An attacker minted more than 5.4 trillion vsdCRV on Arbitrum after a suspected compromise of a StakeDAO-linked deployer key, though thin liquidity limited the realized proceeds to about $91,000.
Blockchain security firm PeckShield said Wednesday the attacker swapped part of the minted vsdCRV for 43.7 Ether (ETH), worth about $91,000, and bridged the funds to Ethereum. Onchain analyst EmberCN said the attacker swapped about 16.83 million vsdCRV, while the remaining tokens had little meaningful liquidity to exit.
EmberCN estimated the 5.4 trillion vsdCRV at about $763 billion on paper, though the figure does not represent the attacker’s realized profit or the protocol’s confirmed loss.
The incident highlights the gap between nominal token values and extractable value in decentralized finance exploits, where attackers can mint enormous token amounts but only cash out what available liquidity allows. In this case, the attacker’s proceeds were limited by the small size of vsdCRV liquidity pools.
StakeDAO said it was aware of the incident and warned its users not to interact with vsdCRV.
Stake DAO said it was aware of the incident. Source: Stake DAO
Incident points to a deployer-key compromise
Shalev Keren, chief product officer and co-founder of crypto key-management firm Sodot, told Cointelegraph that the StakeDAO incident was “structurally similar” to other deployer-key compromises seen this year, including the Wasabi incident last month, which drained about $5.5 million in crypto.
Keren said a single StakeDAO deployer key on Arbitrum was used to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum. About 25 seconds later, that contract sent a LayerZero message back to Arbitrum, causing the legitimate Arbitrum token to mint more than 5 trillion vsdCRV to the attacker.
“There is no smart contract bug here and no flaw in LayerZero,” Keren said. “There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing onchain.”
Keren said the broader issue for DeFi protocols in 2026 is no longer only whether contracts are audited, but whether the operational keys behind those contracts remain single points of failure.