Stake DAO, a DeFi platform focused on automated yield strategies, is experiencing an ongoing exploit after an attacker minted over 5.4 trillion vsdCRV tokens on Arbitrum and actively swapped them for ETH, multiple blockchain security firms reported on Wednesday. The suspected root cause is a compromised Stake DAO deployer private key that allowed the attacker to manipulate the vsdCRV cross-chain bridge configuration. This incident adds to a surge in DeFi exploits since April, with more than $600 million stolen across dozens of protocols, including Kelp DAO's $292 million exploit, as advancements in artificial intelligence appear to be driving increased attack sophistication.
Technical Details of the Exploit
The attacker minted over 5.4 trillion vsdCRV on Arbitrum and is actively swapping it for ETH, according to Blockaid. PeckShield reported that 43.78 ETH ($91,000) worth of tokens had been swapped and bridged to Ethereum. vsdCRV, or vote-boosted sdCRV, is a yield-related derivative token tied to the Curve Finance ecosystem and used within Stake DAO.
BlockSec explained that the attacker appears to have obtained the deployer's private key and set an arbitrary peer for vsdCRV. "Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T vsdCRV to their address," BlockSec stated.
Sodot co-founder and CPO Shalev Keren told The Block that "the Stake DAO deployer key on Arbitrum was used to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum, and about twenty-five seconds later, that contract sent a LayerZero message back across, causing the legitimate Arbitrum token to mint over five trillion vsdCRV to the attacker, who is now dumping it for ETH." Keren clarified that "there is no smart-contract bug here, and no flaw in LayerZero, there is one private key, controlling one privileged configuration function, with no multisig and no delay between the configuration change going through and the mint clearing onchain."
Official Response
Stake DAO said it was aware of the situation and urged users not to interact with vsdCRV.
Security Analysis
Shalev Keren told The Block that the Stake DAO exploit is structurally similar to the Wasabi incident last month and several other deployer-key compromises this year. Keren added that the incident highlights broader concerns around operational security and the concentration of privileged deployer permissions tied to audited DeFi protocols.
On Tuesday, crypto security firm OpenZeppelin's Manuel Aráoz said that he considers "all of DeFi" unsafe, citing the asymmetry between attackers and defenders.
Broader Context
The exploit continues one of the worst periods for DeFi exploits, seemingly driven by advancements in artificial intelligence, with dozens of protocols hacked for more than $600 million since April, led by the $292 million exploit of Kelp DAO.
This is a developing story.
