
“Single Signature” Breach: Analysis of StablR’s Compliant Stablecoin Depeg Incident and Stolen Fund Flow Tracking

星球君的朋友们
Odaily senior author
2026-05-25 13:37
This attack originated from the loss of control over multi-signature permission management, once again sounding the alarm for sound security governance across the entire stablecoin track.
AI Summary
  • Key Insights: Stablecoin issuer StablR suffered the illegal mass minting and depegging of its compliant stablecoins EURR and USDR due to mismanaged multi-signature wallet permissions, resulting in losses exceeding $3 million. This highlights risks arising from operational governance flaws rather than code vulnerabilities.
  • Key Elements:
    1. The attack stemmed from the multi-signature wallet requiring only one signature to initiate transactions. After taking control of an owner address, the attacker added their own address to the minter set (MinterSet) and gained minting permissions.
    2. Through mass minting, the attacker issued a total of 8.35M USDR and 4.5M EURR, causing the stablecoin prices to depeg sharply by 20%.
    3. The actual loss exceeds $3 million. The illegally minted tokens were dispersed through exchanges such as ChangeNOW, Kraken, and Huobi, as well as the Tornado Cash mixer.
    4. The incident exposed operational security deficiencies of the issuer, including the lack of high-threshold multi-signature, timelocks, and rapid emergency response mechanisms.
    5. Beosin proposes mitigating such risks through a stablecoin monitoring system that continuously tracks total supply, minting activities, on-chain transactions, and price fluctuations.

Original source: Beosin

On May 24th, the stablecoin protocol StablR was attacked, causing its compliant euro stablecoin EURR and dollar stablecoin USDR to severely de-peg with a 20% drop due to illegal mass minting. The actual losses exceeded $3 million. The attack originated from a failure in multi-signature permission management, once again sounding an alarm for security governance across the entire stablecoin sector.


Attack Flow Analysis

StablR is a Malta-based stablecoin issuer. Tether had previously announced a strategic investment in StablR and said it would provide stablecoin issuance and risk management tools through its Hadron tokenization platform. StablR currently offers two compliant stablecoin products: EURR and USDR.

By analyzing on-chain data, we can observe:

The multi-signature wallet controlling EURR minting is: 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc

The multi-signature wallet controlling USDR minting is: 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3

Because these multi-signature wallets required only one signature to execute a transaction, the attacker, having compromised the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d, was able to add the attacker-controlled address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to both multi-signature wallets:

[Figure: the transactions adding the attacker address to both multi-signature wallets]

Related transaction hashes:

(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a

(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de

From the above process, we can see that this incident was not due to a code vulnerability, but rather an operational security issue on the part of the stablecoin issuer: failure to secure the privileged address's private key, failure to use high-threshold multi-signature for high-value/high-risk operations, no time lock for large-scale minting operations, and a lack of rapid emergency response mechanisms.

After the attacker address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 obtained minting permissions, the attacker began large-scale minting and sent the minted stablecoins to multiple addresses:

[Figure: minting transactions sent from the attacker address]

According to Beosin's statistics, a total of 8.35M USDR and 4.5M EURR were minted. Related minting query link: https://etherscan.io/advanced-filter?fadd=0x0000000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50

Stolen Fund Flow Analysis

The actual losses caused by this incident exceeded $3 million. After minting, the main receiving addresses were:

1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 (received a total of 1,000,000 EURR)

2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D (received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current balance: 324,163.04 USDR, 1,204,098.63 EURR)

3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04 (received a total of 412.67 ETH, 2,575,966.87 USDR and 650,000 EURR)

4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb (received a total of 235.92 ETH, 700,000 EURR and 200,000 USDR)

5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d (received a total of 225.54 ETH, 4,000,000 USDR and 1,000,000 EURR)

6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a (received a total of 2,000,000 USDR; current balance: 1,969,000 USDR)

7. 0x8c1957765721e2540c03A0D64435a469a7266c51 (received a total of 1,400,000 USDR and 1,400,000 EURR; current balance: 900,000 EURR, 900,000 USDR)

8. 0x865eC0587CdF305877783C080d97DEdD4f60398f (received a total of 504,000 USDR)

Through Beosin Trace analysis, a portion of the illegally minted EURR and USDR was transferred to various exchanges via fund dispersal methods, including ChangeNOW, Kraken, Huobi, WhiteBIT, and others, while a small amount of funds entered the Tornado Cash mixer.

Beosin Trace can penetrate mixers like Tornado Cash as well as flash swap exchanges like ChangeNOW and Fixedfloat, with relevant penetration results as follows:

[Figure: Beosin Trace tracing results through Tornado Cash and the swap services]

Excluding funds transferred to centralized exchanges, the on-chain fund settlement status is as follows:

1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca (settled amount: 1,488.08 ETH)

2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f (settled amount: 510,673.98 USDR, 44,000 EURR)

3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926 (settled amount: 85.21 ETH, 15,263.22 USDT, 101,241.95 EURR)

4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762 (settled amount: 8.91 ETH, 26,816.98 USDT, 250,570.03 EURR)

5. 0xde7adbb368c2616df8c5c0e986933bee8f660add (settled amount: 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR, 258,117.67 EURR)

6. 0x0bc0b7b24876ac10397646ea0194735ccc271edd (settled amount: 100 ETH)

7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386 (settled amount: 100,000 USDR)

8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376 (settled amount: 15 ETH)

The overall fund flow is shown in the following diagram:

[Figure: stolen fund flow analysis diagram by Beosin Trace]

This security incident demonstrates that code audits cannot resolve operational/governance deficiencies. Stablecoin issuers and regulators should consider proactively monitoring the circulation and operational status of stablecoins in secondary markets based on risk. Addressing this industry pain point, Beosin has launched a stablecoin monitoring system (Stablecoin Monitoring) covering the entire stablecoin lifecycle. This system supports continuous monitoring of key operational indicators, including total issuance volume, minting and burning activities, holder address distribution, and on-chain transaction flows:

[Figure: Beosin Stablecoin Monitoring overview]

In the circulation phase, Stablecoin Monitoring integrates price fluctuation and peg status analysis to promptly detect de-peg risks caused by market manipulation or liquidity crises, addressing attack scenarios like the mass malicious minting following the private key leak in the StablR incident. It also possesses cross-chain activity tracking capabilities, enabling it to trace fund flows across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts, facilitating user identification of related fraud risks.
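The two controls this incident points at, a multisig threshold that can fall to a single signature and mass minting that is out of proportion to existing supply, can both be watched from decoded on-chain events. The following is an added example written for this article, not Beosin's Stablecoin Monitoring or StablR's code: it replays a constructed stream of Safe-style and ERC-20-style events (addresses, amounts and block numbers are hypothetical) and raises alerts on owner additions, thresholds below a policy floor, unknown minters, and mints that exceed a fraction of the prior supply in a single block.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ZERO_ADDR = "0x" + "0" * 40  # ERC-20 mints appear as Transfers from the zero address


@dataclass(frozen=True)
class Event:
    block: int
    contract: str        # token or multisig contract that emitted the event
    name: str            # "Transfer", "AddedOwner", "ChangedThreshold", "MinterAdded"
    args: Dict[str, object]


# Constructed sample stream (hypothetical addresses/amounts, not the incident's data):
# a normal treasury mint, then an owner takeover, threshold drop, new minter and mass mint.
TOKEN, SAFE = "0xTOKEN", "0xSAFE"
SAMPLE_EVENTS = [
    Event(100, TOKEN, "Transfer", {"from": ZERO_ADDR, "to": "0xtreasury", "value": 50_000}),
    Event(120, SAFE, "AddedOwner", {"owner": "0xattacker"}),
    Event(120, SAFE, "ChangedThreshold", {"threshold": 1}),
    Event(121, TOKEN, "MinterAdded", {"minter": "0xattacker"}),
    Event(122, TOKEN, "Transfer", {"from": ZERO_ADDR, "to": "0xattacker", "value": 4_000_000}),
    Event(122, TOKEN, "Transfer", {"from": "0xattacker", "to": "0xmule", "value": 1_000_000}),
]


def governance_alerts(events: List[Event], known_minters, min_threshold: int = 2) -> List[Tuple[int, str]]:
    """Alert on owner additions, thresholds below the policy floor and minters not on the allowlist."""
    alerts = []
    for e in events:
        if e.name == "AddedOwner":
            alerts.append((e.block, f"owner added to {e.contract}: {e.args['owner']}"))
        elif e.name == "ChangedThreshold" and e.args["threshold"] < min_threshold:
            alerts.append((e.block, f"threshold on {e.contract} dropped to {e.args['threshold']}"))
        elif e.name == "MinterAdded" and e.args["minter"] not in known_minters:
            alerts.append((e.block, f"unknown minter on {e.contract}: {e.args['minter']}"))
    return alerts


def mint_alerts(events: List[Event], supply_before: Dict[str, int], max_ratio: float = 0.05) -> List[Tuple[int, str]]:
    """Replay mints per (block, token) and alert when one block mints more than max_ratio of prior supply."""
    minted_per_block = defaultdict(int)
    for e in events:
        if e.name == "Transfer" and e.args["from"] == ZERO_ADDR:
            minted_per_block[(e.block, e.contract)] += int(e.args["value"])
    supply = dict(supply_before)   # running total supply, updated as mints are replayed in order
    alerts = []
    for (block, token), minted in sorted(minted_per_block.items()):
        before = supply.get(token, 0)
        if before and minted > max_ratio * before:
            alerts.append((block, f"{token} minted {minted} in block {block} against supply {before}"))
        supply[token] = before + minted
    return alerts
```

With a starting supply of 10,000,000 the 50,000 treasury mint stays under the 5% ceiling while the 4,000,000 mint in block 122 trips it; the governance pass flags the owner addition, the threshold of 1, and the unknown minter independently of any mint volume.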
