“Single-Signature” Breach: Analysis of StablR Compliance Stablecoin Depeg Incident and Stolen Fund Flow Tracking
- Core Insight: Stablecoin issuer StablR lost control of its multi-signature wallet permissions, leading to the illegal mass minting and depegging of its compliance stablecoins EURR and USDR, resulting in over $3 million in losses. This highlights risks stemming from operational governance flaws rather than code vulnerabilities.
- Key Elements:
- The attack stemmed from the multi-signature wallets requiring only one signature to execute a transaction. After gaining control of the owner address, the attacker added their own address to the minting multi-sigs, obtaining minting permissions.
- Through large-scale minting, the attacker issued a total of 8.35M USDR and 4.5M EURR, causing the stablecoin price to depeg sharply by 20%.
- Actual losses exceeded $3 million. The illegally minted tokens were dispersed and transferred through exchanges such as ChangeNOW, Kraken, and Huobi, as well as the Tornado Cash mixer.
- The incident exposed operational security deficiencies of the issuer, including the lack of high-threshold multi-signature, time locks, and rapid emergency response mechanisms.
- Beosin proposes utilizing a stablecoin monitoring system for continuous surveillance of total supply, minting behavior, on-chain transactions, and price fluctuations to mitigate such risks.
Original source: Beosin
On May 24, the stablecoin protocol StablR was attacked. Its compliant Euro stablecoin, EURR, and USD stablecoin, USDR, experienced a sharp depeg with a 20% decline due to illegal large-scale minting. The actual loss exceeded $3 million. This attack stemmed from a failure in multi-signature permission management, once again sounding an alarm for security governance across the entire stablecoin sector.

Attack Flow Analysis
StablR is a Malta-based stablecoin issuer. Tether previously announced a strategic investment in StablR and provides it with stablecoin issuance and risk management tools through its Hadron tokenization platform. StablR currently has two compliant stablecoin products: EURR and USDR.
By analyzing on-chain data, we can observe:
The multi-signature wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc
The multi-signature wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3
Since these multi-signature wallets require only one signature to execute a transaction, the attacker, having gained control of the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d, added the attacker-controlled address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 as an owner of both multi-signature wallets:

Related transaction hashes:
(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a
(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de
From the above process, we can see that this incident was not due to a code vulnerability, but an operational security issue with the stablecoin issuer: failure to properly secure the private keys of privileged addresses, lack of high-threshold multi-signature for high-value/high-risk operations, absence of timelocks for large-scale minting, and a lack of rapid emergency response mechanisms.
After the attacker address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 obtained the minting permission, the attacker began minting on a large scale and sending the minted stablecoins to multiple addresses:

According to Beosin's statistics, a total of 8.35M USDR and 4.5M EURR were minted. Link to view minting transactions: https://etherscan.io/advanced-filter?fadd=0x0000000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50
Analysis of Stolen Fund Flow
The actual loss from this incident exceeded $3 million. After minting, the main receiving addresses were:
1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1: received a total of 1,000,000 EURR
2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D: received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current balance 324,163.04 USDR and 1,204,098.63 EURR
3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04: received a total of 412.67 ETH, 2,575,966.87 USDR and 650,000 EURR
4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb: received a total of 235.92 ETH, 700,000 EURR and 200,000 USDR
5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d: received a total of 225.54 ETH, 4,000,000 USDR and 1,000,000 EURR
6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a: received a total of 2,000,000 USDR; current balance 1,969,000 USDR
7. 0x8c1957765721e2540c03A0D64435a469a7266c51: received a total of 1,400,000 USDR and 1,400,000 EURR; current balance 900,000 EURR and 900,000 USDR
8. 0x865eC0587CdF305877783C080d97DEdD4f60398f: received a total of 504,000 USDR
Through Beosin Trace analysis, the illegally minted EURR and USDR were partially transferred to different exchanges via fund dispersion techniques, including ChangeNOW, Kraken, Huobi, WhiteBIT, and others, with a small amount entering the Tornado Cash mixer.
Beosin Trace can penetrate mixers like Tornado Cash as well as instant swap exchanges like ChangeNOW and Fixedflow. The relevant penetration results are as follows:


Apart from the funds transferred to centralized exchanges, the on-chain fund settlements are as follows:
1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca: settlement amount 1,488.08 ETH
2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f: settlement amount 510,673.98 USDR and 44,000 EURR
3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926: settlement amount 85.21 ETH, 15,263.22 USDT and 101,241.95 EURR
4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762: settlement amount 8.91 ETH, 26,816.98 USDT and 250,570.03 EURR
5. 0xde7adbb368c2616df8c5c0e986933bee8f660add: settlement amount 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR and 258,117.67 EURR
6. 0x0bc0b7b24876ac97610346ea0194735ccc271edd: settlement amount 100 ETH
7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386: settlement amount 100,000 USDR
8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376: settlement amount 15 ETH
The overall fund flow is illustrated in the chart below:

Stolen Fund Flow Analysis Diagram by Beosin Trace
This security incident shows that code audits alone cannot resolve operational and governance deficiencies. Stablecoin issuers and regulators should consider actively monitoring the circulation and operational status of stablecoins in secondary markets using a risk-based approach. Addressing this industry pain point, Beosin has launched the Stablecoin Monitoring system, which covers the entire lifecycle of a stablecoin. The system supports continuous monitoring of key operational indicators such as total stablecoin supply, minting and burning activity, distribution of holding addresses, and on-chain transaction flows:

During the circulation phase, the Stablecoin Monitoring system integrates price volatility and peg analysis to promptly detect depeg risks caused by market manipulation or liquidity crises, covering attack scenarios such as the batch malicious minting that followed the private key leak in the StablR incident. It also tracks cross-chain activity, enabling fund flow tracing across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts, allowing users to identify related fraud risks.
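The controls called for in the attack-flow section (signer changes on a 1-of-N minting multisig, no timelock on large mints) and the supply and minting indicators described here can be turned into concrete detection rules. The following is an added example, not Beosin's or StablR's code: it replays a constructed sequence of decoded on-chain events modelled on this incident, and the baseline supply, per-mint cap and growth limit are assumed illustrative policy values.

```python
from dataclasses import dataclass, field
from decimal import Decimal

ZERO = "0x0000000000000000000000000000000000000000"

@dataclass
class MintMonitor:
    """Replays decoded on-chain events and flags the warning signs seen in this
    incident: signer changes on a low-threshold minting multisig, single mints
    above a cap, and supply growth beyond a per-window limit. Alerts are
    (kind, detail) tuples; all thresholds are assumed policy values."""
    baseline_supply: Decimal        # circulating supply at window start (assumed)
    single_mint_cap: Decimal        # mints above this should sit behind a timelock
    max_growth_pct: Decimal         # tolerated supply growth within one window
    minted_in_window: Decimal = Decimal(0)
    spike_raised: bool = False
    alerts: list = field(default_factory=list)

    def on_owner_added(self, wallet: str, threshold: int, new_owner: str) -> None:
        # Every signer added to a minting multisig deserves review; a threshold
        # below 2 means a single compromised key can add signers and mint alone.
        self.alerts.append(("OWNER_ADDED", f"{new_owner} added to {wallet}"))
        if threshold < 2:
            self.alerts.append(("LOW_THRESHOLD", f"{wallet} needs only {threshold} signature"))

    def on_transfer(self, token: str, src: str, dst: str, amount: Decimal) -> None:
        if src != ZERO:
            return  # only transfers from the zero address are mints
        self.minted_in_window += amount
        if amount > self.single_mint_cap:
            self.alerts.append(("LARGE_MINT", f"{amount} {token} minted to {dst}"))
        growth = self.minted_in_window / self.baseline_supply * 100
        if growth > self.max_growth_pct and not self.spike_raised:
            self.spike_raised = True  # report the spike once per window
            self.alerts.append(("SUPPLY_SPIKE", f"{token} supply +{growth:.1f}% in window"))

def run_demo() -> list:
    """Constructed event sequence modelled on the incident; returns alert kinds."""
    attacker = "0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1"
    mon = MintMonitor(Decimal(5_000_000), Decimal(250_000), Decimal(10))
    # attacker address added to the EURR minting multisig, which has threshold 1
    mon.on_owner_added("0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc", 1, attacker)
    # 1,000,000 EURR minted straight to the attacker address
    mon.on_transfer("EURR", ZERO, attacker, Decimal(1_000_000))
    # an ordinary holder-to-holder transfer (constructed) is ignored
    mon.on_transfer("EURR", attacker, "0xBb64302c6F039D4aa800CAc93E6E54856958675D", Decimal(50_000))
    return [kind for kind, _ in mon.alerts]
```

In a live deployment the same handlers would be fed from the multisig's owner-change events and the token's Transfer events, with the window reset on a schedule.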