Stablecoins have grown increasingly popular as regulators and traditional financial institutions embrace them. A stablecoin’s peg to fiat assets reduces price volatility compared with cryptocurrencies like Bitcoin or Ether and allows it to take full advantage of blockchain technology.

However, stablecoins face various risks that could potentially lead to depegging and the failure of the cryptocurrency. One of the most significant of these is weak governance, especially since stablecoins have more off-chain components and ties to the traditional financial industry than other cryptocurrencies.

The S&P Global Stablecoin Stability Assessment Framework details the various factors that could negatively impact asset quality. Under the governance section, it details some of the top ways that governance can go wrong.

Stablecoins are more centralized and have more off-chain components than other types of cryptocurrency. They are pegged to a fiat asset, and the issuer needs to hold adequate reserves, meaning that the organization needs to acquire, secure, and potentially invest these reserves to maintain the stablecoin’s value.

As a result, the process by which the issuer makes decisions and controls on-chain decision-making is critical to a stablecoin’s security. Too much centralization — whether in terms of the decision-making itself or the on-chain account used to implement these decisions — introduces potential risks or poor decisions or an attacker gaining control over the private key used to manage a critical account. At the other extreme, too much decentralization can also introduce risk if an attacker can exploit the process to push through malicious proposals.

Stablecoins must maintain a certain level of reserves to preserve their peg and value. This supports users’ ability to redeem their cryptocurrency for the backing fiat currency. A stablecoin issuer must not only maintain adequate reserves in total but also sufficient liquidity or interconnectivity across all supported chains to manage redemption requests on each.

Poor management of reserves can leave a stablecoin issuer in a position where it can’t fulfill redemption requests. This could include holding insufficient reserves, investing too heavily in illiquid assets, failing to manage risk via diverse asset allocations, and similar errors.

If this occurs and the issuer can’t promptly fulfill redemption requests, it runs the risk of a bank run, where users will rapidly attempt to pull their money out of the (allegedly) failing stablecoin. This can cause a downward spiral, and the stablecoin to fail entirely.

Stablecoins are largely built on trust. In theory, a stablecoin issuer will maintain sufficient reserves and invest them in a way that protects their value. If this is the case, they’ll be able to meet redemption requests and keep the stablecoin’s 1:1 peg.

This dependence on trust and the value of reserves to maintain value makes audits critical to the success of a stablecoin. Stablecoin issuers need to perform regular — ideally continuous — Proof of Reserves (PoR) audits to demonstrate that they maintain adequate reserves. Otherwise, the potential exists for a bank run if users decide that a stablecoin lacks enough reserves and want to get their money out before the reserves are exhausted.

A failure to perform regular audits by a trusted third-party auditor can place stablecoin issuers at risk of a bank run. This could involve stale audit data or audits performed in a way that raises users’ suspicions that something isn’t right.

Stablecoin issuers can potentially make all of their money through fees; however, the need to maintain a reserve means that they’re perpetually holding a significant amount of capital. The ability to invest these reserves offers the potential to make additional money on interest and to offset the potential impacts of inflation or other associated risks with the associated fiat currency.

However, the decision to invest reserves in stocks, bonds, or other financial instruments also introduces potential risks. For example, investment in less liquid assets means that the stablecoin issuer is betting that they won’t need quick access to that capital to meet redemption requests. Additionally, the value of stocks, bonds, and other assets may change, potentially threatening the strength of the stablecoin’s reserves.

Stablecoin issuers need to develop an investment portfolio that manages risk and doesn’t introduce a significant threat to the stablecoin. A healthy mix of liquid and illiquid assets that is diverse enough to be resilient against market movements is essential to maintain a stablecoin’s peg.

Stablecoin governance is a combination of process and technical controls. While a stablecoin issuer may have policies stating how something is supposed to work, this official process has little real value unless it’s also backed by technical controls.

For example, PYUSD, a regulated PayPal stablecoin, experienced an incident in October 2025 where Paxos accidentally minted approximately $300 trillion worth of the cryptocurrency during a botched internal transfer. This was possible because a single private key controlled an account with unlimited minting permissions for the stablecoin smart contract.

While the stablecoin may have strategies in place to maintain adequate reserves and ensure a 1:1 peg, this security gap completely undermined them. If the mint had been performed by an attacker, rather than by someone who immediately burned the excess tokens, the stablecoin’s peg would have been completely destroyed.

An effective stablecoin governance strategy is one backed by controls designed to enforce its processes and policies. Even the best strategy can be undermined if it relies on the security of a single private key that is compromised by an attacker. Additionally, logical errors in smart contract code may introduce significant discrepancies between what a smart contract is intended to do and what it actually does.

Halborn offers advisory and auditing services designed to support stablecoin issuers at every stage of the development process, from initial design to deployment on-chain. For help ensuring compliance with security best practices, regulatory requirements, and internal security goals, get in touch with Halborn.