An attacker exploited Stake DAO on Arbitrum, minting 5.4 trillion vsdCRV tokens after compromising the protocol's deployer private key.
"The suspected root cause is a compromised Stake DAO deployer private key, which allowed the attacker to set an arbitrary peer for vsdCRV and forge a malicious message triggering unconditional minting," BlockSec said on X.
The attacker minted exactly 5,446,744,073,709.551615 vsdCRV via a LayerZero v2 Executor call on May 27 at 09:17:58 UTC, according to Arbiscan data. PeckShield reported that 43.78 ETH, worth about $91,000, has been swapped so far and bridged to Ethereum. vsdCRV is a vote-boosted wrapper around sdCRV, Stake DAO's liquid locker token used in the Curve Finance governance ecosystem.
The exploit adds to a brutal stretch for DeFi security — more than $600 million has been lost across dozens of hacks since April, led by the $293 million Kelp DAO exploit linked to North Korea's Lazarus Group. No verified postmortem or final loss estimate has been disclosed by Stake DAO, and the exploit appears to be ongoing.
The distinction between a key compromise and a smart contract bug matters for recovery prospects. Smart contract vulnerabilities can be patched. A compromised private key means the attacker gained control over critical minting authority — in this case, the deployer wallet for vsdCRV on Arbitrum — without sufficient safeguards such as multisig or timelock protections.
The incident also raises fresh questions about cross-chain security. Stake DAO uses LayerZero for token movement across networks. While LayerZero itself was not compromised, the ability to mint unbacked supply on a destination chain highlights the risks inherent in bridge-based token architectures. The Kelp DAO exploit in April similarly used a forged LayerZero packet to unlock rsETH across chains.
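The safeguards mentioned above can be made concrete with a simplified model, added here as an illustration and not taken from Stake DAO or LayerZero code: a destination-chain receiver where a peer change only takes effect after a timelock, a separate guardian can cancel it, and mints are capped per 24-hour window. The class, method names, delay and cap are all assumptions chosen for the example.

```python
# Simplified model (added example, hypothetical names throughout): a cross-chain
# token receiver with a timelocked peer change and a rate-limited mint path.

PEER_DELAY = 48 * 3600      # assumed timelock on peer changes, in seconds
MINT_CAP_PER_DAY = 100_000  # assumed mint ceiling per 24h window, whole tokens


class GuardedReceiver:
    def __init__(self, owner, guardian, peer):
        self.owner = owner          # key that may propose a new peer
        self.guardian = guardian    # separate key (e.g. a multisig) that may veto
        self.peer = peer            # remote contract allowed to request mints
        self.pending = None         # (new_peer, earliest_activation_time)
        self.window_start = 0
        self.minted_in_window = 0
        self.supply = 0

    def propose_peer(self, caller, new_peer, now):
        """Queue a peer change; it is observable before it becomes live."""
        if caller != self.owner:
            raise PermissionError("not owner")
        self.pending = (new_peer, now + PEER_DELAY)

    def cancel_peer(self, caller):
        """Veto a queued change, e.g. after monitoring flags an unknown peer."""
        if caller != self.guardian:
            raise PermissionError("not guardian")
        self.pending = None

    def activate_peer(self, now):
        if self.pending is None or now < self.pending[1]:
            raise RuntimeError("timelock not elapsed")
        self.peer, self.pending = self.pending[0], None

    def receive(self, sender, amount, now):
        """Handle an inbound mint message; returns total supply after minting."""
        if sender != self.peer:
            raise PermissionError("untrusted peer")
        if now - self.window_start >= 86400:      # start a fresh 24h window
            self.window_start, self.minted_in_window = now, 0
        if self.minted_in_window + amount > MINT_CAP_PER_DAY:
            raise RuntimeError("mint cap exceeded")
        self.minted_in_window += amount
        self.supply += amount
        return self.supply
```

In this model a stolen owner key alone can only queue a peer change, and even a message from a trusted peer cannot mint past the window cap.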
Liquidity pools containing sdCRV or vsdCRV face potential imbalances as the attacker continues to dump inflated supply. Holders of sdCRV must assess whether the underlying CRV backing remains intact. Competitors in the Curve Wars, particularly Convex Finance, could benefit from a flight to safety if user confidence in Stake DAO erodes.