Stake DAO is facing an ongoing exploit tied to its vsdCRV token on Arbitrum. Blockchain security firm Blockaid said an attacker minted more than 5.4 trillion vsdCRV and began swapping the tokens for ETH.
Summary
- Stake DAO warned users not to interact with vsdCRV as the exploit remained active.
- Security researchers said an attacker minted about 5.4 trillion vsdCRV on Arbitrum before swapping funds.
- The suspected cause was a compromised deployer key used to alter LayerZero peer settings.
Stake DAO confirmed it was aware of the situation and told users not to interact with vsdCRV. The project’s warning came as researchers continued tracking the attacker’s activity across Arbitrum and Ethereum.
vsdCRV, or vote-boosted sdCRV, is tied to the Curve Finance ecosystem and used within Stake DAO’s yield products. The token became the center of the incident after the attacker allegedly gained enough control to mint a huge supply.
PeckShield said part of the minted funds had already been swapped for 43.78 ETH, worth about $91,000, and bridged to Ethereum. The incident remains a developing story, and final loss figures may change as more transactions are traced.

Researchers point to deployer key compromise
Blockaid said the suspected root cause was a compromised Stake DAO deployer private key. According to the firm, the attacker used that access to reconfigure the LayerZero v2 OFT peer for the vsdCRV token contract.
That change allegedly redirected trust from the legitimate Ethereum-side adapter to a malicious contract controlled by the attacker. The attacker then sent a forged cross-chain message that triggered the minting of roughly 5.44 trillion vsdCRV.
BlockSec described the attack as a case where the attacker appeared to obtain the deployer’s private key and set an arbitrary peer for vsdCRV. The firm said the forged message then caused unconditional minting to the attacker’s address.
The incident shows how privileged access remains a major risk in DeFi. Even when smart contract code works as designed, a compromised deployer key can give attackers the ability to change trusted settings and trigger losses.
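A defender-side check for the peer reconfiguration described above, added here as an illustration and not taken from Stake DAO, LayerZero, or the cited firms: it compares decoded `PeerSet(eid, peer)` events from an OFT contract against a pinned map of trusted peers and reports any change that redirects trust. The endpoint IDs, addresses, and the `PeerSetEvent` and `audit_peer_changes` names are constructed for the example.

```python
from dataclasses import dataclass

ZERO_PEER = "0x" + "00" * 32  # an all-zero peer means the trust path was removed


def to_bytes32(value: str) -> str:
    """Normalize a 20-byte address or bytes32 hex string to lowercase bytes32."""
    raw = value.lower().removeprefix("0x")
    if len(raw) not in (40, 64):
        raise ValueError(f"unexpected peer length: {value!r}")
    return "0x" + raw.rjust(64, "0")


@dataclass(frozen=True)
class PeerSetEvent:
    block: int
    eid: int   # remote endpoint ID the peer applies to
    peer: str  # bytes32 peer value emitted by the OFT contract


def audit_peer_changes(events, pinned):
    """Return (block, eid, reason) for each peer change that departs from the pinned map."""
    expected = {eid: to_bytes32(p) for eid, p in pinned.items()}
    findings = []
    for ev in sorted(events, key=lambda e: e.block):
        peer = to_bytes32(ev.peer)
        if ev.eid not in expected:
            # Clearing an endpoint that was never trusted is harmless; setting one is not.
            if peer != ZERO_PEER:
                findings.append((ev.block, ev.eid, "peer set for unpinned endpoint"))
        elif peer == ZERO_PEER:
            findings.append((ev.block, ev.eid, "pinned peer cleared"))
        elif peer != expected[ev.eid]:
            findings.append((ev.block, ev.eid, "peer replaced with unpinned address"))
    return findings


# Constructed sample data: placeholder endpoint IDs and addresses, not real on-chain values.
PINNED = {30101: "0x" + "aa" * 20}
SAMPLE_EVENTS = [
    PeerSetEvent(100, 30101, "0x" + "00" * 12 + "AA" * 20),  # matches the pinned adapter
    PeerSetEvent(205, 30101, "0x" + "00" * 12 + "bb" * 20),  # trust redirected elsewhere
    PeerSetEvent(206, 30999, "0x" + "00" * 12 + "cc" * 20),  # new, unreviewed trust path
]

if __name__ == "__main__":
    for block, eid, reason in audit_peer_changes(SAMPLE_EVENTS, PINNED):
        print(f"ALERT block={block} eid={eid}: {reason}")
```

Because the change in this incident was reportedly signed with the legitimate deployer key, the check keys on the peer value itself rather than on who sent the transaction.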
DeFi security concerns deepen
The Stake DAO exploit follows a series of recent DeFi incidents. As previously reported by crypto.news, OpenZeppelin co-founder Manuel Aráoz said he now considers “all of DeFi” unsafe and has advised friends and family to exit DeFi positions.
Aráoz argued that coding agents are becoming strong tools for finding vulnerabilities, while defenders still need to fix every weakness before attackers find one. His comments came as DeFi protocols lost about $629.7 million to hacks in April.
Separately, Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after a compromised admin key allowed attackers to upgrade contracts and drain funds.
That case resembles the current Stake DAO concern because both incidents involved privileged key access rather than a simple market manipulation event. Wasabi also warned users not to interact with its contracts while the team investigated.
Cross-chain risks remain in focus
The Stake DAO incident also points back to cross-chain token risks. Security reports have tracked repeated attacks involving bridges, peer settings, and message validation across chains in 2026.
BlockSec’s May security roundup listed multiple incidents across Ethereum, Sui, BNB Chain, Base, Blast, and Berachain, with total losses of about $15.9 million over a two-week period. Its blog also identified Wasabi as a key-compromise case.
In April, Kelp DAO suffered one of the year’s largest DeFi exploits after attackers drained about $292 million from a LayerZero-powered bridge. The breach raised concerns about cross-chain asset backing across more than 20 networks.


