Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    After Securing MiCA License, OKX Says Banking License Is Not a Priority
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

Stake DAO Exploited as Hacker Mints 5.4 Trillion Fake vsdCRV

Blockchain security firms flagged the ongoing exploit on Arbitrum — but thin DEX liquidity limited actual extraction to roughly $91,000.

Written By Dhara Chavda
Published 2026-05-27·Updated 2 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
Stake DAO Exploited as Hacker Mints 5.4 Trillion Fake vsdCRV
Show AI Summary
Stake DAO faces ongoing exploit consequences, with over 5 trillion vsdCRV tokens minted
Due to extremely thin DEX liquidity, the attacker could only swap approximately 16.83 million vsdCRV for 43.78 ETH (~$91,000)
Stake DAO acknowledged the incident and warned users not to interact with vsdCRV

Stake DAO, a non-custodial DeFi platform focused on automated yield strategies and governance token liquid lockers, is facing an ongoing exploit after an attacker minted over 5.4 trillion vsdCRV tokens on Arbitrum.

Blockchain security firm Blockaid was the first to flag the attack publicly, posting on X that it had detected an ongoing exploit targeting Stake DAO on Arbitrum. “The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH,” Blockaid wrote.

PeckShield confirmed independently that 5.4 trillion vsdCRV had been minted on Arbitrum, with the exploiter swapping part of the tokens for 43.781 ETH ($91,170) and bridging the proceeds to Ethereum at address 0xeF3C…aa25.

Stake DAO acknowledged the situation shortly after, posting: “We are aware of the ongoing situation. Please do not interact with vsdCRV.”

We are aware of the ongoing situation.
Please do not interact with vsdCRV. https://t.co/3wZhMo52r6

— Stake DAO (@StakeDAOHQ) May 27, 2026

How the Attack Worked

Blockaid provided a detailed breakdown of the attack mechanics. The Stake DAO deployer private key (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) was compromised. The attacker used it to reconfigure the LayerZero v2 OFT peer on the vsdCRV (Vote Boosted sdCRV) token contract, redirecting trust from the legitimate Ethereum-side vsdCRVOFTAdapter to an attacker-deployed malicious contract.

The attacker then sent a forged cross-chain message that triggered unconditional minting of 5,446,744,073,709 vsdCRV—approximately 5.4 trillion tokens—to their address.

BlockSec’s Phalcon team corroborated: “The attacker appears to have obtained the deployer’s private key and set an arbitrary peer for vsdCRV. Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T vsdCRV to their address.”

Blockaid listed the key onchain evidence including the malicious peer deployment on Ethereum, the cross-chain mint transaction, the setPeer call on Arbitrum before the mint, and the final mint transaction on Arbitrum.

$763 Billion in Nominal Value, $91,000 in Actual Extraction

The exploit is notable for the enormous gap between nominal token value and realizable proceeds.

Onchain analyst EmberCN pointed out that the 5.4 trillion vsdCRV carried a nominal value of approximately $763 billion — but vsdCRV has extremely poor liquidity, with pools worth only tens of thousands of dollars. The attacker managed to swap approximately 16.83 million vsdCRV (nominal value ~$2.35 million) for 43.7 ETH ($91,000) across multiple DEX markets including Curve and KyberSwap.

Onchain transaction data shows the attacker systematically worked through available liquidity: exchanging batches of ~963,820 vsdCRV on Curve for CRV tokens, then swapping further batches on KyberSwap for ETH, before exhausting available pools entirely. The remaining trillions of tokens have no liquidity left to exit into.

EmberCN drew a comparison to the Echo Protocol exploit one week earlier, where the attacker stole 1,000 eBTC ($76.45 million nominal) but could only extract $860,000 due to identical liquidity constraints.

Another Deployer Key Compromise in 2026

The Stake DAO exploit fits a pattern that has defined 2026’s worst security incidents. Private key compromises — not smart contract code bugs — have driven the year’s costliest exploits.

The $292 million Kelp DAO breach in April involved a forged cross-chain message through LayerZero infrastructure. The $10.4 million StablR exploit last week was caused by a single compromised key in a 1-of-3 multisig. The Drift Protocol’s $285 million loss on April 1 traced back to a six-month social engineering campaign by North Korean state-sponsored hackers targeting team members.

The timing is also striking. Just one day before the Stake DAO exploit, OpenZeppelin co-founder Manuel Aráoz posted that he now considers “all of DeFi” unsafe, citing the asymmetry between attackers and defenders. “Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds,” Aráoz wrote. He said he had advised friends and family to exit DeFi entirely, including blue-chip protocols like Aave, MakerDAO, and Compound.

April 2026 was already the worst month for crypto hacks by incident count in history, with over $600 million lost across a dozen protocols. May has continued the trend with exploits hitting THORChain, Verus Bridge, Echo Protocol, StablR, and now Stake DAO.

Stake DAO has not yet provided a full post-mortem or announced a recovery plan at the time of publication. The exploit appears to be ongoing.

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Crypto Hack
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

Crypto Market Braces for US CPI and PPI Data as Fed Outlook Looms
Crypto Market Braces for US CPI and PPI Data as Fed Outlook Looms
Senator Hagerty Says CLARITY Act Has Momentum to Pass Soon
Senator Hagerty Says CLARITY Act Has Momentum to Pass Soon
Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App
Aave Picks Chainlink CCIP to Power Upcoming Multi-Chain App
JIP-38 Approved: Jito to Use JTX Revenue for JTO Buybacks
JIP-38 Approved: Jito to Use JTX Revenue for JTO Buybacks
After Securing MiCA License, OKX Says Banking License Is Not a Priority
After Securing MiCA License, OKX Says Banking License Is Not a Priority

Find Us on Socials

You may also like

BonkDAO Updates Community After $20M Treasury Governance Incident

BonkDAO Updates Community After $20M Treasury Governance Incident

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

PHX-WBNB Liquidity Pool Drained of Nearly $90K in BNB Chain Exploit

Crypto Loses $35M in a Week BonkDAO, Bonzo Lend, Summer.fi Hacked

Crypto Loses $35M in a Week: BonkDAO, Bonzo Lend, Summer.fi Hacked

Hedera's Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

Hedera’s Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information