StakeDAO Deployer Key Leak on Arbitrum Leads to 5.45 Trillion vsdCRV Mint

Security firms said the exploit appears tied to a compromised deployer key that let an attacker reconfigure cross-chain messaging, mint trillions of vsdCRV on Arbitrum, and swap part of it for ETH.

Fact Check
The Block's reporting confirms that 5.4 trillion vsdCRV were minted on Arbitrum, with researchers attributing the cause to a compromised deployer private key. StakeDAO's own official X post acknowledges the incident and warns users not to interact with vsdCRV. PaNews, citing PeckShield, independently corroborates the 5.4 trillion mint with infinite-mint exploit characteristics, and Odaily explicitly reports the deployer key leak with the ~5.45 trillion figure. The minor numeric difference (5.45T vs 5.4T) is consistent with rounding. All core elements of the claim (deployer key leak, Arbitrum venue, multi-trillion vsdCRV mint, and StakeDAO's warning) are corroborated.

Summary

Stake DAO is facing an ongoing exploit involving its vsdCRV token on Arbitrum, with security firms reporting that an attacker minted more than 5.4 trillion tokens and swapped some of them for 43.78 ETH, worth about $91,000, before bridging funds to Ethereum. According to BlockSec, the suspected root cause is a compromised Stake DAO deployer private key that was used to set an arbitrary peer for vsdCRV and forge a malicious cross-chain message, triggering unconditional minting of about 5.44 trillion vsdCRV to the attacker’s address. Stake DAO said it is aware of the incident and urged users not to interact with vsdCRV. The Block also cited Sodot co-founder Shalev Keren, who said the exploit was structurally similar to other deployer-key compromises and involved changing the vsdCRV cross-chain bridge configuration on Arbitrum to an attacker-controlled contract on Ethereum before a LayerZero message triggered the mint.
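
The sequence described above (a peer changed to an unapproved address, then an outsized mint shortly afterwards) can be expressed as a monitoring rule over decoded bridge-token events. This is an added example, not code from Stake DAO, BlockSec or LayerZero; the event record shape, the allowlist, the endpoint id, the 18-decimal unit, the mint ceiling and the block window are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed allowlist: remote endpoint id -> the only peer address the
# protocol team has approved for that chain (placeholder values).
APPROVED_PEERS = {1: "0x" + "aa" * 20}
MINT_CEILING = 1_000_000 * 10**18   # assumed per-message mint ceiling
WATCH_BLOCKS = 50                   # assumed watch window after a peer change

@dataclass
class Event:
    block: int
    kind: str          # "peer_set" or "mint" (hypothetical decoded record)
    eid: int = 0       # remote endpoint id (peer_set only)
    peer: str = ""     # newly configured peer address (peer_set only)
    amount: int = 0    # minted amount in base units (mint only)

def scan(events):
    """Return (block, reason) alerts for decoded bridge-token events."""
    alerts = []
    last_bad_peer_block = None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "peer_set":
            # Any peer that differs from the approved one is a config alert,
            # including a peer set for an endpoint id with no approved entry.
            if APPROVED_PEERS.get(ev.eid, "").lower() != ev.peer.lower():
                alerts.append((ev.block, "unapproved_peer"))
                last_bad_peer_block = ev.block
        elif ev.kind == "mint":
            if ev.amount > MINT_CEILING:
                alerts.append((ev.block, "mint_over_ceiling"))
            # A mint soon after an unapproved peer change is the pattern
            # reported in this incident, so it is flagged regardless of size.
            if (last_bad_peer_block is not None
                    and ev.block - last_bad_peer_block <= WATCH_BLOCKS):
                alerts.append((ev.block, "mint_after_peer_change"))
    return alerts

# Constructed sample log, not real chain data. The large amount mirrors the
# roughly 5.44 trillion figure reported, assuming 18 decimals.
SAMPLE = [
    Event(block=100, kind="mint", amount=500 * 10**18),
    Event(block=200, kind="peer_set", eid=1, peer="0x" + "bb" * 20),
    Event(block=203, kind="mint", amount=5_440_000_000_000 * 10**18),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

In practice the `unapproved_peer` alert is the one that matters most, since it fires before any tokens exist and gives responders a chance to pause the bridge.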

Terms & Concepts
  • Arbitrum: An Ethereum layer-2 network designed to process transactions more cheaply and quickly than the main Ethereum blockchain.
  • vsdCRV: Vote-boosted sdCRV is a yield-related derivative token tied to the Curve Finance ecosystem and used within Stake DAO.
  • LayerZero: A cross-chain messaging protocol that lets applications send messages between blockchains; in this case, it was cited as part of the exploit path rather than the source of the flaw.