Original source: Beosin
On May 24, the stablecoin protocol StablR was attacked, causing its compliant euro stablecoin EURR and US dollar stablecoin USDR to plummet by 20% due to illegal minting, with actual losses exceeding $3 million. The attack stemmed from inadequate control over multi-signature permissions, once again sounding the alarm for security governance across the entire stablecoin sector.

Attack Flow Analysis
StablR is a Malta-based stablecoin issuer. Tether previously announced a strategic investment in StablR and will provide stablecoin issuance and risk management tools through its Hadron tokenization platform. Currently, StablR offers two compliant stablecoin products: EURR and USDR.
By analyzing the on-chain data, we can find that:
The multi-signature wallet that controls the minting of EURR is 0x8278D2881dBF8F6Fc01c98d196c4b16F1aade5Bc
The multi-signature wallet that controls the minting of USDR is 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3
Since the aforementioned multi-signature wallets only require one signature to initiate a transaction, the attacker, by controlling the owner address 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d, added the attacker's address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 to the two aforementioned multi-signature wallets.

Related transaction hash:
(1) 0x41c2504e208a3f260b2564393938b6e68f7348f5fcb8df00cde41f800f073c8a
(2) 0x5b5825ca36f4cdad02b1c777df63115e63010de77de71dba0ac60160c18100de
Through the above process, we can see that this incident is not due to a code vulnerability, but rather an operational security issue of the stablecoin issuer: the private keys of privileged addresses were not properly stored, a high-threshold multi-signature was not used for high-value/high-risk operations, there was no time lock for large-scale minting operations, and a rapid emergency response mechanism was lacking.
After gaining minting privileges at the attacker address 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1, the attacker began minting coins on a large scale and sent the minted stablecoins to multiple addresses:

According to Beosin statistics, a total of 8.35M USDR and 4.5M EURR were minted. The relevant mintage query link is: https://etherscan.io/advanced-filter?fadd=0x00000000000000000000000000000000000000&tadd=0x0000000000000000000000000000000000000000&tkn=0x7b43e3875440b44613dc3bc08e7763e6da63c8f8%2c0x50753cfaf86c094925bf976f218d043f8791e408&ps=50
Analysis of the flow of stolen funds
The actual losses caused by this incident exceeded $3 million. After minting, the primary receiving address was:
1. 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1
(This address received a total of 1,000,000 EURR)
2. 0xBb64302c6F039D4aa800CAc93E6E54856958675D
(This address received a total of 4,000,535.33 EURR and 4,610,173.19 USDR; current deposits: 324,163.04 USDR and 1,204,098.63 EURR)
3. 0xeA480c23D7B29a515856AafE0dc86F7519965a04
(This address received a total of 412.67 ETH, 2,575,966.87 USDR, and 650,000 EURR)
4. 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb
(This address received a total of 235.92 ETH, 700,000 EURR, and 200,000 USDR)
5. 0x41E63c5d2AE95802868D9ef3686cC974aDA96d0d
(This address received a total of 225.54 ETH, 4,000,000 USDR, and 1,000,000 EURR)
6. 0x873Ef45d10b29EB251b1Eb5Fe057C325f092a80a
(This address received a total of 2,000,000 USDR; current deposits: 1,969,000 USDR)
7. 0x8c1957765721e2540c03A0D64435a469a7266c51
(This address received a total of 1,400,000 USDR and 1,400,000 EURR; current deposits: 900,000 EURR and 900,000 USDR)
8. 0x865eC0587CdF305877783C080d97DEdD4f60398f
(This address received a total of 504,000 USDR)
According to Beosin Trace analysis, some of the illegally minted EURR and USDR were transferred in a dispersed manner to different exchanges, such as ChangeNOW, Kraken, Huobi, and WhiteBIT, with a small amount of funds entering the Tornado Cash mixer.
Beosin Trace can trace transactions through mixers such as Tornado Cash and instant-exchange services such as ChangeNOW and Fixedflow. The relevant tracing results are shown below:


Aside from funds transferred to centralized exchanges, the on-chain fund holdings are as follows:
1. 0x09be1a36c2d7f9909eb3d6f9184c6e46a12b0aca
Deposited amount: 1,488.08 ETH
2. 0x464545b1f001ec64f93a31a8e678bfbd3146ef3f
Deposited amount: 510,673.98 USDR, 44,000 EURR
3. 0x9c25a3634fa04a8bac72e233c74469d5e15c5926
Deposited amounts: 85.21 ETH, 15,263.22 USDT, 101,241.95 EURR
4. 0x2e74a82f6dbdfbe8fe54bd081e215c0c368c7762
Deposited amounts: 8.91 ETH, 26,816.98 USDT, 250,570.03 EURR
5. 0xde7adbb368c2616df8c5c0e986933bee8f660add
Deposited amounts: 13.65 ETH, 165,162.05 USDT, 38,696.42 USDR, 258,117.67 EURR
6. 0x0bc0b7b24876ac97610346ea0194735ccc271edd
Deposited amount: 100 ETH
7. 0xb8d90cffe9fdb398afec7046490d1efdb28a6386
Deposited amount: 100,000 USDR
8. 0x7ec05d1d6b0cbf4e74bd5907d01aeeb4343c6376
Deposited amount: 15 ETH
The overall fund flow is shown in the following diagram:

Analysis chart of stolen funds flow by Beosin Trace
This security incident demonstrates that code audits cannot resolve operational/governance deficiencies. Stablecoin issuers and regulatory bodies should consider proactively monitoring the circulation and operation of stablecoins in the secondary market, based on risk assessment. Addressing this industry pain point, Beosin has launched a stablecoin monitoring system covering the entire lifecycle of stablecoins. This system supports continuous monitoring of key operational metrics such as total stablecoin issuance, minting and burning activities, distribution of holding addresses, and on-chain transaction volume.

During the circulation phase, Stablecoin Monitoring analyzes price fluctuations and pegging status to promptly detect risks of de-pegging caused by market manipulation or liquidity crises. This addresses attack scenarios such as the mass minting of stablecoins following private key leaks, as seen in the StablR incident. It also possesses cross-chain activity tracking capabilities, enabling the tracking of fund flows across different blockchains. For counterfeit stablecoins issued on-chain, the system provides real-time monitoring and alerts, facilitating user identification of related fraud risks.
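As an added illustration of the minting-surveillance rules described above (example code written for this article, not Beosin's monitoring system), the Python sketch below runs three checks over a constructed stream of decoded ERC-20 Transfer events: total minted per token, a per-token mint ceiling over a trailing block window, and mints whose transaction sender is outside the issuer's expected minter set. Token and wallet addresses and all amounts are placeholders, not the StablR on-chain values.

```python
# Mint surveillance over constructed, already-decoded ERC-20 Transfer events.
# Addresses and amounts are placeholders, not the StablR on-chain values.
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "00" * 20   # ERC-20 mints emit Transfer(from=ZERO, ...)
EURR, USDR = "0x" + "01" * 20, "0x" + "02" * 20   # placeholder token contracts
SAFE, ATTACKER = "0xsafe", "0xbad"                # placeholder minter addresses

@dataclass(frozen=True)
class Transfer:
    block: int
    token: str
    src: str        # Transfer `from`; the zero address marks a mint
    amount: float   # token units, already scaled by decimals
    minter: str     # transaction sender (taken from the tx, not the log)

EVENTS = [  # constructed sample data
    Transfer(100, EURR, ZERO, 50_000, SAFE),
    Transfer(105, EURR, "0xtreasury", 10_000, "0xtreasury"),  # not a mint
    Transfer(200, EURR, ZERO, 1_000_000, ATTACKER),
    Transfer(201, USDR, ZERO, 2_000_000, ATTACKER),
    Transfer(203, USDR, ZERO, 1_500_000, ATTACKER),
    Transfer(900, USDR, ZERO, 100_000, SAFE),
]

def mint_totals(events):
    """Total amount minted per token (Transfer from the zero address)."""
    totals = defaultdict(float)
    for e in events:
        if e.src == ZERO:
            totals[e.token] += e.amount
    return dict(totals)

def mint_rate_alerts(events, window_blocks, cap):
    """(token, block) pairs where mints in the trailing window exceed `cap`."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x.block):
        if e.src != ZERO:
            continue
        q = recent[e.token]
        q.append(e)
        while q[0].block < e.block - window_blocks:   # evict stale mints
            q.pop(0)
        if sum(x.amount for x in q) > cap:
            alerts.append((e.token, e.block))
    return alerts

def unauthorized_mints(events, allowed_minters):
    """Mints whose transaction sender is outside the expected minter set."""
    return [(e.block, e.token, e.minter) for e in events
            if e.src == ZERO and e.minter not in allowed_minters]
```

The rate rule catches the large-scale minting even when the minter looks legitimate, while the allowlist rule catches the newly added owner address before volume builds up; in practice the expected minter set is the issuer's multisig and the ceiling is set from historical issuance.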