Stake DAO, a non-custodial DeFi platform focused on automated yield strategies and governance token liquid lockers, is facing an ongoing exploit after an attacker minted over 5.4 trillion vsdCRV tokens on Arbitrum.
Blockchain security firm Blockaid was the first to flag the attack publicly, posting on X that it had detected an ongoing exploit targeting Stake DAO on Arbitrum. “The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH,” Blockaid wrote.
PeckShield confirmed independently that 5.4 trillion vsdCRV had been minted on Arbitrum, with the exploiter swapping part of the tokens for 43.781 ETH ($91,170) and bridging the proceeds to Ethereum at address 0xeF3C…aa25.
Stake DAO acknowledged the situation shortly after, posting: “We are aware of the ongoing situation. Please do not interact with vsdCRV.”
How the Attack Worked
Blockaid provided a detailed breakdown of the attack mechanics. The private key for the Stake DAO deployer address (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) was compromised. The attacker used it to reconfigure the LayerZero v2 OFT peer on the vsdCRV (Vote Boosted sdCRV) token contract, redirecting trust from the legitimate Ethereum-side vsdCRVOFTAdapter to an attacker-deployed malicious contract.
The attacker then sent a forged cross-chain message that triggered unconditional minting of 5,446,744,073,709 vsdCRV—approximately 5.4 trillion tokens—to their address.
BlockSec’s Phalcon team corroborated: “The attacker appears to have obtained the deployer’s private key and set an arbitrary peer for vsdCRV. Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T vsdCRV to their address.”
Blockaid listed the key onchain evidence, including the malicious peer deployment on Ethereum, the cross-chain mint transaction, the setPeer call on Arbitrum before the mint, and the final mint transaction on Arbitrum.
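A defender-side check for the peer reconfiguration described above, as an added example (not code from Stake DAO, Blockaid or LayerZero): it decodes the PeerSet event data that a LayerZero v2 OApp emits on setPeer and alerts when the new peer is not the allow-listed one. The addresses, the endpoint id 30101, the transaction labels and the log dictionaries are constructed placeholders and assumptions.

```python
# Added example: alert when a LayerZero v2 OFT peer leaves its allow-list.
# Assumption: logs are pre-filtered to the OApp event
# PeerSet(uint32 eid, bytes32 peer); both fields are non-indexed, so the
# log data is two ABI-encoded 32-byte words.

def _hex(s):
    return s[2:] if s.lower().startswith("0x") else s

def addr_to_peer(addr):
    """Left-pad a 20-byte EVM address to the bytes32 form used for peers."""
    return "0x" + _hex(addr).lower().rjust(64, "0")

def decode_peer_set(data_hex):
    raw = bytes.fromhex(_hex(data_hex))
    if len(raw) != 64:
        raise ValueError("PeerSet data must be two 32-byte words")
    eid = int.from_bytes(raw[:32], "big")
    if eid >= 2**32:
        raise ValueError("eid does not fit uint32")
    return eid, "0x" + raw[32:].hex()

def audit_peer_changes(logs, expected):
    """Return one alert per PeerSet log whose peer is not the expected one."""
    alerts = []
    for log in logs:
        eid, peer = decode_peer_set(log["data"])
        want = expected.get((log["address"].lower(), eid))
        if peer != want:  # also fires for an eid with no approved peer
            alerts.append({"tx": log["tx"], "eid": eid,
                           "peer": peer, "expected": want})
    return alerts

# Constructed placeholders, not the real contracts from the incident.
OFT = "0x" + "aa" * 20          # token contract on the destination chain
ADAPTER = "0x" + "bb" * 20      # legitimate source-chain adapter
ROGUE = "0x" + "cc" * 20        # unapproved contract
ETH_EID = 30101                 # assumed endpoint id for the source chain

def _log(tx, peer_addr):
    data = "0x" + ETH_EID.to_bytes(32, "big").hex() + addr_to_peer(peer_addr)[2:]
    return {"address": OFT, "tx": tx, "data": data}

EXPECTED = {(OFT, ETH_EID): addr_to_peer(ADAPTER)}
SAMPLE_LOGS = [_log("tx-1", ADAPTER), _log("tx-2", ROGUE)]

if __name__ == "__main__":
    for alert in audit_peer_changes(SAMPLE_LOGS, EXPECTED):
        print("ALERT unapproved peer:", alert)
```

Because the setPeer call preceded the mint in the sequence Blockaid listed, an alert on the peer change is the earlier of the two signals a monitor could act on.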
$763 Billion in Nominal Value, $91,000 in Actual Extraction
The exploit is notable for the enormous gap between nominal token value and realizable proceeds.
Onchain analyst EmberCN pointed out that the 5.4 trillion vsdCRV carried a nominal value of approximately $763 billion — but vsdCRV has extremely poor liquidity, with pools worth only tens of thousands of dollars. The attacker managed to swap approximately 16.83 million vsdCRV (nominal value ~$2.35 million) for 43.7 ETH ($91,000) across multiple DEX markets including Curve and KyberSwap.
Onchain transaction data shows the attacker systematically worked through available liquidity: exchanging batches of ~963,820 vsdCRV on Curve for CRV tokens, then swapping further batches on KyberSwap for ETH, before exhausting available pools entirely. The remaining trillions of tokens have no liquidity left to exit into.
EmberCN drew a comparison to the Echo Protocol exploit one week earlier, where the attacker stole 1,000 eBTC ($76.45 million nominal) but could only extract $860,000 due to identical liquidity constraints.
Another Deployer Key Compromise in 2026
The Stake DAO exploit fits a pattern that has defined 2026’s worst security incidents. Private key compromises — not smart contract code bugs — have driven the year’s costliest exploits.
The $292 million Kelp DAO breach in April involved a forged cross-chain message through LayerZero infrastructure. The $10.4 million StablR exploit last week was caused by a single compromised key in a 1-of-3 multisig. Drift Protocol’s $285 million loss on April 1 traced back to a six-month social engineering campaign by North Korean state-sponsored hackers targeting team members.
The timing is also striking. Just one day before the Stake DAO exploit, OpenZeppelin co-founder Manuel Aráoz posted that he now considers “all of DeFi” unsafe, citing the asymmetry between attackers and defenders. “Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds,” Aráoz wrote. He said he had advised friends and family to exit DeFi entirely, including blue-chip protocols like Aave, MakerDAO, and Compound.
April 2026 was already the worst month for crypto hacks by incident count in history, with over $600 million lost across a dozen protocols. May has continued the trend with exploits hitting THORChain, Verus Bridge, Echo Protocol, StablR, and now Stake DAO.
Stake DAO has not yet provided a full post-mortem or announced a recovery plan at the time of publication. The exploit appears to be ongoing.
