🔎 Looking for DD.xyz? DD your tokens and addresses here:
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
← Back to blog

Alerting on the StablR Exploit Before the Peg Broke. Here's What Our Systems Saw.

June 2, 2026
Alerting on the StablR Exploit Before the Peg Broke. Here's What Our Systems Saw.

On May 23–24, 2026, StablR lost $13.5 million to a compromised governance key, the same attack class that took $80 million from Resolv's USR protocol two months earlier. Webacy's monitoring systems detected it, and alerted to our partners early enough to make an impact. Our price oracle monitor flagged anomalous sell velocity on USDR before the price had broken, registering brief, sharp attacker sells in our 5-minute velocity signal while spot price still appeared normal to any passive observer (the same early-detection capability that caught the USR depeg 2 hours and 17 minutes before Resolv Labs' official announcement in March). Our Peg Canary supply velocity system then flagged both USDR and EURR simultaneously, identifying them as a coordinated minting event from the same governance structure before the full scope of the attack was publicly understood, with both tokens having exceeded 100% of pre-existing circulating supply in unauthorized mints. Vault risk scoring updated automatically from there, issuing exit recommendations for USDR and EURR-exposed positions before prices reached their intraday lows of $0.61 and $0.83 respectively. What follows is a full account of what our systems saw, when, and what it means for how stablecoin risk infrastructure needs to be built.

The StablR Exploit: What Our Monitoring Systems Saw

Two stablecoin depegging events, two months apart, same sequence: a compromised private key, anomalous rapid minting, a collapsing peg, and cascading effects across DeFi. On March 22, Resolv's USR protocol lost $80M to unauthorized minting, $25M extracted by the attacker, a stablecoin that still hasn't recovered its peg. On May 24, StablR lost $13.5M to the same mechanism: a governance key compromised, 8.35 million USDR and 4.5 million EURR minted into thin liquidity, both tokens depegging within hours.

This is not coincidence but a pattern emerging in the stablecoin ecosystem, and it points to a real gap in how stablecoin risk is currently monitored and managed. Smart contract exploits and oracle failures have established defenses and detection tooling built around them. The compromised-key minting attack, characterized by sudden anomalous supply growth, rapid sell pressure, and cascading exposure through vaults, lending markets, and liquidity pools, largely does not. Both events are evidence that new detection patterns and risk management approaches are needed specifically for this attack class.

The attack on StablR began at 23:47 UTC on May 23, 2026, when the first unauthorized EURR transaction hit Ethereum mainnet. Ten minutes later, at 23:57 UTC, unauthorized USDR minting began. What followed over the next several hours was 8.35 million USDR and 4.5 million EURR, $13.5 million in unbacked tokens, flooding into on-chain liquidity pools.

What follows is our monitoring of both tokens through the attack: what the price monitor caught, when, and why USDR was flagged about 75 minutes before EURR despite EURR minting starting first.

THE ATTACK: A GOVERNANCE FAILURE, NOT A PROTOCOL HACK

StablR operated a 1-of-3 MultiSigWallet for governance and minting authority, confirmed on-chain: three signers, threshold of one. With only one confirmation required, any single compromised key is enough to execute any transaction the multisig controls, including calls to the unrestricted mint function. This is all the attacker needed.

The attack unfolded across two tokens over roughly four hours. EURR minting started first, at 23:47:35 UTC, with 1 million tokens sent to a single recipient. A second EURR transaction followed at 23:51:35 UTC. USDR minting began at 23:57:59 UTC. From there, both tokens were minted in waves: smaller tranches of 100K to 1M tokens across dozens of transactions across both tokens, distributed to multiple recipient addresses and swapped through decentralized exchanges as liquidity allowed.

Pre-event supply for USDR was approximately 6.74 million tokens. The attacker minted 8.35 million across the first wave of transactions, more than the entire pre-existing circulating supply, by 01:48 UTC. EURR had approximately 12.4 million in pre-event supply; the attacker added 4.5 million through 01:22 UTC. The minted tokens were swapped for ETH across decentralized exchanges, realizing approximately $2.8 million in profit (roughly 1,115 ETH) before liquidity conditions made further exits untenable.

The Resolv USR exploit in March followed a similar pattern: compromise of privileged mint authorization infrastructure enabled the attacker to mint roughly 80 million unbacked USR across two transactions. Small USDC deposits (~$100K–$200K) were used to trigger massively inflated mint outputs due to insufficient validation and lack of effective mint constraints. The attacker extracted roughly $25M before liquidity collapsed and USR lost its peg. While the implementation details differed from StablR, both incidents shared the same structural weakness: concentrated privileged control over stablecoin issuance with insufficient safeguards between authorization and mint execution.

WHAT OUR SYSTEMS SAW

Our stablecoin monitoring infrastructure runs in layers. The price oracle monitor polls on a rolling cycle and scores tokens across price deviation, velocity, and volume signals. Our Peg Canary system runs at six-hour intervals, scoring tokens on supply velocity: minting activity relative to circulating supply. (Keep in mind that private instance Peg Canary system can run at smaller intervals)

In both the USR and StablR events, these layers caught the attack from different angles at different times. For StablR specifically, the two tokens told different stories in the price monitor: USDR was flagged about 75 minutes before EURR, despite EURR minting starting ten minutes earlier.

PRICE MONITOR: USDR FLAGGED AT 00:46 UTC

The price monitor's first USDR reading on May 24 was at 00:16 UTC, nineteen minutes after the first unauthorized USDR mint. The score was 2. The price was $0.9985. Nothing visible yet.

At 00:46 UTC, the score jumped from 2 to 52 in a single reading.

The price at that moment was $0.9983, just 17 basis points below peg. A passive observer watching USDR's current price would have seen nothing. What the monitor saw was different: the price_deviation_5m signal had maxed out. Not because USDR was far from peg, but because the rate of price movement in the preceding five minutes was anomalous relative to any historical baseline. The attacker's early sells were creating brief, sharp pressure on DEX pools that partially recovered between transactions. The absolute price barely moved. The 5-minute velocity told a different story.

The score reached 76, DANGER band, by 01:48 UTC, 110 minutes after the first unauthorized USDR mint. Price had broken badly at 01:31, recovering partially to $0.985 by 01:48 before collapsing again through 02:16. By mid-morning USDR was trading at $0.6185, its worst reading of the day. It has not recovered its peg.

The reason USDR was flagged early while EURR was not comes down to data. USDR had enough on-chain DEX activity for the 5-minute velocity signal to register the early sell pressure. EURR's on-chain liquidity was thinner: the monitor fell back to an oracle reference price, which updated more slowly. This is a structural limitation which depends on the quality of real-time price data available for each token.

PRICE MONITOR: EURR FLAGGED AT 02:00 UTC

The price monitor caught EURR at 02:00 UTC, more than two hours after the first unauthorized EURR mint at 23:47 UTC. EURR is a Euro-backed token; its reference price tracks EUR/USD, approximately $1.158 pre-event. The delay reflected the thin on-chain liquidity for EURR: the monitor was relying on reference data rather than live DEX prices, and that reference data lagged the actual market impact.

By 02:00 UTC the price feed had registered a 5% drop from pre-event levels. By 03:00 UTC, $0.896, a 22.7% drop from $1.158. The score in the early hours was held back by the lack of live DEX data: with reference-only pricing, the velocity and persistence signals could not fully express the severity of what was happening. The score stayed in the 54-59 range through 04:01 UTC even as the price fell to $0.872. It escalated sharply later in the morning, from 68 to 88 between 08:00 and 09:00, as the sustained depeg accumulated persistence signal weight. EURR's intraday worst price, $0.836 at 16:46 UTC, arrived hours after the score had already been in ALERT/DANGER range, as the price continued grinding lower even after the initial sell pressure subsided.

PEG CANARY: BOTH TOKENS FLAGGED AT 03:49 UTC

At 03:49 UTC, PEG CANARY ran its scheduled six-hourly supply velocity analysis. Supply velocity measures 24-hour minting volume as a percentage of circulating supply. For fiat-backed tokens like USDR and EURR, where minting should track collateral deposits or redemption activity, our alert threshold is 10%. Routine institutional activity rarely pushes above 3-4% in any 24-hour window.

At the 03:49 UTC run, both tokens were well outside that range:

Both tokens scored identically: 40, WATCH band. The supply velocity signal normalizes to its maximum (1.0) once minting exceeds the 10% threshold, so both tokens hit the ceiling regardless of the difference in raw velocity. Across the multiple scoring signals the weights distribute identically for both tokens and the composite score converges to the same number. The supply flow index confirmed the minting in real time. Hourly snapshots show the 24-hour net minting percentage building across the morning.

ONE COORDINATED ATTACK, TWO TOKENS

When two tokens from the same protocol score identically on a supply velocity signal at the same Peg Canary system run, the most plausible explanation is a coordinated minting event. The full picture across both monitoring layers:

The same attack, running simultaneously on two tokens, produced two different detection timelines based purely on available data quality. The USR event produced a single-token signal: 66.3 million USR in the 24-hour supply window, a velocity that hit the ceiling immediately. StablR added a second dimension: two tokens, same governance structure, same attacker, same run, identical PEG CANARY scores. A system watching supply at the individual contract level catches both simultaneously.

CASCADING EFFECTS: FROM SIGNAL TO EXIT

When our Peg Canary system issues a WATCH flag, it feeds directly into our vault universe risk scoring. Vaults holding USDR or EURR as underlying collateral or yield-bearing positions had their composite risk scores updated in the next vault rating cycle.

By 03:49 UTC, the price monitor had been at 52+ on USDR since 00:46 UTC and at 56 on EURR since 02:15 UTC. When PEG CANARY confirmed both tokens at WATCH on supply velocity, the combined signals crossed the threshold for exit recommendations. Vault exit recommendations for USDR and EURR-exposed positions were issued following the 03:49 UTC run.

From there the cascading effects took on their own momentum. Exit pressure reduced pool liquidity. Thinner liquidity amplified the price impact of each subsequent swap. That price impact pushed the monitor scores higher: USDR from 76 in intervals to 89; EURR from 59 in intervals to 88. Each increment reinforced the exit signal for any position that had not already acted. 

The USR event showed the same cascade at a larger scale. The mechanics are identical in both incidents: supply shock drives price impact, price impact triggers liquidations and exit, liquidations drain liquidity, thinner liquidity amplifies the next price move. The attack does not stay inside the depegging token. It propagates through every protocol that holds it.

AN EMERGING PATTERN, AND WHAT IT REQUIRES

The StablR incident, taken alongside USR, establishes a pattern. Compromised private key. Anomalous rapid minting. Depeg. Cascading exposure through the ecosystem. Two events in two months, different protocols, different scales, same sequence.

This pattern has specific properties that existing risk infrastructure was not built to catch. Price-based monitoring catches the depeg after liquidity has already absorbed part of the shock. On-chain supply monitoring catches the minting event as it happens, before the price fully reacts, before official announcements, before most market participants have understood what is occurring. In both events, the on-chain Transfer(from=0x0) record was the earliest available signal, and supply velocity was the metric that made it legible.

The detection story for USDR adds another dimension. The price_deviation_5m signal caught anomalous sell velocity at 00:46 UTC when USDR was trading at $0.9983, 17 basis points from peg, within expected range by any standard metric. The 5-minute velocity signal was registering what the spot price was not: brief, sharp sells from early minting activity being partially absorbed by arbitrage. This is an earlier and quieter signal than a visible depeg. Building detection around it means catching the attack before the cascade, not after.

The defense requirements this pattern suggests are different from those for flash loan attacks or oracle manipulation. Flash loan attacks resolve in a single transaction. Oracle attacks are visible in price feed divergence. The compromised-key minting attack is slower, quieter in its early stages, and detectable primarily through supply growth anomalies and velocity anomalies before price reacts. Monitoring needs to run at the contract address level, not the symbol level. Alert thresholds need to be calibrated to what legitimate minting activity looks like for each token type. Vault and lending risk systems need to act on supply signals, not just price signals, to reduce exposure before the cascade reaches their positions.

Supply velocity is not the complete answer. But in both the USR and StablR events it was one of the clearest early available signals. Building detection and risk reduction around it, and wiring it directly into vault scoring and position management, is a step in the right direction.

The governance failures that enabled these attacks are preventable. A higher multisig threshold, hardware signing requirements, or a timelock on minting operations would have raised the bar significantly in both cases. But governance hardening is only half the picture. The protocols, vaults, and lending markets that hold stablecoins as collateral need their own layer of defense: early warning on supply anomalies and velocity anomalies, not just price, and the infrastructure to act on that warning before the cascade reaches their positions.

THE BOTTOM LINE

The StablR exploit is the second major compromised-key minting attack in two months, and it will not be the last. Protocols, vaults, exchanges, and any institution holding stablecoins as collateral need supply velocity monitoring and real-time risk scoring wired into their risk infrastructure before the next one, not after. Webacy's platform provides exactly that: continuous, explainable, institutional-grade risk intelligence that flags anomalous minting activity, scores vault exposure, and issues exit signals before the cascade reaches your positions. If you're ready to stop relying on price as your first signal, get in touch.

Read More
How Should Vault Liquidity Risk Be Measured? A Framework for Continuous Onchain Assessment

How Should Vault Liquidity Risk Be Measured? A Framework for Continuous Onchain Assessment

Tokenized Asset Risk: What AML and KYC Can't Protect You From

Tokenized Asset Risk: What AML and KYC Can't Protect You From

How Digital Asset Ratings Work: The Infrastructure Behind Onchain Risk Intelligence

How Digital Asset Ratings Work: The Infrastructure Behind Onchain Risk Intelligence

API’s powered by AI for decisioning, diligence, and data for anything on-chain.
© 2026, WEBACY.COM
Resources
API DocsDD.xyzStatusWebacy PluginBlogDAR•CBlock AwardsWebacy Talks
Company
CareersTrust and SafetyMedia KitContact Us