StakeDAO Exploit: 5.4 Trillion vsdCRV Minted via Compromised Private Key
Severity: High (Score: 68.0)
Sources: Theblock.Co, Thedefiant, Cryptobriefing, www.chaincatcher.com, Weex
Keywords: stake, vsdcrv, security, incident, advises, platform, responds
Summary
On May 27, 2026, a hacker exploited StakeDAO by compromising its deployer private key, minting over 5.4 trillion vsdCRV tokens on Arbitrum. The attacker swapped a portion of these tokens for approximately $91,000 worth of ETH. StakeDAO, a DeFi protocol, has advised users to cease interactions with vsdCRV immediately. The exploit leveraged a manipulated cross-chain messaging system, allowing the attacker to issue mint commands by replacing the legitimate authorized address. This incident is part of a troubling trend in DeFi exploits, with significant financial losses reported across multiple protocols. StakeDAO's governance token, SDT, saw a 6.6% drop in value following the incident. The exploit's impact extended to Curve Finance, prompting warnings for users with deposits in affected markets. The situation remains ongoing as StakeDAO works on remediation.
Key Points:
- A hacker minted 5.4 trillion vsdCRV tokens after compromising StakeDAO's deployer key.
- The exploit allowed the attacker to swap some tokens for approximately $91,000 in ETH.
- StakeDAO has advised users to stop interacting with vsdCRV due to the ongoing exploit.
Detailed Analysis
**Impact** StakeDAO, a DeFi protocol with $131 million in total value locked, was exploited when an attacker minted 5.4 trillion vsdCRV tokens on Arbitrum. Approximately $91,000 worth of these tokens were swapped for ETH before liquidity dried up. The incident affected users interacting with vsdCRV, destabilized Curve Finance’s lending market on Arbitrum, and forced Beefy Finance to pause an impacted vault. The SDT governance token price dropped 6.6% with a 400% spike in trading volume following the exploit.
**Technical Details** The attacker compromised StakeDAO’s deployer private key to replace the authorized peer address in the LayerZero v2 OFT cross-chain token contract for vsdCRV. This allowed forging of trusted cross-chain mint instructions, resulting in an unbacked mint of 5.4 trillion tokens. No smart contract bugs or LayerZero protocol flaws were exploited; the attack leveraged privileged deployer permissions without multisig or delay controls. The attacker converted a portion of tokens into 43.78 ETH and bridged the proceeds to Ethereum address 0xeF3C...aa25.
**Recommended Response** StakeDAO and associated protocols should immediately rotate and secure all deployer private keys controlling privileged configurations, implement multisig and time delays on critical contract functions, and pause affected contracts. Users must be advised to cease all interactions with vsdCRV tokens until remediation is complete. Monitoring for unauthorized peer configuration changes and suspicious mint transactions on LayerZero OFT contracts is critical. No patches are currently available; operational security and key management must be prioritized.
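The monitoring recommended above can be prototyped as a small log scanner. This is an added example, not StakeDAO's or LayerZero's code: it assumes logs already decoded by an indexer into `PeerSet(eid, peer)` and ERC-20 `Transfer` records, and the approved peer, mint ceiling, endpoint id, transaction ids and addresses are constructed sample values.

```python
ZERO = "0x" + "00" * 20

# Assumption: peers the operator approved per endpoint id (constructed values).
APPROVED_PEERS = {30101: "0x" + "00" * 12 + "aa" * 20}
# Assumption: largest single mint treated as normal, in token base units.
MAX_NORMAL_MINT = 1_000_000 * 10**18

# Constructed sample logs, shaped as an indexer might return decoded events.
SAMPLE_LOGS = [
    {"block": 100, "index": 0, "tx": "0xtx1", "event": "Transfer",   # routine mint
     "args": {"from": ZERO, "to": "0x" + "11" * 20, "value": 500 * 10**18}},
    {"block": 101, "index": 0, "tx": "0xtx2", "event": "PeerSet",    # peer replaced
     "args": {"eid": 30101, "peer": "0x" + "00" * 12 + "bb" * 20}},
    {"block": 102, "index": 0, "tx": "0xtx3", "event": "Transfer",   # unbacked mint
     "args": {"from": ZERO, "to": "0x" + "22" * 20, "value": 5_400_000_000_000 * 10**18}},
    {"block": 103, "index": 0, "tx": "0xtx4", "event": "Transfer",   # ordinary transfer
     "args": {"from": "0x" + "22" * 20, "to": "0x" + "33" * 20, "value": 10**18}},
]


def scan(logs, approved=APPROVED_PEERS, max_mint=MAX_NORMAL_MINT):
    """Return (severity, tx, reason) alerts for decoded logs, in chain order."""
    alerts, rogue_eids = [], set()
    for log in sorted(logs, key=lambda l: (l["block"], l["index"])):
        args = log["args"]
        if log["event"] == "PeerSet":
            if approved.get(args["eid"]) == args["peer"].lower():
                rogue_eids.discard(args["eid"])   # restored to the approved peer
            else:
                rogue_eids.add(args["eid"])
                alerts.append(("CRITICAL", log["tx"], f"unapproved peer set for eid {args['eid']}"))
        elif log["event"] == "Transfer" and args["from"].lower() == ZERO:
            # A Transfer from the zero address is how an ERC-20 mint appears in logs.
            if rogue_eids:
                alerts.append(("CRITICAL", log["tx"], "mint while an unapproved peer is configured"))
            elif args["value"] > max_mint:
                alerts.append(("HIGH", log["tx"], "mint larger than the normal ceiling"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(*alert, sep=" | ")
```

Any mint seen while a peer differs from the allowlist is escalated regardless of size, since the peer change is what makes forged mint instructions acceptable to the contract.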
Source articles (7)
- Security researchers flag ongoing Stake DAO exploit after attacker mints trillions of vsdCRV — Theblock.Co · 2026-05-27
  Stake DAO, a DeFi platform focused on automated yield strategies, is facing an ongoing exploit, multiple blockchain security firms reported on Wednesday. The attacker minted over 5.4 trillion vsdCRV o…
- Stake DAO faces ongoing exploit as attacker mints 5.4T vsdCRV on Arbitrum — Cryptobriefing · 2026-05-27
  The attacker was unable to realize meaningful profits due to vsdCRV's extremely thin liquidity. Stake DAO, a non-custodial liquid staking platform, became the target of a major exploit on Arbitrum aft…
- Stake DAO responds to security incident, advises against interacting with vsdCRV for now — Bitget · 2026-05-27
  ChainCatcher reported that Stake DAO responded to the security incident on the X platform, stating that its team is aware of the event and advises users not to interact with vsdCRV for now. In additio…
- Stake DAO responds to the security incident: Do not interact with vsdCRV at this time — Weex · 2026-05-27
  Stake DAO posted on platform X in response to the security incident, stating that its team is aware of the current security event and advises against interacting with vsdCRV. Previously, an anomaly oc…
- Stake DAO exploited via compromised key, attack... | Pluang – Crypto, Stocks, Gold & Funds — Pluang · 2026-05-27
  Stake DAO is facing an active exploit on the Arbitrum network after an attacker used a compromised deployer key to mint 5.4 trillion vsdCRV tokens, a wrapped governance token. These tokens are being s…
- Hacker Mints 5.4 Trillion Tokens in StakeDAO Exploit, Nets $91K — Thedefiant · 2026-05-27
  A hacker compromised StakeDAO's deployer private key on Wednesday, minting 5.4 trillion vsdCRV tokens on Arbitrum and swapping a portion for roughly $91,000 worth of ETH, an attack that rippled into C…
- Chaincatcher — www.chaincatcher.com · 2026-05-27
Timeline
- 2026-05-27 — StakeDAO exploit confirmed: A hacker compromised StakeDAO's deployer private key, minting over 5.4 trillion vsdCRV tokens.
- 2026-05-27 — User warnings issued: StakeDAO warned users to stop interacting with vsdCRV due to the exploit.
- 2026-05-27 — ETH conversion reported: The attacker converted part of the minted tokens into 43.78 ETH, worth around $91,000.
- 2026-05-27 — StakeDAO governance token drops: Following the exploit, StakeDAO's SDT token fell approximately 6.6% in value.
Related entities
- Data Breach (Attack Type)
- Beefy Finance (Company)
- Stake DAO (Company)
- StakeDAO (Company)
- Arbitrum (Company)
- Ethereum (Company)
- Curve Finance (Platform)
- LayerZero (Platform)
- CWE-190 - Integer Overflow Or Wraparound (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- Finance (Industry)
- T1552.004 - Private Keys (Mitre Attack)