Stake DAO Arbitrum key breach mints 5.4T fake vsdCRV

A compromised Stake DAO deployer key on Arbitrum let an attacker mint about 5.4 trillion vsdCRV and swap them for ETH via a public router.
On May 27, a compromised Stake DAO deployer key on Arbitrum allowed an attacker to mint roughly 5.4 trillion Vote-Boosted sdCRV (vsdCRV) tokens and convert them to ether through a public router.
On-chain monitoring services traced the activity to the deployer wallet. The attacker used the privileged key to reset the LayerZero v2 bridge peer setting for vsdCRV and then issued a forged cross-chain message. About 25 seconds later the bridge accepted the message and minted the tokens on Arbitrum.
The attacker routed the newly minted vsdCRV through MetaMask’s public router and swapped the tokens for ETH. Security reviewers reported no vulnerability in the vsdCRV smart contracts; the incident arose from the compromised private key that had permission to change bridge peer configuration and trigger mints.
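A monitoring check for the sequence described above, as an added example that is not Stake DAO's or LayerZero's code: it flags a `PeerSet` event (emitted by LayerZero v2 OApps when `setPeer` is called) whose peer is not on an allowlist, and any mint made while such a peer is active. The event records, peer values and endpoint id are constructed, and treating an ERC-20 `Transfer` from the zero address as a mint is an assumption about the token.

```python
ZERO = "0x" + "00" * 20
APPROVED = "0x" + "11" * 32   # constructed bytes32 peer value
ROGUE = "0x" + "ee" * 32      # constructed bytes32 peer value

# Constructed, already-decoded logs for one bridged token (not real chain data).
EVENTS = [
    {"ts": 500,  "tx": "0xa1", "event": "Transfer", "from": ZERO, "amount": 10},
    {"ts": 900,  "tx": "0xa2", "event": "PeerSet", "eid": 1, "peer": APPROVED},
    {"ts": 1000, "tx": "0xa3", "event": "PeerSet", "eid": 1, "peer": ROGUE},
    {"ts": 1025, "tx": "0xa4", "event": "Transfer", "from": ZERO,
     "amount": 5_400_000_000_000},
    {"ts": 2000, "tx": "0xa5", "event": "PeerSet", "eid": 1, "peer": APPROVED},
    {"ts": 2100, "tx": "0xa6", "event": "Transfer", "from": ZERO, "amount": 10},
]


def detect(events, approved_peers):
    """Flag peer changes outside the allowlist and mints made while one is active."""
    alerts = []
    rogue_since = {}  # eid -> timestamp at which an unapproved peer was first set
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "PeerSet":
            if approved_peers.get(ev["eid"]) == ev["peer"]:
                rogue_since.pop(ev["eid"], None)  # peer restored to approved value
            else:
                rogue_since.setdefault(ev["eid"], ev["ts"])
                alerts.append(("UNAPPROVED_PEER", ev["tx"], ev["eid"]))
        elif ev["event"] == "Transfer" and ev["from"] == ZERO and rogue_since:
            # Mint while at least one endpoint points at an unapproved peer.
            delay = ev["ts"] - min(rogue_since.values())
            alerts.append(("MINT_WHILE_PEER_UNAPPROVED", ev["tx"], delay))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, {1: APPROVED}):
        print(alert)
```

With a gap of seconds between the peer change and the mint, an alert like this is only useful if it can trigger an automated pause; otherwise it serves as forensic evidence after the fact.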
The Stake DAO incident follows several recent cases where operational key compromises, rather than code bugs, enabled large losses. In April a compromised deployer wallet extracted about $4.5 million from a multi-chain protocol. The same month a private key compromise led to a $285 million loss on Solana’s Drift Protocol. A later bridge incident prompted protocol freezes after an exploit of roughly $292 million, and earlier this year an $80 million unauthorized mint was traced to misuse of privileged keys.
Shalev Keren, co-founder of Sodot, warned: “The question DeFi has to answer in 2026 is no longer whether protocols get audited, because almost all of them do. It is whether the small set of operational keys behind those audited contracts are still allowed to live as a single object on a single laptop.”
Developers and operators are being urged to separate high-privilege keys from daily operational assets and to add multisignature approvals, time-locks on administrative actions, and hardware or dedicated key-management services to reduce single points of failure.
Stake DAO and on-chain monitors continue to analyze transaction traces to identify the final ETH destination and assess any remaining exposure.







