StablR Exploit Exposes EU Rules Weakness by Targeting Fully Compliant Issuer

27 May 2026 - 17:44 CEST
By Isabelle Castro

Last week's $13.5mn exploit targeting StablR floored a stablecoin issuer that passed all the regulatory tests, but it used an underlying weakness that the EU's MiCA regulatory regime wasn't designed to cover.

Three days after the 24 May attack on StablR's minting contract, both the EURR and USDR stablecoins remain frozen. The attacker was found to have accessed the issuer's multisig configuration, which used a 1-of-3 scheme, made themselves administrator and minted USDR and EURR tokens, which they then sold on low-liquidity DEXs.

The exploit amounted to approximately $13.5mn and caused both stablecoins to depeg from their related fiat currencies.

StablR said it has filed notifications with the Malta Financial Services Authority (MFSA) under both MiCA and the EU's Digital Operational Resilience Act (DORA), as well as bringing in external cybersecurity firms. No recovery plan has yet been announced. 

The reserves backing the stablecoins prior to the incident remain intact. 

Backed but broken

The StablR incident marks a devastating fall for what was a poster child of European digital asset compliance. The euro-backed stablecoin was one of only eight stablecoin EMTs (e-money tokens) licensed under the MiCA framework.

That framework had been informed by the collapse of TerraUSD in May 2022, which acted as a case study in reserve failure. In the case of Terra, an algorithmic token with no hard backing erased approximately $45bn in value in under a week. In response, reserve backing became a major focus for regulators. 

MiCA compliance requires issuers to maintain 1:1 reserves held in segregated custody, meeting strict liquidity criteria. Issuers must additionally publish a compliant whitepaper, meet governance disclosure requirements and satisfy AML/KYC obligations. StablR passed all the necessary requirements.

What the regulation does not contain, according to its published text, is any provision governing the security architecture of the infrastructure that issues the tokens. There is no prescribed minimum for a minting multisig, no required standard for private key management and no mandate for third-party audits of onchain minting controls. The regulatory audit certifies what backs the coin but is not required to certify who controls the keys that create it.
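The two passages above describe the failure mode (a 1-of-3 minting multisig where one key was enough to take over the admin role and mint) and the control the regulation never asked for (a minimum threshold, key management and an audit of on-chain minting controls). The following model is an added illustration, not StablR's contract or any project's code: it puts the weak configuration beside a hardened one (M-of-N minting, a stricter admin threshold and a timelock on signer changes) and runs the same single-compromised-key attempt against both. Signer names, thresholds and the timelock value are constructed assumptions, as is the `audit_controls` check, which encodes the questions an auditor of minting controls would ask.

```python
"""Model of a token minting contract's access policy: a 1-of-3 multisig
beside a hardened M-of-N configuration with a separate, time-locked admin
role. Added illustration; all names and numbers are constructed."""
from dataclasses import dataclass, field


@dataclass
class MultisigPolicy:
    signers: frozenset   # keys allowed to sign
    threshold: int       # distinct signer keys required

    def approves(self, signatures: set) -> bool:
        # Only current signers count; a set cannot carry the same key twice.
        return len(signatures & self.signers) >= self.threshold

    def single_key_suffices(self) -> bool:
        # One compromised key is enough whenever the threshold is 1.
        return self.threshold <= 1


@dataclass
class MintingContract:
    admin_policy: MultisigPolicy    # governs changes to the signer set
    mint_policy: MultisigPolicy     # governs minting
    admin_timelock_blocks: int = 0  # delay before an admin change takes effect
    supply: int = 0
    pending_changes: list = field(default_factory=list)

    def propose_signer_change(self, signatures, new_policy, current_block):
        if not self.admin_policy.approves(signatures):
            raise PermissionError("admin threshold not met")
        effective = current_block + self.admin_timelock_blocks
        self.pending_changes.append((effective, new_policy))
        return effective

    def execute_pending(self, current_block):
        # A queued change applies only once its timelock has elapsed.
        remaining = []
        for effective, new_policy in self.pending_changes:
            if current_block >= effective:
                self.mint_policy = new_policy
            else:
                remaining.append((effective, new_policy))
        self.pending_changes = remaining

    def mint(self, signatures, amount):
        if not self.mint_policy.approves(signatures):
            raise PermissionError("mint threshold not met")
        self.supply += amount
        return self.supply


SIGNERS = frozenset({"key_a", "key_b", "key_c"})   # constructed signer set


def build_weak():
    # 1-of-3, same policy for admin and minting, no timelock (the reported setup).
    weak = MultisigPolicy(SIGNERS, threshold=1)
    return MintingContract(admin_policy=weak, mint_policy=weak)


def build_hardened():
    # 2-of-3 to mint, 3-of-3 to change signers, change visible for 7200 blocks first.
    return MintingContract(admin_policy=MultisigPolicy(SIGNERS, 3),
                           mint_policy=MultisigPolicy(SIGNERS, 2),
                           admin_timelock_blocks=7200)


def single_key_attempt(contract, stolen_key="key_a", current_block=100):
    """Replay the incident's shape with exactly one compromised key: try to
    swap in a 1-of-1 signer set, then try to mint. Returns what happened."""
    outcomes = {}
    rogue = MultisigPolicy(frozenset({"rogue_key"}), threshold=1)
    try:
        contract.propose_signer_change({stolen_key}, rogue, current_block)
        contract.execute_pending(current_block)   # no-op while timelock runs
        outcomes["signer_change"] = "accepted"
    except PermissionError:
        outcomes["signer_change"] = "rejected"
    signing_set = {"rogue_key"} if contract.mint_policy is rogue else {stolen_key}
    try:
        contract.mint(signing_set, 10_000_000)
        outcomes["mint"] = "accepted"
    except PermissionError:
        outcomes["mint"] = "rejected"
    outcomes["supply"] = contract.supply
    return outcomes


def audit_controls(contract):
    """Findings an audit of on-chain minting controls would flag."""
    findings = []
    if contract.mint_policy.single_key_suffices():
        findings.append("single key can mint")
    if contract.admin_policy.single_key_suffices():
        findings.append("single key can change signers")
    if contract.admin_timelock_blocks == 0:
        findings.append("signer changes take effect immediately")
    return findings


if __name__ == "__main__":
    for name, builder in (("weak", build_weak), ("hardened", build_hardened)):
        c = builder()
        print(name, audit_controls(c), single_key_attempt(c))
```

Run as a script it prints, for the weak configuration, three audit findings and a successful signer change plus mint; for the hardened one, no findings and both attempts rejected with supply unchanged. The point of the timelock is detection rather than prevention: a queued signer change that nobody recognises can be challenged before it takes effect, which a 1-of-3 with immediate effect never allows.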

DORA, which became applicable in January 2025 and covers crypto-asset service providers (CASPs) licensed under MiCA, was designed to address the ICT gap. Its provisions require incident reporting, third-party vendor management and resilience testing, but DORA's framework was built around conventional IT infrastructure and a compromised key on a minting contract is not a conventional penetration-testing target.

According to security firm Blockaid, which attributed the StablR breach to a key management and governance failure rather than a smart contract vulnerability, the attack vector is not the kind of risk DORA was designed to catch. 

What regulation missed

The result, in StablR's case, was that a fully compliant issuer produced the outcome that regulation was designed to prevent, through an unforeseen method. The weakness in the multisig, rather than the stablecoin's reserves, caused unbacked stablecoins to be released into circulation and create a depegged market.

StablR surfaces a critical blind spot soon after MiCA entered a period of consultation on whether it is still fit for purpose. Key management and privileged-access failures have driven the year's most costly exploits. These cases, along with StablR's recent hack, may prompt formal action such as minimum multisig standards as a condition of EMT authorisation, or targeted amendments to DORA's scope.

StablR's case is the first time this has impacted a fully MiCA-licensed issuer, with all the compliance paperwork reportedly in order.