StakeDAO Attacker Mints 5.4T vsdCRV, Cashes Out Only $91K
In brief
- Attacker minted 5.4 trillion vsdCRV on Arbitrum via compromised StakeDAO deployer key.
- Minted tokens were theoretically worth $763 billion but lacked meaningful liquidity.
- Realized proceeds totaled $91,000 after swapping and bridging 43.7 ETH to mainnet.
- Vulnerability stems from unprotected operational keys, not smart contract flaws.
The exploit mechanics
A single StakeDAO deployer key on Arbitrum had no multi-signature protection and no delay safeguards. The attacker used it to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum. About 25 seconds later, that contract sent a LayerZero message back to Arbitrum, triggering the legitimate token to mint over 5 trillion vsdCRV directly to the attacker's address.
The speed mattered. Without delays or governance checks, the entire attack chain executed in seconds.
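Added example (not from the original article and not StakeDAO's or LayerZero's code): a minimal monitor over decoded bridge events that flags the pattern described above, a peer reconfiguration signed by a single key followed by a mint through the new peer before any delay has elapsed. The event kinds, field names, addresses, the 24-hour delay and the mint ceiling are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical event schema standing in for decoded on-chain logs.
@dataclass(frozen=True)
class Event:
    ts: int          # block timestamp, seconds
    kind: str        # "peer_changed" or "mint"
    actor: str       # tx sender for peer_changed, recipient for mint
    peer: str = ""   # remote contract the bridge trusts / that sent the message
    amount: int = 0  # minted amount in whole tokens

KNOWN_PEERS = {"0xLegitPeer"}        # assumed allow-list of reviewed remote peers
TIMELOCKED_ADMINS = {"0xTimelock"}   # assumed admin paths behind multisig + delay
MIN_DELAY = 24 * 3600                # assumed policy: config changes settle for 24h
MAX_MINT = 10_000_000                # assumed per-message mint ceiling

def alerts(events):
    """Return alert strings for risky peer changes and the mints that follow them."""
    out, pending = [], {}            # pending: unreviewed peer -> time it was set
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "peer_changed":
            if e.actor not in TIMELOCKED_ADMINS:
                out.append(f"{e.ts} peer set to {e.peer} by single key {e.actor}")
            if e.peer not in KNOWN_PEERS:
                pending[e.peer] = e.ts
        elif e.kind == "mint":
            changed = pending.get(e.peer)
            if changed is not None and e.ts - changed < MIN_DELAY:
                out.append(f"{e.ts} mint via peer {e.peer} {e.ts - changed}s after reconfig")
            if e.amount > MAX_MINT:
                out.append(f"{e.ts} mint of {e.amount} exceeds ceiling {MAX_MINT}")
    return out

SAMPLE = [  # constructed timeline: normal mint, reconfiguration, mint 25 seconds later
    Event(1_000, "mint", "0xUser", "0xLegitPeer", 5_000),
    Event(2_000, "peer_changed", "0xDeployerEOA", "0xNewPeer"),
    Event(2_025, "mint", "0xRecipient", "0xNewPeer", 5_400_000_000_000),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```

Any one of the three alerts would have fired inside the 25-second window; the first fires at the configuration change itself, before any mint clears.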
Why the windfall evaporated
EmberCN estimated the 5.4 trillion vsdCRV at about $763 billion on paper, a staggering notional value. But markets don't work on paper. The attacker swapped about 16.83 million vsdCRV while the remaining tokens had little meaningful liquidity to exit. Most of the supply was untradeable.
PeckShield said the attacker bridged 43.7 ETH to Ethereum after converting what could be sold. That $91,000 haul represents the gap between theoretical and realized value in illiquid markets.
The real lesson: operational keys
Shalev Keren, chief product officer and co-founder of Sodot, framed the incident as structurally similar to the Wasabi incident last month, which drained about $5.5 million in crypto. Both exploited compromised deployer keys with no safeguards.
"There is no smart contract bug here and no flaw in LayerZero. There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing onchain." — Shalev Keren, chief product officer and co-founder of Sodot
The vulnerability wasn't technical complexity. It was a single point of failure. Keren said the broader issue for DeFi protocols in 2026 is no longer only whether contracts are audited, but whether the operational keys behind those contracts remain single points of failure.
StakeDAO said it was aware of the incident and warned its users not to interact with vsdCRV. The protocol faces the harder work now: rebuilding trust in its key management infrastructure.
Frequently asked questions
How did the attacker mint 5.4 trillion vsdCRV tokens?
A compromised StakeDAO deployer key on Arbitrum was used to reconfigure the vsdCRV cross-chain bridge to point to an attacker-controlled contract on Ethereum. About 25 seconds later, that contract sent a LayerZero message back to Arbitrum, triggering the legitimate token to mint over 5 trillion vsdCRV to the attacker.
Why couldn't the attacker sell all 5.4 trillion vsdCRV tokens?
The vsdCRV token lacked meaningful liquidity on exchanges. Although the minted tokens were theoretically worth $763 billion on paper, the attacker could only swap about 16.83 million tokens before exhausting available buy-side depth, limiting realized proceeds to approximately $91,000.
Was this a smart contract bug?
No. Security experts confirmed there was no smart contract vulnerability or flaw in LayerZero. The exploit stemmed entirely from a single unprotected deployer key with no multi-signature requirement and no delay between configuration changes and token minting.


