Stake DAO faces an exploit on Arbitrum that is tied to the vsdCRV Token. Blockaid, a blockchain security company, said that an attacker created more than 5.4 billion vsdCRV tokens and started trading them for ETH.
The following is a summary of the information that you will find on this page.
- Stake DAO warns users against interacting with the exploit as it remains active.
- According to security researchers, an attacker created 5.4 trillion VsdCRV (vsdCRV) on Arbitrum prior to swapping funds.
- A compromised deployer-key was used to modify LayerZero peers settings.
Stake DAO has confirmed that it is aware of this situation, and warned users to avoid interacting with vsdCRV. As researchers tracked the attackers’ activity on Ethereum and Arbitrum, Stake DAO issued a warning.
The vsdCRV (or vote-boosted SdCRV) is linked to the Curve Finance eco system and is used in Stake DAO yield products. It was this token that became the focal point of the incident, after an attacker had allegedly gained sufficient control to produce a massive supply.
PeckShield said A part of the coined money had been traded for 43.78 Ethereum (ETH), worth approximately $91,000. The bridge to Ethereum was already in place. This is a developing incident, so final figures could change as additional transactions are traced.
Researchers reveal deployer-key compromise
Blockaid believes the Stake DAO private key was compromised. According The attacker used this access to configure the LayerZero OFT peer to use the vsdCRV contract token.
The attacker allegedly used this change to redirect trust from a legitimate Ethereum-side contract, which was controlled by him. The attacker sent a forgery of a cross-chain message which triggered the creation of approximately 5.44 trillion VsdCRV.
BlockSec described it as an attack whereby the attacker appears to have obtained the deployer’s private key, and then set a random peer for vsdCRV. According to BlockSec, the fake message caused minting of the attacker’s account.
This incident highlights how DeFi is still vulnerable to privileged access. Even when the code for smart contracts works according to design, a compromised deploier key gives attackers access to trusted settings that can trigger loss.
DeFi security concerns deepen
Stake DAO is the latest in a string of DeFi attacks. As described previously reported by crypto.news, OpenZeppelin co-founder Manuel Aráoz said he now considers “all of DeFi” Unsafe and have advised family and friends to leave DeFi positions.
Aráoz argued that coding agents are becoming strong tools for finding vulnerabilities, while defenders still need to fix every weakness before attackers find one. In April, DeFi protocols were hacked for about $629.7 Million.
Separately, Wasabi Protocol lost more than $5 million After a compromised Admin key enabled attackers to upgrade and drain funds from Ethereum, Base and Blast.
This case is similar to the Stake DAO issue because it involved key privilege access, not a simple event of market manipulation. Wasabi advised users to refrain from interacting with contracts during the investigation.
Cross-chain risks remain in focus
Stake DAO also highlights the risks of tokens being used across chains. The security reports show that in 2026 there were repeated attacks on chains involving peer settings, bridges and message validity.
BlockSec May’s security round-up listed There were multiple incidents in Ethereum, Sui BNB Chain Base Blast Berachain and Berachain with a total of $15.9 Million over two weeks. Wasabi was also named as a case of key compromise in its blog.
Kelp DAO will be in action from April to May. suffered One of the largest DeFi attacks this year, after hackers drained $292,000,000 from a LayerZero powered bridge. This breach has raised questions about the cross-chain backing of assets across 20 different networks.
“This article is not financial advice.”
“Always do your own research before making any type of investment.”
“ItsDailyCrypto is not responsible for any activities you perform outside ItsDailyCrypto.”
Source: crypto.news
