
Security Risks of Stablecoins

7/8/2025

Introduction to Stablecoins

Stablecoins are a type of crypto-asset designed to maintain a stable price by linking each token to an external reference asset, most often a national currency like the U.S. dollar, but sometimes commodities like gold. In theory, every coin in circulation should be redeemable for an equal amount of that reference asset, protecting holders from the sharp price fluctuations typical of unpegged digital currencies.

Stablecoins are essential to the crypto ecosystem because they provide price stability and quick settlement. They support decentralized finance (DeFi) applications, facilitate cross-border payments, and offer on-chain liquidity for traders. Their popularity has led to rapid growth; as of July 2025, the stablecoin market exceeded $250 billion in capitalization. This growth highlights the attractiveness of stablecoins as a bridge between traditional finance and blockchain systems, particularly for institutions seeking to leverage blockchain’s efficiency without the risks associated with cryptocurrencies such as Bitcoin.

However, stablecoins are not without risks. The very features that make stablecoins attractive—broad usage and perceived safety—also make them targets for cyberattacks and scrutiny by regulators. In recent years, several high-profile failures and attacks have highlighted the fragility of poorly designed or managed stablecoins. For example, the collapse of TerraUSD (UST), an algorithmic stablecoin, in May 2022 wiped out tens of billions of dollars in value, shaking market confidence and spreading contagion across the broader crypto market. Such incidents demonstrate that, if a stablecoin loses its peg or is compromised, the consequences can be systemic. For institutions and enterprises considering launching their own stablecoin, it is crucial to understand these risks and implement robust safeguards from the outset.

In 2025, regulators on four continents all moved to recast fiat-backed stablecoins as tightly supervised, e-money-style payment assets:

The U.S. GENIUS Act cleared the Senate on June 18, demanding OCC-chartered or bank issuers, 1:1 cash/T-bill reserves and monthly disclosures. The EU issued guidance on June 25 under MiCA (fully applicable since the beginning of 2025 and covering stablecoins, among other digital assets and providers) that lets tokens from the same licensed group flow interchangeably across EU and non-EU entities. South Korea’s June roadmap inside its Digital-Asset Basic Act ties bank-led won-coins to bankruptcy-remote reserves. Hong Kong’s Stablecoin Ordinance, passed on May 21 for an August launch, mandates full reserves, daily reconciliation, and next-day redemption.

By anchoring issuance to prudentially supervised firms, enforcing granular transparency, and embedding AML/CFT rules, these laws collectively legitimize stablecoins, and lay the groundwork for much broader retail and commercial uptake.

Types of Stablecoins


Not all stablecoins are built alike. The design and backing of a stablecoin determine both its stability mechanisms and its risk profile. Generally, most stablecoins fall into one of several categories based on the type of collateral. However, this isn't the only way to distinguish stablecoins; they can also be categorized by their level of centralization or decentralization, the pegging mechanisms they use, and the types of yield mechanisms involved.

Fiat-Collateralized Stablecoins

These tokens are backed 1:1 by reserves of fiat currency or equivalents held by a central issuer. Examples include USDC and USDT, which mostly maintain reserves in cash and short-term securities, such as Treasury bills. This model is straightforward—each token is redeemable for a unit of fiat—but it requires users to trust the issuer to securely hold reserves and honor redemptions. While fiat-backed stablecoins often strive for transparency (through audits or attestations) and regulatory compliance, they introduce custodial risk and a central point of failure: the issuer’s operational security and integrity. If the issuer’s treasury is hacked or if its reserves are mismanaged or frozen by authorities, the stablecoin can quickly become unstable.


Commodity-Collateralized Stablecoins

These tokens are backed 1:1 by physical commodities—most commonly gold, but also silver, platinum, or even oil—held by a designated custodian on behalf of the issuer. A flagship example is Pax Gold (PAXG), each token of which is backed by one fine troy ounce of gold stored in LBMA vaults in London. Like fiat-backed coins, the model is conceptually simple—each token is a digital warehouse receipt—but it shifts reserve risk from cash to tangible assets. Holders must still trust the issuer and vault operator to safeguard the bars, publish regular third-party attestations, and process redemptions; any lapse (e.g. theft, seizure, or faulty audits) can break the peg.

Crypto-Collateralized Stablecoins

These stablecoins, like DAI or USDS, are backed by cryptocurrency collateral instead of cash. Users lock volatile crypto assets (e.g. Ether) in smart contracts to mint stablecoins, typically over-collateralizing to account for crypto’s price swings. The advantage is that custody is decentralized—reserves are on-chain and transparently verifiable. However, this design relies on complex smart contracts and price oracles to maintain the peg. Smart contract bugs or oracle failures can threaten the stability of decentralized stablecoins. Additionally, in sharp market downturns, if collateral value falls too quickly, automated liquidation mechanisms may fail to keep the stablecoin fully collateralized, leading to a loss of peg.
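The liquidation failure mode described above, as an added example that is not code from the post or from any protocol: a single ETH-backed vault is modelled with a hypothetical 150% minimum ratio and a 13% liquidation bonus (constructed parameters), and the same position is run through a gradual decline and a one-block crash to show when bad debt appears.

```python
"""Over-collateralized stablecoin vault model (added example, not code from the post).
Constructed numbers: an ETH-backed vault mints a dollar-pegged coin at a 150% minimum
ratio. A gradual price decline is absorbed by liquidation; a one-block crash leaves
debt that no collateral covers, so the coin is no longer fully backed."""
from dataclasses import dataclass

MIN_COLLATERAL_RATIO = 1.50  # $1.50 of collateral per $1 of stablecoin minted
LIQUIDATION_BONUS = 0.13     # liquidator receives 13% extra collateral

@dataclass
class Vault:
    collateral_eth: float
    debt_usd: float

    def ratio(self, eth_price: float) -> float:
        return self.collateral_eth * eth_price / self.debt_usd

def mint(vault: Vault, amount_usd: float, eth_price: float) -> None:
    """Reject mints that would take the vault below the minimum ratio."""
    new_debt = vault.debt_usd + amount_usd
    if vault.collateral_eth * eth_price / new_debt < MIN_COLLATERAL_RATIO:
        raise ValueError("mint would under-collateralize the vault")
    vault.debt_usd = new_debt

def liquidate(vault: Vault, eth_price: float) -> float:
    """Close an under-collateralized vault and return the bad debt left (USD).
    The liquidator repays the debt and takes collateral worth debt*(1+bonus); if the
    vault holds less than that, it repays only what the collateral is worth net of bonus."""
    if vault.ratio(eth_price) >= MIN_COLLATERAL_RATIO:
        return 0.0  # healthy vault, nothing to do
    owed_usd = vault.debt_usd * (1 + LIQUIDATION_BONUS)
    seized_usd = min(owed_usd, vault.collateral_eth * eth_price)
    repaid_usd = min(vault.debt_usd, seized_usd / (1 + LIQUIDATION_BONUS))
    bad_debt = vault.debt_usd - repaid_usd
    vault.collateral_eth -= seized_usd / eth_price
    vault.debt_usd = 0.0
    return bad_debt

def simulate(price_path: list[float], collateral_eth: float = 10.0,
             mint_usd: float = 13_000.0) -> float:
    """Mint at the first price, then run liquidation at each later price (constructed run)."""
    vault = Vault(collateral_eth, 0.0)
    mint(vault, mint_usd, price_path[0])
    bad_debt = 0.0
    for price in price_path[1:]:
        if vault.debt_usd > 0:
            bad_debt += liquidate(vault, price)
    return bad_debt
# simulate([2000.0, 1900.0]) -> 0.0; simulate([2000.0, 1400.0]) -> ~610.62 USD of unbacked debt
```

The second run shows the point in the paragraph: every rule was followed, yet after the gap down the system holds stablecoins with no collateral behind them.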


Non-collateralized (Algorithmic) Stablecoins

This is an experimental class of stablecoins that attempt to maintain their peg through algorithms and market incentives, rather than full reserve backing. They may use a secondary token or dynamic supply adjustments to stabilize the price. While innovative, purely algorithmic stablecoins have proven highly risky. Without robust collateral, they are fragile in a crisis, as demonstrated by TerraUSD’s collapse, where a death spiral in its algorithmic design wiped out over $60 billion in value. Some newer models are hybrid (partially collateralized with crypto or other assets), but still depend on unproven mechanisms and strong market confidence. For institutional issuers, algorithmic approaches pose significant risk and thus demand extreme caution and thorough testing.


Security Issues of Stablecoins

Smart Contract Risks

Smart contract risk is a primary concern for decentralized stablecoins and for any stablecoin integrated into DeFi protocols. Stablecoins run on blockchain smart contracts, which, if flawed, can be exploited by attackers. Hackers actively search smart contracts for code vulnerabilities such as integer underflow/overflow, reentrancy bugs, missing access controls, price manipulation, and flash loan attacks. Exploiting these bugs can allow an attacker to manipulate the stablecoin’s supply or steal the collateral backing the coin.

A notable incident illustrating on-chain vulnerabilities occurred on Cashio App in 2022. Cashio is a decentralized stablecoin backed by interest-bearing Saber USD liquidity provider tokens on the Solana blockchain. The attacker exploited a vulnerability where the code failed to verify that the banking token and the minted token matched, allowing the use of worthless tokens to mint real CASH tokens. By depositing valueless collateral, the attacker drained value from the protocol and minted CASH tokens. The missing validation code led to an attack resulting in

Another example is a $9.6 million exploit in the wstUSR market on Resupply. The attacker manipulated a low-liquidity Curve market to change the exchange rate and borrowed roughly $10 million of Resupply USD without collateral.

For institutions planning to launch or use stablecoins, rigorous smart contract auditing is essential. Before deployment, contracts should be reviewed by security experts to catch vulnerabilities and verify that collateral and minting logic are sound.
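The missing collateral check in the Cashio incident, and the kind of minting-logic defect an audit should catch, as an added example modelled on the description above (not Cashio's or any protocol's code; token identifiers and amounts are constructed): a vulnerable mint that credits any deposited token beside the fixed version that compares the deposit against the bank's registered collateral mint.

```python
"""Collateral-identity check for a stablecoin mint (added example; modelled on the
Cashio bug described above, not the protocol's code). Token ids and amounts are
constructed. The vulnerable version credits any deposit as collateral; the fixed
version checks the deposited token's mint against the bank's registered one."""
from dataclasses import dataclass, field

@dataclass
class TokenAccount:
    mint: str      # identifier of the token this account holds
    amount: int

@dataclass
class Bank:
    collateral_mint: str                            # the only token this bank may accept
    reserves: dict = field(default_factory=dict)    # token mint -> amount held
    stable_supply: int = 0                          # stablecoins minted against it

def mint_vulnerable(bank: Bank, deposit: TokenAccount) -> int:
    """BUG: never checks that deposit.mint is bank.collateral_mint."""
    bank.reserves[deposit.mint] = bank.reserves.get(deposit.mint, 0) + deposit.amount
    bank.stable_supply += deposit.amount
    return deposit.amount

def mint_checked(bank: Bank, deposit: TokenAccount) -> int:
    """Fixed: reject any token that is not the bank's registered collateral."""
    if deposit.mint != bank.collateral_mint:
        raise ValueError(f"collateral mismatch: {deposit.mint} != {bank.collateral_mint}")
    if deposit.amount <= 0:
        raise ValueError("deposit must be positive")
    bank.reserves[deposit.mint] = bank.reserves.get(deposit.mint, 0) + deposit.amount
    bank.stable_supply += deposit.amount
    return deposit.amount

def backing_ratio(bank: Bank) -> float:
    """Real collateral per stablecoin; deposits of other tokens count for nothing."""
    real = bank.reserves.get(bank.collateral_mint, 0)
    return real / bank.stable_supply if bank.stable_supply else 1.0

def demo(mint_fn) -> float:
    """Honest 1,000 LP deposit, then a 1,000,000 deposit of a token the bank never backed."""
    bank = Bank(collateral_mint="SABER-USD-LP")     # constructed id for the real collateral
    mint_fn(bank, TokenAccount("SABER-USD-LP", 1_000))
    try:
        mint_fn(bank, TokenAccount("WORTHLESS", 1_000_000))
    except ValueError:
        pass                                        # the fixed mint refuses the deposit
    return backing_ratio(bank)
# demo(mint_vulnerable) -> ~0.001 (supply backed by almost nothing); demo(mint_checked) -> 1.0
```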

At CertiK, our blockchain security team specializes in auditing smart contracts for stablecoins and DeFi protocols. CertiK leverages formal verification and exhaustive testing to identify bugs or logic errors before they can be exploited. By engaging professional auditors, stablecoin issuers can greatly reduce the risk of on-chain exploits, protecting both their users and their token’s reputation.

Custodial and Off-Chain Risks

Even if the on-chain code is secure, stablecoins can be undermined by weaknesses in the off-chain systems and key management that support them. Centralized stablecoin issuers face custodial risks: they must safeguard the private keys that control minting and redemption, and protect the bank accounts or assets that back the stablecoin. If these off-chain elements are compromised, an attacker could steal reserve funds or issue new tokens illegally, thereby breaking the stablecoin’s peg. Decentralized stablecoins are not immune either—they often rely on off-chain or cross-chain bridges and oracles, which have their own vulnerabilities. In short, a stablecoin’s security is only as strong as the security of its entire technical and operational infrastructure, both on-chain and off-chain.

A prominent example of custodial failure occurred with Tether (USDT), the largest fiat-backed stablecoin. In November 2017, hackers compromised Tether’s treasury systems and stole approximately $31 million worth of USDT by illicitly transferring tokens out of the Tether Treasury wallet after gaining control of the issuer’s keys or systems. In response, Tether had to perform emergency protocol updates to freeze the stolen tokens and reassure the market. The incident highlighted how even a well-established stablecoin can suffer losses and trust damage due to off-chain security lapses.

Mitigating custodial and backend risks requires robust security practices at the organizational level. CertiK offers penetration testing and secure infrastructure design services to stablecoin issuers and partners. CertiK simulates real-world attack scenarios on the issuer’s web portals, APIs, key storage modules, and internal networks to identify weaknesses before criminals do. In addition, it is advised to use secure key custody solutions, such as multi-signature schemes, hardware security modules (HSMs), and operational policies, to prevent single points of failure in minting or reserve management. By hardening the off-chain environment and adopting strict operational security, stablecoin issuers can prevent breaches that might otherwise lead to unauthorized token issuance or loss of reserve assets.

Compliance and Proof-of-Reserve Challenges

Security risk isn’t limited to hacks—it also encompasses legal, regulatory, and financial integrity risks. Stablecoins operate at the intersection of cryptocurrency and traditional finance, so regulatory compliance and transparent proof-of-reserves (PoR) are crucial for their long-term viability. Regulatory bodies worldwide have intensified their scrutiny of stablecoin issuers, focusing on issues such as consumer protection, anti-money laundering (AML) controls, and reserve adequacy. Failure to meet compliance obligations can lead to serious consequences, including fines or the shutdown of the stablecoin. Similarly, any ambiguity or misrepresentation about a stablecoin’s reserve status can weaken user trust and attract regulatory scrutiny. In simple terms, both regulators and users need confidence that a stablecoin is fully backed and transparent about its backing, and that it isn’t used for illicit finance.

History offers cautionary tales. Tether, for instance, faced accusations for years about the true backing of USDT. In 2019, a legal affidavit by Tether’s own counsel revealed that USDT was only about 74% backed by cash or cash equivalents at that time—meaning it did not hold $1 in reserve for every token in circulation. This confirmation of partial reserves (at least during that period) validated concerns that Tether had sometimes operated without full collateralization. The revelation led to settlements with regulators and prompted Tether to improve its transparency, but it also demonstrated how undisclosed reserve shortfalls can pose systemic risks if not addressed.

More recently, while still the leading stablecoin by market cap, Tether withdrew from the European market because of the stringent requirements it would have had to meet to obtain the applicable license. Consequently, exchanges and other crypto-asset service providers in Europe delisted USDT from their platforms.

Robust compliance and transparent reserves are as important as technical security. To build trust with both users and regulators, issuers should implement regular third-party audits or attestations of their reserves and publish the results. CertiK supports stablecoin projects through our Compliance and PoR advisory services.

Our Services


Advisory Service

Comprehensive technical and compliance evaluations of Web3 projects and digital assets ensure they meet the rigorous security standards required by institutional investors, hedge funds, venture capital firms, and more. CertiK offers bespoke research, licensing support, and analysis services, providing actionable insights into the highly technical and security-conscious world of blockchain. Empower your Web3 organization with strategic product roadmaps, create an identifiable Web3 brand, engage users, and thrive in the complex ecosystem.

Smart Contract Audit

A comprehensive security assessment of your smart contract and blockchain code to identify vulnerabilities and recommend ways to fix them. Our industry-leading audit methodology and tooling includes a review of your code’s logic, with a mathematical approach to ensure your program works as intended.

Penetration Testing

Take a proactive approach to security. Identify your project’s flaws before attackers do. CertiK’s penetration testing service examines and exploits application, network, and cloud infrastructure using the same expertise and tools as black hat hackers, in order to protect against them.

Proof of Reserves Service

Demonstrate transparency and build lasting trust with CertiK's Proof of Reserves audit. Our independent, Skynet-enabled solution verifies your reserves in real time, protecting users, investors, and stakeholders while helping you meet regulatory expectations. Offer the public verifiable assurance backed by continuous monitoring and industry-leading security standards.

Team Verification

CertiK Team Verification provides private identity verification for project teams through a rigorous vetting process while maintaining the highest standards of data protection.

Skynet

Skynet provides a wealth of data-driven insights for Web3 projects and communities. End-to-end security tools combine with on-chain and off-chain data, resulting in an all-in-one Web3 security analysis platform.

SkyInsights

SkyInsight is CertiK's on-chain intelligence and risk analytics platform designed to enhance security, compliance, and transparency across the blockchain ecosystem. It leverages a real-time API framework to deliver actionable insights by aggregating, classifying, and analyzing data from wallets, smart contracts, and transactions. SkyInsight provides entity attribution, behavioral classification, and risk scoring for addresses and transactions, enabling seamless integration with AML/CFT systems, transaction monitoring engines, and security infrastructures.

Bug Bounty

Combining years of Web3 security experience with a well-established technical community, CertiK’s Bug Bounty is the only Web3 platform providing fully managed end-to-end support with 0% fee on bounty payouts. Setting up a bug bounty with CertiK allows projects to utilize the intelligence of ethical hackers to further derisk their code from additional vulnerabilities.

Incident Response

Get 24/7/365 incident coordination and command, technical contract and on-chain analysis, forensic investigation, expert guidance, and response to any Web3 cybersecurity incident backed by our intelligence with comprehensive after-action reporting.
