Security researchers flag ongoing Stake DAO exploit after attacker mints trillions of vsdCRV
Multiple blockchain security firms said Stake DAO was targeted in an ongoing exploit tied to a suspected deployer key compromise. The attacker minted 5.4 trillion vsdCRV on Arbitrum and is actively swapping the tokens for ether, the researchers said.
2026-05-27 Source: theblock.co

Stake DAO, a DeFi platform focused on automated yield strategies, is facing an ongoing exploit, multiple blockchain security firms reported on Wednesday.

The attacker minted over 5.4 trillion vsdCRV on Arbitrum and is actively swapping it for ETH, Blockaid noted on X. PeckShield said that, so far, some of the tokens had been swapped for 43.78 ETH ($91,000) and bridged to Ethereum.

vsdCRV, or vote-boosted sdCRV, is a yield-related derivative token tied to the Curve Finance ecosystem and used within Stake DAO.

Stake DAO said it was aware of the situation and urged users not to interact with vsdCRV.

The suspected root cause is a compromised Stake DAO deployer private key, the researchers said. 

"The attacker appears to have obtained the deployer's private key and set an arbitrary peer for vsdCRV," BlockSec explained. "Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T vsdCRV to their address."

The exploit continues one of the worst periods for DeFi exploits, seemingly driven by advancements in artificial intelligence, with dozens of protocols hacked for more than $600 million since April, led by the $292 million exploit of Kelp DAO. On Tuesday, crypto security firm OpenZeppelin's Manuel Aráoz said that he considers "all of DeFi" unsafe, citing the asymmetry between attackers and defenders.

Sodot co-founder and CPO Shalev Keren told The Block that the Stake DAO exploit is structurally similar to the Wasabi incident last month and several other deployer-key compromises this year.

"The Stake DAO deployer key on Arbitrum was used to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum, and about twenty-five seconds later, that contract sent a LayerZero message back across, causing the legitimate Arbitrum token to mint over five trillion vsdCRV to the attacker, who is now dumping it for ETH," Keren said. "There is no smart-contract bug here, and no flaw in LayerZero, there is one private key, controlling one privileged configuration function, with no multisig and no delay between the configuration change going through and the mint clearing onchain."

Keren added that the incident highlights broader concerns around operational security and the concentration of privileged deployer permissions tied to audited DeFi protocols.
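
The sequence the researchers describe (a peer configuration change by a single key, followed seconds later by a very large mint) can be expressed as a monitoring rule. The following is an added example, not code from the article, Stake DAO or LayerZero; the event names, addresses, thresholds and prior-supply figure are constructed assumptions, with only the roughly 25-second gap and the ~5.44T amount mirroring the figures quoted above.

```python
from dataclasses import dataclass

# Assumed policy values for this example, not taken from the article.
MIN_DELAY_S = 24 * 3600     # a new peer should not be usable before this delay
SUPPLY_JUMP_FACTOR = 10     # a single mint above 10x prior supply is abnormal

@dataclass
class Event:
    ts: int                 # unix seconds
    kind: str               # "peer_set" or "mint" (hypothetical normalized names)
    actor: str              # peer_set: caller address; mint: recipient address
    peer: str               # remote peer being configured / that sent the message
    actor_type: str = ""    # "eoa", "multisig" or "timelock" (peer_set only)
    amount: int = 0         # minted amount in whole tokens (mint only)
    supply_before: int = 0  # total supply before the mint (mint only)

def find_alerts(events):
    """Correlate peer changes with the mints that follow them."""
    alerts = []
    last_change = {}        # peer -> most recent peer_set event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "peer_set":
            last_change[ev.peer] = ev
            # Privileged bridge config changed by one key, no multisig or timelock.
            if ev.actor_type == "eoa":
                alerts.append(("PEER_SET_BY_SINGLE_KEY", ev.ts, ev.peer))
        elif ev.kind == "mint":
            change = last_change.get(ev.peer)
            # Mint authorised by a peer that was configured too recently.
            if change and ev.ts - change.ts < MIN_DELAY_S:
                alerts.append(("MINT_FROM_FRESH_PEER", ev.ts, ev.ts - change.ts))
            # Mint that dwarfs the existing supply.
            if ev.supply_before and ev.amount > SUPPLY_JUMP_FACTOR * ev.supply_before:
                alerts.append(("SUPPLY_SPIKE", ev.ts, ev.amount))
    return alerts

# Constructed sample feed: one routine mint, then a peer change and a mint 25 s later.
SAMPLE = [
    Event(ts=1000, kind="mint", actor="0xUSER", peer="0xLEGIT_PEER",
          amount=500, supply_before=1_000_000),
    Event(ts=2000, kind="peer_set", actor="0xDEPLOYER", peer="0xNEW_PEER",
          actor_type="eoa"),
    Event(ts=2025, kind="mint", actor="0xRECIPIENT", peer="0xNEW_PEER",
          amount=5_440_000_000_000, supply_before=1_000_500),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```

A rule like this only shortens response time; the delay and multisig that Keren says were absent have to be enforced onchain to prevent the mint itself.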

This is a developing story.

