{"id":29873,"date":"2026-05-27T13:17:23","date_gmt":"2026-05-27T13:17:23","guid":{"rendered":"https:\/\/bitunikey.com\/news\/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth\/"},"modified":"2026-05-27T13:17:28","modified_gmt":"2026-05-27T13:17:28","slug":"defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth\/","title":{"rendered":"DeFi exploit hits Stake DAO as attacker swaps vsdCRV for ETH"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p><strong>Stake DAO is facing an ongoing exploit tied to its vsdCRV token on Arbitrum. Blockchain security firm Blockaid said an attacker minted more than 5.4 trillion vsdCRV and began swapping the tokens for ETH.<\/strong><\/p>\n<div id=\"cn-block-summary-block_722de7c77a5df653862134a86bf69cf9\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Stake DAO warned users not to interact with vsdCRV as the exploit remained active.<\/li>\n<li>Security researchers said an attacker minted about 5.4 trillion vsdCRV on Arbitrum before swapping funds.<\/li>\n<li>The suspected cause was a compromised deployer key used to alter LayerZero peer settings.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>Stake DAO confirmed it was aware of the situation and told users not to interact with vsdCRV. The project\u2019s warning came as researchers continued tracking the attacker\u2019s activity across Arbitrum and Ethereum.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We are aware of the ongoing situation.<br \/>Please do not interact with vsdCRV. <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/3wZhMo52r6\">https:\/\/t.co\/3wZhMo52r6<\/a><\/p>\n<p>\u2014 Stake DAO (@StakeDAOHQ) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/StakeDAOHQ\/status\/2059586800255910039?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 27, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>vsdCRV, or vote-boosted sdCRV, is tied to the Curve Finance ecosystem and used within Stake DAO\u2019s yield products. The token became the center of the incident after the attacker allegedly gained enough control to mint a huge supply.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>PeckShield <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/PeckShieldAlert\/status\/2059578749352640679?s=20\" target=\"_blank\" rel=\"nofollow\">said<\/a> part of the minted funds had already been swapped for 43.78 ETH, worth about $91,000, and bridged to Ethereum. The incident remains a developing story, and final loss figures may change as more transactions are traced.<\/p>\n<figure class=\"wp-block-image size-large\"><figcaption class=\"wp-element-caption\">Source: PeckShield\/X<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>Researchers point to deployer key compromise<\/strong><\/h2>\n<p>Blockaid said the suspected root cause was a compromised Stake DAO deployer private key. <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/blockaid_\/status\/2059573118927049152?s=20\" target=\"_blank\" rel=\"nofollow\">According<\/a> to the firm, the attacker used that access to reconfigure the LayerZero v2 OFT peer for the vsdCRV token contract.<\/p>\n<p>That change allegedly redirected trust from the legitimate Ethereum-side adapter to a malicious contract controlled by the attacker. The attacker then sent a forged cross-chain message that triggered the minting of roughly 5.44 trillion vsdCRV.<\/p>\n<p>BlockSec described the attack as a case where the attacker appeared to obtain the deployer\u2019s private key and set an arbitrary peer for vsdCRV. The firm said the forged message then caused unconditional minting to the attacker\u2019s address.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">.<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/StakeDAOHQ?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">@StakeDAOHQ<\/a> was reportedly exploited via a deployer key compromise, resulting in ~5.44T <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24vsdCRV&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$vsdCRV<\/a> minted to the attacker. The attacker appears to have obtained the deployer\u2019s private key and set an arbitrary peer for <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/search?q=%24vsdCRV&amp;src=ctag&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">$vsdCRV<\/a>. Using that peer, they forged a malicious message that\u2026<\/p>\n<p>\u2014 BlockSec Phalcon (@Phalcon_xyz) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/Phalcon_xyz\/status\/2059582384849506454?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 27, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The incident shows how privileged access remains a major risk in DeFi. Even when smart contract code works as designed, a compromised deployer key can give attackers the ability to change trusted settings and trigger losses.<\/p>\n<h2 class=\"wp-block-heading\"><strong>DeFi security concerns deepen<\/strong><\/h2>\n<p>The Stake DAO exploit follows a series of recent DeFi incidents. As previously reported by crypto.news, OpenZeppelin co-founder Manuel Ar\u00e1oz said he now considers \u201call of DeFi\u201d unsafe and has advised friends and family to exit DeFi positions.<\/p>\n<p>Ar\u00e1oz argued that coding agents are becoming strong tools for finding vulnerabilities, while defenders still need to fix every weakness before attackers find one. His comments came as DeFi protocols lost about $629.7 million to hacks in April.<\/p>\n<p>Separately,\u00a0 Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after a compromised admin key allowed attackers to upgrade contracts and drain funds.<\/p>\n<p>That case resembles the current Stake DAO concern because both incidents involved privileged key access rather than a simple market manipulation event. Wasabi also warned users not to interact with its contracts while the team investigated.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Cross-chain risks remain in focus<\/strong><\/h2>\n<p>The Stake DAO incident also points back to cross-chain token risks. Security reports have tracked repeated attacks involving bridges, peer settings, and message validation across chains in 2026.<\/p>\n<p>BlockSec\u2019s May security roundup <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blocksec.com\/blog\/weekly-web3-security-roundup-2026-05-10\" target=\"_blank\" rel=\"nofollow\">listed<\/a> multiple incidents across Ethereum, Sui, BNB Chain, Base, Blast, and Berachain, with total losses of about $15.9 million over a two-week period. Its blog also identified Wasabi as a key-compromise case.<\/p>\n<p>In April, Kelp DAO suffered one of the year\u2019s largest DeFi exploits after attackers drained about $292 million from a LayerZero-powered bridge. The breach raised concerns about cross-chain asset backing across more than 20 networks.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stake DAO is facing an ongoing exploit tied to its vsdCRV token on Arbitrum. Blockchain security firm Blockaid said an attacker minted more than 5.4 trillion vsdCRV and began swapping&hellip;<\/p>\n","protected":false},"author":1,"featured_media":29669,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=29873"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29873\/revisions"}],"predecessor-version":[{"id":29874,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29873\/revisions\/29874"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/29669"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=29873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=29873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=29873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}