and 4.5 million EURR (the company’s euro-backed stablecoin).
Blockchain security firms Blockaid and GoPlus Security both described the root cause as a security setup and key-management failure rather than any flaw in the smart contract code itself.
After creating the new tokens, the attacker swapped them on decentralized exchanges (DEXs), and while thin liquidity limited the proceeds they were able to extract, the attacker ultimately walked away with roughly 1,115 ether (the native cryptocurrency of crypto network Ethereum), valued at around $2.8 million at the time. Ether lacks the backdoor intervention tools that many stablecoins with centralized issuers carry, making it much more difficult for the funds to be seized or the transactions reversed.
Worst of both financial worlds
Although stablecoins are oftentimes seen as safer and stabler alternatives to native crypto assets, this appears to be a situation where users got the worst of both the traditional and crypto financial worlds.
Due to the hack, the dollar- and euro-pegged stablecoins issued by StablR are no longer tracking the currencies they are intended to track as well as they were before the attack. While the dollar-pegged token USDR has recovered its value, EURR is still trading at roughly 17% less than its intended euro peg’s value at the time of this writing, according to data from CoinMarketCap.
Currently, it’s unclear if or how affected users will be made whole, but the official X accounts related to these stablecoins have stated, “We’ll share verified details and next steps as soon as possible.”
Containing the fallout on yet another stablecoin breach
For now, StablR responded to the attack by freezing both tokens, suspending minting and redemptions, and asking exchanges to stop trading, deposits, and withdrawals, according to CoinDesk.
While this is not the first security incident, depegging event, or hack of a stablecoin system, most other incidents have involved algorithmic or more decentralized crypto-native systems that had less connectivity with the real world via actual currency backing held in bank accounts.
Drift Protocol on Solana, for example, lost about $285 million in April when attackers with alleged ties to North Korea used social engineering to trick multisig signers into approving transactions that let them introduce a fake collateral asset and drain real liquidity including USDC, SOL, and other tokens.
The Terra Luna fiasco in 2022 is another prime example where the algorithmic stablecoin UST broke its dollar peg, setting off a death spiral in LUNA that increased its supply from roughly 1 billion to nearly 6 trillion tokens while its price collapsed from around $80 to near zero and wiped out nearly $45 billion in market value in days.
Stablecoins tend to be much more controlled than native cryptocurrencies due to the existence of backdoors and other mechanisms for reversing transactions and even seizing assets, but that did not turn out to be helpful here, as the attacker was quickly able to convert funds to an uncontrolled, crypto-native asset.
The return of trusted third-parties?
Recently, Circle received backlash from a large segment of crypto users for not being more helpful and using their backdoored privilege to the USDC stablecoin to assist in more hacks and security incidents, with the Drift case being cited as a clear example where more assistance could have been provided.
While these backdoors found in stablecoins can be extremely helpful in some circumstances, they also disrupt the key innovation of Bitcoin’s blockchain technology in that they reintroduce the sort of trusted third parties that the technology was originally intended to avoid. Iran recently found this out the hard way when the U.S. government froze $344 million of Tether’s USDT stablecoin, which may have caused the regime to double down on bitcoin and move away from dollar-denominated stablecoins.
Stablecoins are an increasingly contentious topic in crypto more generally. These dollar-pegged tokens are one of the clearest examples of the large amount of centralization that has crept into the space over the years, as entrepreneurs seek mainstream adoption of this technology with stablecoin issuers like Stripe and Circle building out their own blockchain infrastructure.
Circle, in particular, recently raised $222 million from Wall Street and Silicon Valley in a presale for its ARC token to fund their own blockchain, reducing its reliance on crypto networks like Ethereum and Solana, which potentially eat into the stablecoin issuer’s profits and weaken their overall control over the stablecoin tech stack.
