BlackHart Hacks Feed

StablR

May 23, 2026 · Ethereum · Key Compromise
$11.0M total loss
Status: Confirmed

An attacker minted approximately $11M of unauthorized stablecoins after compromising a single operations key that controlled the mint authority on both EURR and USDR. The mint-authority contracts are the original ConsenSys MultiSigWallet (not Gnosis Safe), and both were configured with required=1, meaning one signer could submit and execute any transaction immediately. The attacker then added three decoy owners and removed both legitimate owners during the attack, making the public picture look like a multi-party compromise when it was a single key. About 7,010,000 EURR and 3,310,000 USDR were minted to nine attacker-controlled wallets over three hours. Both stablecoins depegged; USDR to about $0.78 and EURR to about $0.88.

On-chain customer balances of EURR and USDR before May 23: safe
HadronToken implementation contract bytecode: safe
Proxy admin multisigs (not used in attack): safe
StablR reserve assets (off-chain): unknown. Off-chain reserves were not exposed by this attack, but the attacker minted unbacked tokens against them, creating a reserve shortfall.
EURR peg: drained. Depegged from about $1.10 to $0.88.
USDR peg: drained. Depegged from $1.00 to about $0.78.
Mint authority on both stablecoins: drained. Approximately $11M minted unauthorized; both multisigs now solely under attacker control.
What the score saw

StablR has not been scored by our risk model. The relevant control surface for this attack is custody architecture, specifically the threshold on the mint-authority multisig, the separation of duties between the EURR and USDR signer sets, and whether signer keys live in an HSM, an MPC scheme, or raw EOA wallets. A setting like required=1 is a storage value fixed at deployment, not a property of the contract code, so neither a bytecode review nor a source audit would flag it. It is, however, readable on-chain through the wallet's public required() getter and getOwners() view, which is exactly what a custody review should check.

Exploit anatomy

An attacker compromised the operations key of the legitimate signer that controlled both StablR multisigs. Both multisigs are the old ConsenSys MultiSigWallet (not Gnosis Safe) and both had required=1, so a single key was sufficient to submit and execute any transaction. The attacker added three decoy owners to each of the EURR and USDR multisigs, removed both legitimate owners, and minted 7M EURR and 3.3M USDR into nine attacker wallets. Proceeds are being dumped via DEX swaps and consolidated into an ETH aggregation wallet holding about 1,173 ETH.

Fund flow

Source
  Compromised operations signer 0xc73fd562...4d550d: real key, used Dec 2025 to May 19 2026
Takeover
  EURR multisig (required=1) 0x8278d288...ade5bc: 3 attacker owners added, 2 legit removed
  USDR multisig (required=1) 0xf45392bd...9b82f3: 3 attacker owners added, 2 legit removed
Mint recipients
  Primary consolidation 0xbb64302c...58675d: 4M EURR + 1M USDR across 5 mints
  Attacker primary EOA 0xd4677b5a...9f6cd1: added as multisig owner, got 1M EURR direct
  Dual-token wallet 0x8c195776...266c51: 500K EURR + 500K USDR
  ZachXBT-tagged attacker 0xea480c23...965a04: 400K EURR + 400K USDR
  6 additional wallets: smaller mint amounts
DEX dumps
  MetaMask Swap Router micro-swaps: ~50 swaps at ~900 EURR each, slippage management
Aggregation
  ETH consolidation wallet 0x09BE1A36...2B0ACA: 1,173 ETH (~$2.49M), still growing
Full forensic detail

Step-by-step reconstruction, root cause, counterfactuals, remediation, and disclosure timeline.

Exploit anatomy

1. Attacker obtains the private key for the legitimate operations signer 0xc73fd562de86d7860ee636c20813bcb2cf4d550d, which had been used for weekly mints on EURR and USDR since December 2025. The exfiltration vector is not publicly confirmed; the compromised wallet had collected airdrops from multiple low-quality tokens in the months prior, consistent with phishing exposure via airdrop-claim sites.

2. Starting at 23:33 UTC on 2026-05-23, the attacker uses the compromised operations key to add three attacker-controlled addresses as owners on the USDR mint-authority multisig (0xf45392bd2...): 0xd4677b5a (primary), 0xbc631daf (decoy), 0x482ac1a6 (decoy). addOwner is onlyWallet, so each addition is a submitTransaction whose destination is the wallet itself; with required=1 the submitter's own confirmation meets the threshold and the inner call executes in the same transaction.
   0xf45392bd...9b82f3  submitTransaction(address,uint256,bytes) -> addOwner

3. Between 23:46 UTC and 00:01 UTC, the attacker repeats the same owner-addition sequence on the EURR mint-authority multisig (0x8278d2881...). At some point in the attack window, the attacker also uses the compromised key to remove both legitimate operations signers (0xc73fd562, 0xd4b65435) from both multisigs, completing the ownership takeover.
   0x8278d288...ade5bc  submitTransaction(address,uint256,bytes) -> addOwner / removeOwner

4. At 23:47:35 UTC on May 23 (block 25,161,357), 84 seconds after the first attacker owner was added to the EURR multisig, the attacker submits the first successful unauthorized mint: 1,000,000 EURR to 0xd4677b5a (the attacker's primary EOA).
   0x8278d288...ade5bc  submitTransaction wrapping HadronToken.mint(address,uint256)  tx: 0x775d63fb...a1caa9

5. Over the next 3 hours (blocks 25,161,357 to 25,162,256), the attacker submits 11 more EURR mint transactions and 6 USDR mint transactions, totaling 7,010,000 EURR and 3,310,000 USDR across 9 attacker-controlled EOAs. The largest single recipient is 0xbb64302c... (4M EURR + 1M USDR across 5 mints).

6. Both stablecoins depeg immediately. USDR falls from $1.00 to approximately $0.78 (-22%). EURR falls from approximately $1.10 to $0.88 (-19% relative to USD).

7. The attacker begins dumping minted tokens via the MetaMask Swap Router, executing approximately 50 micro-swaps from consolidation wallet 0xbb64302c at ~900 EURR per swap to manage price impact. Proceeds aggregate into ETH wallet 0x09BE1A36c2d7f9909eb3D6F9184c6e46A12B0ACA, which holds 1,173.84 ETH (~$2.49M) at report cutoff.
   0xbb64302c...58675d  transfer / DEX swap

8. ZachXBT publicly flags the exploit via his investigations Telegram channel, identifying 8 attacker-linked addresses. CryptoBriefing publishes the first major news article at approximately 02:12 UTC on 2026-05-24, framing the attack as a multi-signer Safe compromise. That framing is incorrect: the actual mechanism is a single-key compromise of a required=1 MultiSigWallet, with the additional attacker-controlled owners added during the attack as decoys.
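Every call in steps 2 to 5 is a submitTransaction wrapper; only the inner calldata tells an owner-set change from a mint. The following is an added example, not BlackHart's tooling or StablR's code. It hand-encodes and decodes submitTransaction(address,uint256,bytes), classifies the inner call against a simple mint policy (self-calls to the wallet are governance changes; mints are checked against a recipient allowlist and a per-tx limit), and checks values read back from required() and getOwners() against the documented signer set, the check that would have surfaced required=1 before the attack. Addresses, token decimals and policy limits are constructed placeholders; the selectors are the standard ones from the MultiSigWallet and mintable ERC20 ABIs.

```python
"""Decode ConsenSys/Gnosis MultiSigWallet submitTransaction calldata and flag
owner-set manipulation and out-of-policy mints. Added example, not BlackHart or
StablR code. Stdlib only: ABI encoding is done by hand for address/uint256/bytes."""
from dataclasses import dataclass

# 4-byte selectors: first 4 bytes of keccak256(signature), from the published
# MultiSigWallet and mintable-ERC20 ABIs.
SUBMIT = bytes.fromhex("c6427474")        # submitTransaction(address,uint256,bytes)
ADD_OWNER = bytes.fromhex("7065cb48")     # addOwner(address)
REMOVE_OWNER = bytes.fromhex("173825d9")  # removeOwner(address)
CHANGE_REQ = bytes.fromhex("ba51a6df")    # changeRequirement(uint256)
MINT = bytes.fromhex("40c10f19")          # mint(address,uint256)

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr_word(addr: str) -> bytes:
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")

def _word_to_addr(w: bytes) -> str:
    return "0x" + w[12:32].hex()

def encode_submit(destination: str, value: int, data: bytes) -> bytes:
    """3-word head (address, uint256, offset 0x60 of the dynamic bytes),
    then the bytes length word and the data padded to a 32-byte multiple."""
    padded = data + b"\x00" * (-len(data) % 32)
    return (SUBMIT + _addr_word(destination) + _word(value) + _word(0x60)
            + _word(len(data)) + padded)

def decode_submit(calldata: bytes) -> tuple:
    if calldata[:4] != SUBMIT:
        raise ValueError("not a submitTransaction call")
    body = calldata[4:]
    destination = _word_to_addr(body[0:32])
    value = int.from_bytes(body[32:64], "big")
    offset = int.from_bytes(body[64:96], "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    return destination, value, body[offset + 32:offset + 32 + length]

@dataclass(frozen=True)
class MintPolicy:
    multisig: str               # the mint-authority wallet itself (lowercase hex)
    token: str                  # the stablecoin proxy it may mint on
    expected_owners: frozenset  # documented signer set
    mint_allowlist: frozenset   # treasury/custodian addresses allowed to receive mints
    max_mint_per_tx: int        # raw token units

def classify_submit(calldata: bytes, policy: MintPolicy) -> list:
    """(finding, detail) pairs for one submitTransaction; [] means in policy."""
    destination, _value, inner = decode_submit(calldata)
    selector, args = inner[:4], inner[4:]
    findings = []
    if destination == policy.multisig:
        # onlyWallet functions are reachable only via a self-call, so a
        # submitTransaction aimed at the wallet itself is always governance.
        if selector == ADD_OWNER:
            who = _word_to_addr(args[0:32])
            kind = "OWNER_ADDED" if who in policy.expected_owners else "UNEXPECTED_OWNER_ADDED"
            findings.append((kind, who))
        elif selector == REMOVE_OWNER:
            findings.append(("OWNER_REMOVED", _word_to_addr(args[0:32])))
        elif selector == CHANGE_REQ:
            new_required = int.from_bytes(args[0:32], "big")
            if new_required < 2:
                findings.append(("REQUIREMENT_BELOW_2", str(new_required)))
    elif destination == policy.token and selector == MINT:
        to = _word_to_addr(args[0:32])
        amount = int.from_bytes(args[32:64], "big")
        if to not in policy.mint_allowlist:
            findings.append(("MINT_TO_UNALLOWLISTED", to))
        if amount > policy.max_mint_per_tx:
            findings.append(("MINT_OVER_PER_TX_LIMIT", str(amount)))
    return findings

def check_configuration(required: int, owners: list, policy: MintPolicy) -> list:
    """Static check on the values read back from required() and getOwners()."""
    problems = []
    if required < 2:
        problems.append(f"required={required}: one key submits and executes in one call")
    drift = sorted(set(owners) ^ policy.expected_owners)
    if drift:
        problems.append("owner set differs from documented signers: " + ", ".join(drift))
    return problems

# Constructed placeholder addresses for the example; none are real.
MULTISIG, TOKEN = "0x" + "a1" * 20, "0x" + "b2" * 20
OPS_SIGNER, TREASURY, ATTACKER = "0x" + "c3" * 20, "0x" + "d4" * 20, "0x" + "e5" * 20
UNITS = 10 ** 6  # placeholder decimals for the example
POLICY = MintPolicy(MULTISIG, TOKEN, frozenset({OPS_SIGNER}), frozenset({TREASURY}),
                    500_000 * UNITS)
WEEKLY_MINT = encode_submit(TOKEN, 0, MINT + _addr_word(TREASURY) + _word(250_000 * UNITS))
TAKEOVER = encode_submit(MULTISIG, 0, ADD_OWNER + _addr_word(ATTACKER))
ROGUE_MINT = encode_submit(TOKEN, 0, MINT + _addr_word(ATTACKER) + _word(1_000_000 * UNITS))

if __name__ == "__main__":
    for name, call in (("weekly", WEEKLY_MINT), ("takeover", TAKEOVER), ("rogue", ROGUE_MINT)):
        print(name, classify_submit(call, POLICY))
    print(check_configuration(1, [OPS_SIGNER, ATTACKER], POLICY))
```

The routine weekly mint produces no findings; the addOwner self-call and the 1M mint to a non-allowlisted address each do, and check_configuration reports both the required=1 threshold and the owner drift. In production the calldata would come from pending or mined transactions to the wallet, and required()/getOwners() from an eth_call, but the policy logic is identical.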

Root cause

The mint authority on both EURR and USDR was vested in ConsenSys MultiSigWallet contracts (Stefan George, Solidity 0.4.16, not Gnosis Safe) configured with required=1. This is single-signer authority in multisig clothing: any owner could submit any transaction and have it execute on the same call, because the submitter's own confirmation already meets the threshold. The attacker compromised one operations signer (0xc73fd562...), then used that key to (1) add three attacker-controlled addresses as new owners on both multisigs, (2) remove both legitimate owners, and (3) mint 7.01M EURR and 3.31M USDR through the now fully attacker-controlled mint authority.

The compromise vector for the original key is undetermined, but the compromised wallet had collected airdrops from multiple low-quality tokens (Claude, QAI, AIG, OpenClaw, FEAST, BlackGold, WAR) in the months before the attack, an operational anti-pattern that turns a mint-authority key into a phishing target.

The HadronToken implementation itself (Tether Hadron Limited) is a standard upgradeable ERC20 with onlyOwner mint(); the exploit was an access-control bypass via key compromise plus owner-set manipulation, not a smart contract bug. The three decoy 'co-signers' the attacker added made the attack look multi-party, a novel obfuscation pattern that misled major news outlets into the wrong framing.

Compounding factors: a shared owner set across both stablecoins (one key compromise drained both), no realtime Mint() event monitoring (the 3-hour drain went unhalted), and a marketing claim of 'MPC and Multisig technology' inconsistent with the deployed required=1 single-signer configuration.

Prevention analysis

Threshold of at least 2 on both mint-authority multisigs.

If the wallets had required at least 2 signatures (2-of-3, with a third signer so that a single lost key does not freeze issuance), a single signer compromise would have been insufficient; the attacker would have needed a second key to execute anything, including the addOwner calls. On the ConsenSys MultiSigWallet this is a one-call change, changeRequirement(2), which is itself onlyWallet and so goes through submitTransaction like any other wallet action. These contracts are MultiSigWallet, not Safe, so Safe's changeThreshold does not apply here.

Separated signer sets per token (EURR multisig and USDR multisig with no overlapping signers).

A single signer compromise should drain at most one stablecoin, not both. The 2-for-1 outcome here resulted from operational convenience (one signer set for both multisigs) creating a single point of failure across the entire StablR product line.

Hardware-wallet or HSM-backed signers (rather than EOAs with exportable keys).

Removes the key-exfiltration vectors (CI/CD secret leak, laptop key extraction, browser-extension theft) and is industry standard for regulated EMI issuers holding mint authority on production stablecoins. It does not by itself stop a signer from approving a malicious transaction they were tricked into signing (compare the Drift blind-signing case below), which is why the threshold and separation-of-duties controls are still needed alongside it.

Realtime alerting on Mint() events with auto-pause via a separate pauser multisig.

The HadronToken contract emits a Mint event on every privileged mint. Realtime monitoring (Forta, Tenderly, Hypernative) on Mint events outside the expected recipient set or issuance schedule would have fired within seconds of the first mint, allowing a separate pauser multisig (different signer set) to pause the token. That would have cut the 3-hour drain to under 10 minutes, bounding the loss to the mints that landed before the pause took effect.

Similar incidents

Resolv USR

AWS KMS minter key compromise (March 2026). $80M unauthorized USR minted, $25M extracted, immediate depeg. Identical mechanism: privileged mint, no realtime monitoring, no out-of-band signing approval.

Drift Protocol

Multisig signer compromised via blind-signing social engineering on a 2/5 Safe (April 2026, $285M). Same root cause: weak operational security on privileged authority.

Polymarket

Operational hot-wallet private-key compromise on Polygon (May 2026, $700K). Smaller scope (no mint authority) but identical anti-pattern of single-key custody for protocol-adjacent value.

Remediation

1. Treat any operations key generated, stored, or used through the same workflow as the compromised 0xc73fd562 as suspect. Audit infrastructure with access: signer laptops, hot-wallet workstations, browser extensions, airdrop-claim dApp interactions.
2. Coordinate with major exchanges (Binance, Coinbase, Kraken, OKX, Bybit, KuCoin) and analytics providers (TRM, Chainalysis, Elliptic) to flag the consolidation wallets, with priority on 0xbb64302c, 0x8c195776, 0xea480c23, 0xd4677b5a, and 0x09BE1A36. The attacker is still moving funds.
3. Pause any on-chain integrations that rely on EURR/USDR price stability: lending market exposures, AMM pool positions, structured products.
4. Use the proxy-admin multisigs (0xa0609c... and 0xbfff92...) to upgrade the HadronToken implementation to a paused / no-op version, halting transfers and mints until custody is rebuilt. Audit the proxy-admin multisigs first to confirm they are not compromised.
5. Rebuild the mint-authority multisigs with required>=2 and HSM-backed or MPC-custodied signer keys. Migrate off the old ConsenSys MultiSigWallet contract; the Stefan George contract is unmaintained and lacks pause, role separation, and modern event hygiene.
6. Add an on-chain timelock (24-72h delay) on any mint or redeem execution.
7. Implement realtime alerting on Mint() and Redeem() events with auto-pause via a separate pauser multisig whose signer set does not overlap with the owner multisig.
8. Add an issuance velocity circuit breaker in the HadronToken implementation: max-mint-per-day, max-mint-per-tx, enforced by a separate non-upgradeable check.
9. Separate the EURR and USDR multisigs so they do not share owners. A single key compromise should not affect both products.
10. Publish a full post-mortem within 30 days covering: the exact key exfiltration vector, the timeline of compromise, the rotation procedure underway, and what user-facing systems were verified untouched.
11. Engage the MFSA proactively. StablR holds a MiCAR-compliant EMI license; a multi-million-euro unauthorized mint is a material event that triggers regulatory reporting obligations under MiCAR.
12. Correct public marketing claims about 'MPC and Multisig technology.' A required=1 MultiSigWallet is not multisig in any meaningful security sense.
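The alerting recommendation in the prevention analysis and items 7 and 8 above can be sized and reasoned about offline. The following is an added example, not StablR's or BlackHart's code: it replays a constructed mint stream shaped like the 18-transaction drain (one routine weekly mint, then 18 rogue mints ten minutes apart) through a sliding-window velocity breaker that asks a pauser to act, plus a modelled on-chain per-transaction cap, and reports how much issuance each configuration would have allowed. The thresholds, the 300-second pauser reaction time, the token decimals and the event timestamps are all assumptions chosen for the example.

```python
"""Issuance-velocity circuit breaker replayed over HadronToken-style Mint events.

Added example, not StablR or BlackHart code. Two layers are modelled: an
off-chain monitor that trips on issuance velocity and asks a separate pauser
multisig to halt the token (reactive), and a per-tx mint cap enforced in the
token contract (preventive). The event stream is constructed, not chain data."""
from collections import deque
from dataclasses import dataclass, field

UNITS = 10 ** 6  # placeholder decimals for the example


@dataclass
class VelocityBreaker:
    """Sliding-window issuance limit, sized to what routine operations need."""
    max_volume: int          # raw units minted per window before tripping
    max_count: int           # mints per window before tripping
    window: int = 86_400     # seconds
    _events: deque = field(default_factory=deque, repr=False)

    def observe(self, ts: int, amount: int) -> bool:
        """Record one Mint at block time ts; return True if it trips the breaker."""
        while self._events and ts - self._events[0][0] >= self.window:
            self._events.popleft()
        self._events.append((ts, amount))
        volume = sum(a for _, a in self._events)
        return volume > self.max_volume or len(self._events) > self.max_count


def replay(events, breaker: VelocityBreaker, per_tx_cap: int, pause_latency: int):
    """Replay (ts, amount) mints through both layers.

    per_tx_cap: mint() reverts above this amount (on-chain, no event emitted).
    pause_latency: seconds from the alert until pause() lands on-chain, i.e.
    the pauser multisig's reaction time.
    Returns (total issued, timestamp at which the token was paused, or None)."""
    issued, pause_at = 0, None
    for ts, amount in events:
        if pause_at is not None and ts >= pause_at:
            break                      # paused: every further mint reverts
        if amount > per_tx_cap:
            continue                   # capped: this mint reverts, nothing issued
        issued += amount
        if pause_at is None and breaker.observe(ts, amount):
            pause_at = ts + pause_latency
    return issued, pause_at


T0 = 1_800_000_000  # arbitrary epoch for the constructed attack window


def scenario():
    """One routine 250k mint a week earlier, then 18 rogue 500k mints spaced
    ten minutes apart (about 3 hours, 9M total), mirroring the 18-tx drain."""
    routine = [(T0 - 7 * 86_400, 250_000 * UNITS)]
    rogue = [(T0 + i * 600, 500_000 * UNITS) for i in range(18)]
    return routine + rogue


def compare():
    """Issuance under three configurations. The 1M/day, 3-mints/day breaker is
    sized so a single routine weekly mint never trips it."""
    def breaker():
        return VelocityBreaker(max_volume=1_000_000 * UNITS, max_count=3)
    return {
        "no_controls": replay(scenario(), VelocityBreaker(10 ** 40, 10 ** 9), 10 ** 40, 0),
        "breaker_only": replay(scenario(), breaker(), 10 ** 40, pause_latency=300),
        "breaker_and_300k_cap": replay(scenario(), breaker(), 300_000 * UNITS, 300),
    }


if __name__ == "__main__":
    for name, (issued, paused) in compare().items():
        print(f"{name:22s} issued={issued // UNITS:>10,}  paused_at={paused}")
```

With no controls the whole 9M lands. The breaker alone trips on the third rogue mint (1.5M in the window) and the pause lands five minutes later, so 1.5M of unauthorized issuance gets through on top of the routine 250k: the reactive layer bounds loss to what fits inside the window threshold plus pauser latency. Adding a 300k per-tx cap rejects every 500k rogue mint on-chain while still admitting the routine 250k, which is why item 8 asks for the cap in the token itself rather than only in a monitor.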

Timeline

2025-12-09: Operations signer 0xc73fd562 added as owner of the EURR mint-authority multisig (deployed five days earlier).
2025-12-31: Second operations signer 0xd4b65435 added as backup owner.
2026-05-22: Attacker EOA 0xd4677b5a becomes active on-chain for the first time. No prior history. Funded with 0.149 ETH from 0x370a7e2d.
2026-05-23: Attacker uses the compromised 0xc73fd562 key to submit the first owner-addition transaction on the USDR multisig. Auto-executes because required=1. 0xd4677b5a becomes a USDR owner.
2026-05-23: Attacker adds 0xd4677b5a as owner of the EURR multisig. Same auto-execute behavior.
2026-05-23: Block 25,161,357: first successful unauthorized mint. 1,000,000 EURR to the attacker primary EOA. Tx 0x775d63fb...a1caa9.
2026-05-24: Third attacker-controlled owner (0x482ac1a6) added to the EURR multisig. Sometime during this window, the attacker also removed both legitimate owners (0xc73fd562 and 0xd4b65435) from both multisigs, completing the ownership takeover.
2026-05-24: Block 25,162,256: final mint of the attack. 10,000 EURR to 0x1be64f33. Totals: 7.01M EURR + 3.31M USDR across 18 transactions.
2026-05-24: CryptoBriefing publishes the first major news article. The framing (multi-signer Safe compromise) is wrong on both framework and threshold; the actual mechanism is a single-key compromise of a required=1 MultiSigWallet with attacker-added decoy owners.
2026-05-24: BlackHart publishes corrected forensic analysis after on-chain verification of the multisig framework (MultiSigWallet, not Safe), the threshold (required=1), and the owner-addition / removal sequence.

Sources and credits: ZachXBT (initial detection, attacker address graph), CryptoBriefing (first published news article), Etherscan (contract and event metadata), BlackHart (forensic reconstruction, on-chain framework verification, decoy-signer pattern identification, supply-chain hypothesis falsification)