
“Single-Signature” Breach: Analysis of the StablR Compliant Stablecoin Depeg Incident and Tracking of Stolen Funds Flow

星球君的朋友们
Odaily Senior Author
2026-05-25 13:37
This attack originated from a loss of control over multi-signature permission management, once again sounding the alarm on security governance for the entire stablecoin sector.
AI Summary
  • Core Viewpoint: Because stablecoin issuer StablR mismanaged the permissions of its multi-signature wallets, its compliant stablecoins EURR and USDR were minted illegally in large quantities and depegged, causing losses of more than $3 million. The incident highlights risk arising from flaws in operational governance rather than from code vulnerabilities.
  • Key Elements:
    1. The attack was possible because the multi-signature wallets required only one signature. The attacker controlled an owner address, added their own address to the wallets' minter list, and thereby obtained minting permission.
    2. The attacker then minted a total of 8.35M USDR and 4.5M EURR, causing the stablecoins to depeg by as much as 20%.
    3. Actual losses exceeded $3 million; the illegally minted coins were dispersed and moved through platforms such as ChangeNOW, Kraken, Huobi, and the Tornado Cash mixer.
    4. The incident exposed operational security deficiencies on the issuer's side: no high-threshold multi-signature, no timelocks, and no rapid emergency response mechanism.
    5. Beosin proposes to address this class of risk with a stablecoin monitoring system that continuously tracks total supply, minting behavior, on-chain transactions, and price movements.

Original Source: Beosin

On May 24, the stablecoin protocol StablR was attacked: massive unauthorized minting caused its compliant euro stablecoin EURR and dollar stablecoin USDR to depeg sharply, by as much as 20%. The actual financial loss exceeded $3 million. The attack stemmed from a loss of control over multi-signature permissions, once again sounding an alarm for security governance across the entire stablecoin sector.


Attack Flow Analysis

StablR is a stablecoin issuer based in Malta. Previously, Tether announced a strategic investment in StablR, providing stablecoin issuance and risk management tools through its Hadron tokenization platform. Currently, StablR has launched two compliant stablecoin products: EURR and USDR.

Analyzing on-chain data reveals the following:

The multi-sig wallet controlling EURR minting is: 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc

The multi-sig wallet controlling USDR minting is: 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3

Because these multi-sig wallets required only 1 signature to execute a transaction, the attacker, having compromised the owner address (0xC73fD562de86d7860EE636C20813Bcb2cF4D550d), was able to add the attacker's own address (0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1) to both multi-sig wallets.


Related transaction hashes:

(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a

(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de

From the above process, we can see that this incident was not due to a code vulnerability, but an operational security issue on the part of the stablecoin issuer: failing to securely store the private key of privileged addresses, not using high-threshold multi-sig for high-value/high-risk operations, lacking a timelock for large minting transactions, and lacking a rapid emergency response mechanism.

After the attacker's address (0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1) obtained minting privileges, the attacker began large-scale minting and sent the minted stablecoins to multiple addresses:


According to Beosin statistics, a total of 8.35M USDR and 4.5M EURR were minted. Related minting query link: https://etherscan.io/advanced-filter?fadd=0x0000000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50

Stolen Fund Flow Analysis

The actual financial loss from this incident exceeded $3 million. After the minting, the main receiving addresses were:

1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 (received a total of 1,000,000 EURR)

2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D (received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current balance: 324,163.04 USDR, 1,204,098.63 EURR)

3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04 (received a total of 412.67 ETH, 2,575,966.87 USDR, 650,000 EURR)

4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb (received a total of 235.92 ETH, 700,000 EURR, 200,000 USDR)

5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d (received a total of 225.54 ETH, 4,000,000 USDR, 1,000,000 EURR)

6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a (received a total of 2,000,000 USDR; current balance: 1,969,000 USDR)

7. 0x8c1957765721e2540c03A0D64435a469a7266c51 (received a total of 1,400,000 USDR and 1,400,000 EURR; current balance: 900,000 EURR, 900,000 USDR)

8. 0x865eC0587CdF305877783C080d97DEdD4f60398f (received a total of 504,000 USDR)

Beosin Trace analysis shows that a portion of the illegally minted EURR and USDR was dispersed across many addresses and then transferred to exchanges such as ChangeNOW, Kraken, Huobi, and WhiteBIT. A small amount of funds was sent to the Tornado Cash mixer.
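The two figures the analysis reports per address, "received a total of" and "current balance", plus the walk from the minting recipients to exchange deposit addresses, can be reproduced from plain ERC-20 Transfer records. The script below is an added example and is not Beosin Trace or any code from the incident; it computes per-address inflow totals and remaining balances, then performs a breadth-first walk from seed addresses that stops at any address carrying an exchange or mixer label. The transfer records, the two deposit addresses and their labels are constructed; the attacker address and the second receiving address are the ones listed above.

```python
"""Fund-flow summarisation over ERC-20 transfers (added example, not Beosin Trace).

`summarize` yields per-address received totals and remaining balances per token;
`cashout_paths` walks outgoing transfers from seed addresses until it reaches an
address that has an exchange/mixer label. Labels in practice come from an
attribution database; here they are constructed.
"""
from collections import defaultdict, deque, namedtuple

ZERO = "0x0000000000000000000000000000000000000000"
Tx = namedtuple("Tx", "token frm to value")  # value already scaled by decimals


def summarize(transfers):
    """Per-address received totals and remaining balances, keyed by token symbol."""
    received = defaultdict(lambda: defaultdict(float))
    balance = defaultdict(lambda: defaultdict(float))
    for t in transfers:
        if t.frm != ZERO:                      # a mint has no paying address
            balance[t.frm][t.token] -= t.value
        received[t.to][t.token] += t.value
        balance[t.to][t.token] += t.value
    return received, balance


def cashout_paths(transfers, seeds, labels, max_hops=4):
    """Breadth-first walk from each seed along outgoing transfers.

    Returns (label, token, amount, path) for every transfer that lands on a
    labelled address; labelled addresses are treated as terminal, so deposits
    are not followed into the exchange's own wallets.
    """
    out = defaultdict(list)
    for t in transfers:
        out[t.frm].append(t)
    hits = []
    for seed in seeds:
        queue = deque([(seed, [seed], 0)])
        seen = {seed}
        while queue:
            addr, path, hops = queue.popleft()
            if hops >= max_hops:
                continue
            for t in out[addr]:
                if t.to in labels:
                    hits.append((labels[t.to], t.token, t.value, path + [t.to]))
                elif t.to not in seen:
                    seen.add(t.to)
                    queue.append((t.to, path + [t.to], hops + 1))
    return hits


# Constructed scenario loosely modelled on the incident: the attacker address
# receives 1,000,000 EURR from a mint, forwards part of it to a second address,
# which deposits to two labelled services. DEP_A/DEP_B are placeholder addresses.
ATTACKER = "0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1"
HOP1 = "0xBb64302c6F039D4aa800CAc93E6E54856958675D"
DEP_A = "0x" + "a" * 40   # constructed exchange deposit address
DEP_B = "0x" + "b" * 40   # constructed instant-exchange deposit address

SAMPLE_TRANSFERS = [
    Tx("EURR", ZERO, ATTACKER, 1_000_000.0),   # mint to the attacker
    Tx("EURR", ATTACKER, HOP1, 600_000.0),     # dispersal hop
    Tx("EURR", HOP1, DEP_A, 400_000.0),        # deposit to exchange A
    Tx("EURR", HOP1, DEP_B, 150_000.0),        # deposit to instant exchange B
]
SAMPLE_LABELS = {DEP_A: "Exchange A deposit", DEP_B: "Instant exchange B"}

if __name__ == "__main__":
    received, balance = summarize(SAMPLE_TRANSFERS)
    for addr in (ATTACKER, HOP1):
        print(addr, "received", dict(received[addr]), "balance", dict(balance[addr]))
    for label, token, amount, path in cashout_paths(SAMPLE_TRANSFERS, [ATTACKER], SAMPLE_LABELS):
        print(f"{amount:,.2f} {token} -> {label} via {' -> '.join(path)}")
```

With the constructed data, the attacker address shows 1,000,000 EURR received and 400,000 EURR remaining, the hop address 50,000 EURR remaining, and two cash-out paths of 400,000 and 150,000 EURR. On real data the walk needs the same guard against hop explosion (the `max_hops` bound and the `seen` set) because dispersal patterns fan out quickly.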

Beosin Trace can penetrate mixers like Tornado Cash and instant exchange platforms like ChangeNOW and FixedFloat. Related penetration results are as follows:

[Figure: Beosin Trace penetration results]

Besides the funds transferred to centralized exchanges, the balances still sitting on-chain are as follows:

1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca (remaining balance: 1,488.08 ETH)

2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f (remaining balance: 510,673.98 USDR, 44,000 EURR)

3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926 (remaining balance: 85.21 ETH, 15,263.22 USDT, 101,241.95 EURR)

4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762 (remaining balance: 8.91 ETH, 26,816.98 USDT, 250,570.03 EURR)

5. 0xde7adbb368c2616df8c5c0e986933bee8f660add (remaining balance: 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR, 258,117.67 EURR)

6. 0x0bc0b7b24876ac97610346ea0194735ccc271edd (remaining balance: 100 ETH)

7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386 (remaining balance: 100,000 USDR)

8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376 (remaining balance: 15 ETH)

The overall fund flow is illustrated in the diagram below:

[Figure: Stolen Fund Flow Analysis Chart by Beosin Trace]

This security incident demonstrates that code audits cannot resolve operational and governance deficiencies. Stablecoin issuers and regulators should consider proactively monitoring the circulation and operation of stablecoins in the secondary market on a risk basis. Addressing this industry pain point, Beosin has launched a Stablecoin Monitoring system covering the entire stablecoin lifecycle. The system continuously monitors key operational indicators such as total issuance, minting and burning activity, holder address distribution, and on-chain transaction flows.


In the circulation phase, Stablecoin Monitoring combines price-fluctuation and peg-stability analysis to detect depeg risk caused by market manipulation or liquidity crises early, which covers attack scenarios such as the bulk malicious minting that followed the private key compromise in the StablR incident. It also tracks cross-chain activity, so fund flows can be traced across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts that help users identify the associated fraud risk.
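The attack flow above (an address added as minter on a 1-of-n wallet, followed by bulk mints) and the monitoring indicators just described (total issuance, minting activity) come together in a simple detection loop. The script below is an added example, not Beosin's Stablecoin Monitoring product and not StablR's contracts. It relies on the ERC-20 convention that a mint is a Transfer from the zero address, which is exactly what the Etherscan filter linked earlier selects, and it assumes three policy inputs that an issuer would set: an allowlist of expected minter addresses per token, a per-transaction mint cap, and a cap on supply growth within a rolling block window. The events are constructed to resemble the incident; the attacker address, one recipient address and the 1,000,000 EURR and 4,000,000 USDR amounts are taken from the analysis above, while the legitimate minter and treasury addresses are placeholders.

```python
"""Mint monitor over ERC-20 Transfer events (added example, not Beosin's
Stablecoin Monitoring product and not StablR's contracts).

A mint is an ERC-20 Transfer whose `from` is the zero address. The monitor keeps
a running supply per token and raises alerts for (1) a mint whose transaction
sender is not on the expected minter allowlist, (2) a single mint above a
per-transaction cap, and (3) supply growth within a rolling block window above
a cap. The allowlist, caps and window size are assumed policy values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ZERO = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class Transfer:
    token: str       # token symbol, e.g. "USDR"
    tx_sender: str   # account that submitted the transaction (the would-be minter)
    frm: str         # ERC-20 Transfer `from`; ZERO means a mint
    to: str          # ERC-20 Transfer `to`; ZERO means a burn
    value: float     # amount already scaled by the token's decimals
    block: int


@dataclass
class Policy:
    minters: dict        # token symbol -> set of allowed minter addresses
    per_tx_cap: float    # largest single mint that does not alert
    window_blocks: int   # rolling window length in blocks
    window_cap: float    # largest total minted in one window that does not alert


@dataclass
class MonitorState:
    supply: dict = field(default_factory=lambda: defaultdict(float))
    mints: dict = field(default_factory=lambda: defaultdict(list))  # token -> [(block, value)]


def check_transfer(ev, policy, state):
    """Update the running state with one event and return the alerts it triggers."""
    alerts = []
    tok = ev.token
    if ev.frm == ZERO:  # mint
        state.supply[tok] += ev.value
        state.mints[tok].append((ev.block, ev.value))
        allowed = {m.lower() for m in policy.minters.get(tok, set())}
        if ev.tx_sender.lower() not in allowed:
            alerts.append(f"UNAUTHORIZED_MINTER {tok} by {ev.tx_sender} at block {ev.block}")
        if ev.value > policy.per_tx_cap:
            alerts.append(f"LARGE_MINT {tok} {ev.value:,.2f} exceeds cap {policy.per_tx_cap:,.2f}")
        recent = sum(v for b, v in state.mints[tok] if b > ev.block - policy.window_blocks)
        if recent > policy.window_cap:
            alerts.append(f"SUPPLY_SURGE {tok} {recent:,.2f} minted in last {policy.window_blocks} blocks")
    elif ev.to == ZERO:  # burn
        state.supply[tok] -= ev.value
    return alerts


def run_monitor(events, policy):
    """Replay events in block order; return (alerts, supply per token)."""
    state = MonitorState()
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        alerts.extend(check_transfer(ev, policy, state))
    return alerts, dict(state.supply)


# Constructed scenario. LEGIT_MINTER and TREASURY are placeholders; the attacker
# and recipient addresses and the mint amounts come from the analysis above.
LEGIT_MINTER = "0x" + "1" * 40
TREASURY = "0x" + "2" * 40
ATTACKER = "0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1"
RECIPIENT = "0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d"

SAMPLE_POLICY = Policy(
    minters={"USDR": {LEGIT_MINTER}, "EURR": {LEGIT_MINTER}},
    per_tx_cap=500_000.0,
    window_blocks=50,
    window_cap=2_000_000.0,
)
SAMPLE_EVENTS = [
    Transfer("USDR", LEGIT_MINTER, ZERO, TREASURY, 100_000.0, 100),  # routine mint
    Transfer("USDR", TREASURY, TREASURY, ZERO, 50_000.0, 110),        # routine burn
    Transfer("EURR", ATTACKER, ZERO, ATTACKER, 1_000_000.0, 200),     # unauthorized mint
    Transfer("USDR", ATTACKER, ZERO, RECIPIENT, 4_000_000.0, 201),    # unauthorized mint
]

if __name__ == "__main__":
    found, supply = run_monitor(SAMPLE_EVENTS, SAMPLE_POLICY)
    for line in found:
        print(line)
    print("supply:", supply)
```

On the constructed events the routine mint and burn pass silently, the 1,000,000 EURR mint raises an unauthorized-minter and a large-mint alert, and the 4,000,000 USDR mint raises those two plus a supply-surge alert, five alerts in total. The allowlist check is the one that fires first in an incident of this shape, because the new minter address is observable the moment it submits its first mint, before any price impact shows up on the secondary market.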
