"Single Signature" Breached: Analysis of the StablR Compliant Stablecoin De-peg Incident and Tracing of the Stolen Funds

星球君的朋友们
Odaily Senior Author
2026-05-25 13:37
This article is about 3,163 characters and takes about 5 minutes to read.
This attack stemmed from uncontrolled multi-signature permission management, once again sounding the alarm for security governance across the entire stablecoin sector.
AI Summary
  • Core point: Stablecoin issuer StablR lost control of its multi-signature wallet permissions, allowing its compliant stablecoins EURR and USDR to be illegally mass-minted and de-pegged, causing losses exceeding $3 million and highlighting the risk posed by operational governance defects rather than code vulnerabilities.
  • Key elements:
    1. The attack stemmed from the multi-signature wallets requiring only 1 signature to initiate a transaction; after taking control of the owner address, the attacker added their own address to the minting multisig and obtained minting permission.
    2. Through large-scale minting, the attacker issued a total of 8.35M USDR and 4.5M EURR, causing the stablecoin prices to de-peg sharply by 20%.
    3. Actual losses exceeded $3 million; the illegally minted tokens were dispersed through exchanges such as ChangeNOW, Kraken and Huobi, and through the Tornado Cash mixer.
    4. The incident exposed operational security defects on the issuer's side: the lack of high-threshold multisig, time locks and rapid emergency-response mechanisms.
    5. Beosin proposes continuous monitoring of total issuance, minting activity, on-chain transactions and price fluctuations through a stablecoin monitoring system to address such risks.

Original Source: Beosin

On May 24, the stablecoin protocol StablR was attacked, causing its compliant euro stablecoin EURR and dollar stablecoin USDR to severely de-peg due to illegal mass minting, plummeting by 20%, with actual losses exceeding $3 million. The attack stemmed from uncontrolled multi-signature permission management, once again sounding an alarm for security governance across the entire stablecoin sector.


Attack Flow Analysis

StablR is a Malta-based stablecoin issuer. Tether had previously announced a strategic investment in StablR, providing it with stablecoin issuance and risk management tools through its Hadron tokenization platform. Currently, StablR has launched two compliant stablecoin products: EURR and USDR.

By analyzing on-chain data, we can observe:

The multi-signature wallet controlling EURR minting is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc

The multi-signature wallet controlling USDR minting is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3

Since these multi-signature wallets only required 1 signature to initiate a transaction, the attacker, by controlling the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d, added the attacker's address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to the aforementioned multi-signature wallets:


Relevant Transaction Hashes:

(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a

(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de

From the above process, we can see that this incident was not due to a code vulnerability, but rather an operational security issue on the part of the stablecoin issuer: failure to securely store privileged address private keys, failure to use high-threshold multi-signatures for high-value/high-risk operations, absence of time locks for large minting operations, and a lack of rapid emergency response mechanisms.

After the attacker's address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 obtained minting permissions, the attacker began large-scale minting and sent the minted stablecoins to multiple addresses:


According to Beosin's statistics, a total of 8.35M USDR and 4.5M EURR were minted. Relevant minting query link: https://etherscan.io/advanced-filter?fadd=0x0000000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50

Analysis of Stolen Fund Flow

The actual losses from this incident exceeded $3 million. After the minting, the primary receiving addresses were:

1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 (received a total of 1,000,000 EURR)

2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D (received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current balance: 324,163.04 USDR, 1,204,098.63 EURR)

3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04 (received a total of 412.67 ETH, 2,575,966.87 USDR and 650,000 EURR)

4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb (received a total of 235.92 ETH, 700,000 EURR and 200,000 USDR)

5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d (received a total of 225.54 ETH, 4,000,000 USDR and 1,000,000 EURR)

6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a (received a total of 2,000,000 USDR; current balance: 1,969,000 USDR)

7. 0x8c1957765721e2540c03A0D64435a469a7266c51 (received a total of 1,400,000 USDR and 1,400,000 EURR; current balance: 900,000 EURR, 900,000 USDR)

8. 0x865eC0587CdF305877783C080d97DEdD4f60398f (received a total of 504,000 USDR)

Through Beosin Trace analysis, part of the illegally minted EURR and USDR was transferred to various exchanges via fund dispersion, such as ChangeNOW, Kraken, Huobi, WhiteBIT, etc., with a small amount entering the Tornado Cash mixer.

Beosin Trace can penetrate mixers like Tornado Cash as well as instant exchanges like ChangeNOW and Fixedflow, with relevant penetration results shown below:


Apart from the funds transferred to centralized exchanges, the on-chain fund retention status is as follows:

1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca: retained 1,488.08 ETH

2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f: retained 510,673.98 USDR, 44,000 EURR

3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926: retained 85.21 ETH, 15,263.22 USDT, 101,241.95 EURR

4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762: retained 8.91 ETH, 26,816.98 USDT, 250,570.03 EURR

5. 0xde7adbb368c2616df8c5c0e986933bee8f660add: retained 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR, 258,117.67 EURR

6. 0x0bc0b7b24876ac97610346ea0194735ccc271edd: retained 100 ETH

7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386: retained 100,000 USDR

8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376: retained 15 ETH

The overall fund flow is illustrated in the following diagram:


Stolen Fund Flow Analysis Diagram by Beosin Trace

This security incident shows that code audits cannot resolve operational and governance defects. Stablecoin issuers and regulators should consider proactively monitoring, on a risk basis, the circulation and operational status of stablecoins in the secondary market. To address this industry pain point, Beosin has launched a Stablecoin Monitoring system covering the entire stablecoin lifecycle. The system supports continuous monitoring of key operational indicators such as total issuance volume, minting and burning activity, holder address distribution, and on-chain transaction flows.

During the circulation phase, Stablecoin Monitoring incorporates price fluctuation and peg analysis to promptly detect de-peg risks caused by market manipulation or liquidity crises, addressing attack scenarios like the batch malicious minting of stablecoins following private key leaks in events such as StablR. It also possesses cross-chain activity tracking capabilities, enabling fund flow tracing across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts, facilitating user identification of related fraud risks.
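As an added illustration of the kind of monitoring described above (example code written here, not Beosin's Stablecoin Monitoring product or StablR's own code), the following Python replays decoded ERC-20 Transfer logs for the EURR and USDR contracts taken from the article's query link, treats transfers from address(0) as mints and to address(0) as burns, and raises alerts for mints to recipients outside an assumed allowlist, mints exceeding an assumed per-window cap, and prices deviating beyond an assumed tolerance from the peg. The sample events, the treasury address, the thresholds and the prices are constructed; the two recipient addresses are the ones named in the article.

```python
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "00" * 20  # ERC-20 mints come from, and burns go to, address(0)
EURR = "0x7b43e3875440b44613dc3bc08e7763e6da63c8f8"  # EURR token contract (from the article's query link)
USDR = "0x50753cfaf86c094925bf976f218d043f8791e408"  # USDR token contract (from the article's query link)

@dataclass(frozen=True)
class Transfer:  # one decoded Transfer(from, to, value) log; amount in whole tokens (assumption)
    token: str
    src: str
    dst: str
    amount: float
    block: int

def monitor(events, allowed_recipients, mint_cap, window_blocks, prices, max_dev=0.02):
    """Replay Transfer logs in block order and return (alerts, circulating supply per token).
    The policy (recipient allowlist, per-window mint cap, peg tolerance) is an assumed example policy."""
    alerts, supply, minted = [], defaultdict(float), defaultdict(float)
    for ev in sorted(events, key=lambda e: e.block):
        if ev.src == ZERO:  # mint: supply grows; attribute it to the recipient and block window
            supply[ev.token] += ev.amount
            key = (ev.token, ev.dst, ev.block // window_blocks)
            minted[key] += ev.amount
            if ev.dst not in allowed_recipients.get(ev.token, ()):
                alerts.append(("unexpected_mint_recipient", ev.token, ev.dst, ev.block))
            if minted[key] > mint_cap:
                alerts.append(("mint_cap_exceeded", ev.token, ev.dst, ev.block))
        elif ev.dst == ZERO:  # burn: supply shrinks
            supply[ev.token] -= ev.amount
    for token, price in prices.items():  # price quoted in the pegged fiat unit, so the peg is 1.0
        if abs(price - 1.0) > max_dev:
            alerts.append(("depeg", token, price))
    return alerts, dict(supply)

# Constructed sample: a treasury mint and burn, then large mints to two recipients named in the article.
TREASURY = "0x" + "11" * 20  # placeholder issuer treasury address (constructed)
ATTACKER = "0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1"  # recipient named in the article
DISPERSE = "0xBb64302c6F039D4aa800CAc93E6E54856958675D"  # recipient named in the article
SAMPLE = [
    Transfer(EURR, ZERO, TREASURY, 50_000, 100),
    Transfer(EURR, TREASURY, ZERO, 10_000, 150),
    Transfer(EURR, ZERO, ATTACKER, 1_000_000, 200),
    Transfer(USDR, ZERO, DISPERSE, 4_610_173.19, 201),
    Transfer(USDR, DISPERSE, "0x" + "22" * 20, 100, 210),  # plain transfer, neither mint nor burn
]

def run_demo():
    return monitor(SAMPLE, {EURR: {TREASURY}, USDR: {TREASURY}}, mint_cap=500_000,
                   window_blocks=100, prices={EURR: 0.80, USDR: 0.80})
```

`run_demo()` returns the alert list and the per-token supply; on the sample it flags both large mints twice (unknown recipient and cap exceeded) and both 20% de-pegs, while the treasury mint, the burn and the plain transfer raise nothing.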
