News
27 May 2026, 17:48
Massive vsdCRV Exploit on Arbitrum: Vulnerability Drives Cross-Chain Attack

A critical exploit of StakeDAO on Arbitrum, flagged by blockchain security firm Blockaid, recently sent a shockwave of concern through the decentralized finance ecosystem. The first alarming sign in public view was that an attacker had minted a record number of tokens (over 5.4 trillion vsdCRV) and started swapping them for ETH, indicating a well-organized attack. As detailed in Blockaid’s official alert, the exploit is happening in real time as protocols and users hurry to react. The minting event is large and fast enough to raise an immediate red flag: token emissions on this scale cannot occur unless they are tied to real protocol activity, which this certainly was not. Security analysts pointed out that the exploit is a textbook case of how quickly cross-chain issues can spiral into systemic problems, especially when access controls with elevated privileges are compromised.

Blockaid detected an ongoing exploit targeting @StakeDAOHQ on Arbitrum. The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH. More details in — Blockaid (@blockaid_) May 27, 2026

Root Cause: Compromised Private Key Found

Early investigations suggest that a compromised private key was the main cause of the breach. In particular, the private key of the StakeDAO deployer (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) appears to have been leaked, giving the attacker full control over important contract settings. With this control, the attacker reassigned the LayerZero v2 OFT (Omnichain Fungible Token) peer associated with the vsdCRV token contract. This manipulation transferred trust from the legitimate vsdCRVOFTAdapter deployed on the Ethereum side to a malicious contract created by the attacker.
Once the attacker had secured control, they generated a cross-chain message that allowed the minting of nearly 5,446,744,073,709 fictitious vsdCRV tokens, enough to destabilize connected markets and all downstream protocols that use the token. The case underscores an enduring DeFi flaw: projects depend on the security of private keys to manage high-privilege contract permissions. Once such a key is compromised, attackers can bypass conventional defense mechanisms and act almost unhindered.

Market Impact Spreads As Tokens Are Swapped For ETH

After the mint, the attacker immediately swapped the illegitimately minted tokens for ETH. This quick liquidation indicates a desire to maximize value extraction before mitigation measures could be enacted. The sudden introduction of newly minted tokens skews market dynamics almost immediately. Because vsdCRV is directly connected to and used throughout the Curve/Convex ecosystems, the effects of this exploit will reach far beyond StakeDAO. The resulting volatility now hits liquidity pools, lending platforms and yield vaults based on vsdCRV or its derivatives. The sudden disruption to the supply-demand balance calls into question pricing and collateral validity, and raises the risk of liquidation cascades. Traders are closely watching on-chain activity because more swaps or bridging will only increase the harm.

Beefy Finance Limits Exposure

In response to the incident, Beefy Finance moved quickly and took the necessary measures to protect users. The protocol said its Arbitrum Convex CRV/csdCRV/asdCRV vault was compromised and is now paused. All necessary protective measures have been deployed. It is now working with StakeDAO, Curve and Convex to assess the extent of the impact and possible remediation steps. Pausing the vault not only protects user funds from being exploited, but is also aligned with industry best practices during such events.
By suspending liquidity, the likelihood of additional losses due to token price manipulation or illiquid capital is minimized. This coordinated response highlights the interdependence of DeFi protocols: a single flaw can cause damage across multiple platforms in just hours.

Important Notice from Curve — LlamaLend Users

In response to growing concerns, Curve Finance released a precautionary warning for users of its LlamaLend market on Arbitrum. It asked those with deposits or loans composed of asdCRV to exit their positions as a precaution. The team stated in Curve Finance’s public alert that the market is stable for now, but added that, owing to the vsdCRV exploit, its price oracle is at risk of becoming unreliable. Forced liquidation is the major threat that oracle instability could pose. If wrong oracle prices are not corrected, liquidations could occur without any real price decrease. This warning from Curve points to a crucial subplot of DeFi exploits: collateral vulnerabilities. Even protocols that have not been directly attacked can be disrupted through their data inputs, with unintended consequences for users.

If you have deposits or loans in asdCRV LlamaLend market on Arbitrum – please exit ASAP out of precaution. The market is fine right now but its price oracle can become unstable due to the vsdCRV exploit which can cause liquidations. https://t.co/HhvMfzXEe9 — Curve Finance (@CurveFinance) May 27, 2026

New Questions On Cross-Chain Safety For The Industry

The StakeDAO exploit joins a growing category of incidents demonstrating vulnerabilities in cross-chain infrastructure and privileged access governance. As DeFi expands across many chains, securing communication channels becomes increasingly complicated. This event highlights in particular the risks associated with omnichain token standards such as LayerZero’s OFT model.
These frameworks provide great interoperability, but they also expose new attack surfaces that need substantial hardening. The private key itself is still the major point of failure, which emphasizes the importance of strong key management policies: multi-signature schemes, hardware security modules, and continuous monitoring. At the same time, the rapid action by Blockaid, Beefy Finance and Curve reveals an evolving capability within the ecosystem to identify threats quickly and take countermeasures. Even so, the exploit shows that prevention is still better than remediation. While investigations and collaborative recovery efforts are underway, users are encouraged to be careful, reassess their exposure, and pay close attention to official announcements. The next few days will be important in establishing the true scale of the financial loss from this exploit and whether deeper problems lie beneath.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
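
The article above attributes the mint to a reassigned LayerZero v2 OFT peer and recommends continuous monitoring. The following sketch is an added example, not code from StakeDAO, LayerZero or Blockaid: it checks decoded `PeerSet(uint32 eid, bytes32 peer)` events against an allow-list and flags mints that are large relative to prior supply. The addresses, the endpoint id, the 10% threshold, the 18-decimal amounts and the event dictionaries are all constructed assumptions.

```python
"""Added example: flag OFT peer changes and oversized mints from decoded events."""
from dataclasses import dataclass

# Constructed placeholders and assumed policy values, not data from the incident.
ETHEREUM_EID = 30101                               # assumed LayerZero v2 endpoint id
EXPECTED_PEERS = {ETHEREUM_EID: "0x" + "aa" * 20}  # stand-in for the legitimate adapter
GOVERNANCE = "0x" + "bb" * 20                      # stand-in for a multisig/timelock owner
MAX_MINT_BPS = 1_000                               # alert above 10% of prior supply


@dataclass
class Alert:
    severity: str
    reason: str


def peer_to_address(peer_bytes32: str) -> str:
    """A bytes32 peer for an EVM chain is a 20-byte address left-padded with zeros."""
    raw = bytes.fromhex(peer_bytes32.removeprefix("0x"))
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("peer is not a left-padded EVM address")
    return "0x" + raw[12:].hex()


def check_peer_set(event: dict) -> list[Alert]:
    """event: a decoded PeerSet(uint32 eid, bytes32 peer) log plus the tx sender."""
    alerts = []
    expected = EXPECTED_PEERS.get(event["eid"])
    try:
        peer = peer_to_address(event["peer"])
    except ValueError:
        peer = event["peer"]  # a malformed peer can never match the allow-list
    if expected is None:
        alerts.append(Alert("high", f"peer set for unlisted eid {event['eid']}"))
    elif peer != expected:
        alerts.append(Alert("critical", f"eid {event['eid']} peer changed to {peer}"))
    if event["sender"].lower() != GOVERNANCE:
        alerts.append(Alert("high", f"setPeer sent by {event['sender']}, not governance"))
    return alerts


def check_mint(amount: int, supply_before: int) -> list[Alert]:
    """Integer maths only: token amounts exceed float precision."""
    if amount * 10_000 > supply_before * MAX_MINT_BPS:
        return [Alert("critical", f"mint {amount} vs prior supply {supply_before}")]
    return []


SAMPLE_EVENTS = [  # constructed: one routine event, one unexpected reconfiguration
    {"eid": 30101, "peer": "0x" + "00" * 12 + "aa" * 20, "sender": GOVERNANCE},
    {"eid": 30101, "peer": "0x" + "00" * 12 + "cc" * 20, "sender": "0x" + "dd" * 20},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for alert in check_peer_set(ev):
            print(alert.severity, alert.reason)
    # Constructed prior supply of 1,000,000 tokens; 18 decimals assumed.
    for alert in check_mint(5_446_744_073_709 * 10**18, 1_000_000 * 10**18):
        print(alert.severity, alert.reason)
```

A peer change is worth alerting on even when the sender is the expected owner, since a leaked owner key makes the two cases indistinguishable on-chain.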
27 May 2026, 15:07
StakeDAO exploit creates 5.4 trillion vsdCRV but nets only $91K

PeckShield said the attacker bridged 43.7 ETH to Ethereum after minting trillions of vsdCRV, while EmberCN said most of the remaining tokens had insufficient liquidity to sell.
27 May 2026, 14:42
Compromised StakeDAO deployer key allegedly enabled forged LayerZero mint on Arbitrum

Blockchain security firm Blockaid said it detected an exploit targeting StakeDAO on Arbitrum. An attacker allegedly compromised the protocol’s deployer private key and minted more than 5.4 trillion vsdCRV tokens through manipulated cross-chain messaging. According to Blockaid, the attacker reconfigured the trusted LayerZero peer tied to StakeDAO’s vsdCRV OFT contract. They then sent a forged
27 May 2026, 12:57
AI Coding Agents Have Made All DeFi Unsafe, Security Expert Says

Manuel Aráoz, co-founder of smart contract security firm OpenZeppelin, went public on May 26 with a blunt recommendation that people should get out of DeFi, all of it, including the blue chips. According to him, AI-powered coding agents have tilted the security game so far toward attackers that no protocol can currently be trusted to hold user funds.

Aráoz’s Warning

The software engineer wrote in a post on X: “PSA: I now consider all of DeFi unsafe.” He also said he has been privately advising friends and family to exit all DeFi positions, naming Aave, MakerDAO, and Compound as protocols he no longer considers safe. His reasoning is based on asymmetry: defenders must find and fix every vulnerability, while attackers need only one to cause damage. Now, with AI coding agents capable of scanning smart contracts faster and more thoroughly than any human security team can, Aráoz feels the asymmetry has become unworkable.

OpenZeppelin itself recently noted that crypto companies lost more than $3.4 billion to hacks in 2025; however, it blamed most of that theft on compromised credentials, operational failures, and code shipped between audits, rather than on smart contract bugs. This year has also seen a rollercoaster of attacks, with more than $650 million stolen in April alone. Of that amount, $292 million came from an exploit on KelpDAO, with another $285 million siphoned from Drift Protocol following what experts say were months of social engineering.

Pushback From X Users

Against that backdrop, Aráoz’s warning landed hard, but people immediately pushed back. One of those criticizing the post was Aave Chan Initiative founder Marc Zeller, who held nothing back. His counter was data-driven: he pointed out that fewer than 10% of DeFi issues in the past year stemmed from code-level vulnerabilities, with most failures, according to him, tracing back to poor risk parameters, collateral mismanagement, and weak operational security, not AI-assisted exploits.
Several others echoed Zeller’s view, though with slightly less heat. Phoenix Labs co-founder Sam MacPherson indicated that smart contracts of blue-chip DeFi platforms were “quite safe these days” and pointed to opsec failures as the real culprit behind most of the major hacks that have happened recently. Another X user, Polaris Finance developer Robert, made a similar distinction, saying that actual smart contract exploits are “almost non-existent these days.” He added that recent breaches have largely involved centralized components that allow human control rather than the immutable code beneath them.

Ethereum co-founder Vitalik Buterin also has a different view on AI and its effect on crypto security, writing earlier this month that AI-assisted formal verification could actually make crypto systems more secure over time. According to him, developers can use AI to write both the code and the mathematical proofs of its correctness.

The post AI Coding Agents Have Made All DeFi Unsafe, Security Expert Says appeared first on CryptoPotato.
27 May 2026, 12:50
Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit

A security incident has affected StakeDAO’s infrastructure on Arbitrum, with researchers identifying abnormal activity tied to its vsdCRV contract. The exploit is linked to a suspected infinite minting vulnerability that may have allowed the creation of an extremely large supply of synthetic staking tokens, reportedly around 5.4 trillion vsdCRV units. Early tracking also suggests that roughly $91,000 in funds were drained during the incident. The activity was first detected through unusual on-chain behavior involving staking derivatives connected to Curve-based liquidity positions.

https://twitter.com/StakeDAOHQ/status/2059586800255910039?s=20

The irregular token movements did not match expected reward distribution patterns, prompting a closer review of the contract architecture.

Exploit centres on vsdCRV minting and vault logic

The affected system is StakeDAO’s vsdCRV mechanism, a liquid staking derivative tied to Curve Finance positions. In this setup, users deposit CRV or CRV-linked assets and receive vsdCRV tokens representing their share of staking power and rewards. According to on-chain analysis, the vulnerability appears to stem from the token minting and accounting framework used by the contract deployed on Arbitrum. Researchers believe the flaw may have created an “infinite mint” scenario in which the protocol failed to properly restrict token issuance. This type of vulnerability can emerge when supply calculations depend on manipulable variables such as share balances or reward indexes. In this case, the attacker is believed to have exploited the weakness to inflate the vsdCRV supply dramatically, with estimates pointing to a minting event involving approximately 5.4 trillion tokens.

https://twitter.com/blockaid_/status/2059580455096123446?s=20

Once the inflated balance was created, it may have been used to extract value from the vault system or distort the protocol’s reward distribution process.
The incident does not appear to be related to a private key compromise or wallet-level attack. Instead, preliminary analysis points to a failure in the smart contract’s internal accounting, where the system may have incorrectly validated minting conditions under specific transaction states.

Funds drained while the exploit remains under monitoring

Alongside the token inflation event, blockchain activity indicates that approximately $91,000 in assets were moved out of affected positions during the exploit window. The outflows suggest the attacker was able to convert the manipulated vsdCRV balance into transferable value before the anomaly was contained. The exploit was identified while activity was still ongoing, with researchers continuing to monitor contract interactions in real time. The incident remains under investigation as analysts work to determine the full scope of exposure. The activity has been concentrated on Arbitrum, where StakeDAO’s deployment interacts with Curve-related liquidity infrastructure. The combination of staking derivatives and automated reward systems has complicated efforts to immediately isolate the full impact, particularly while transactions continue propagating through DeFi liquidity pools.

Preliminary findings point to accounting failure

Preliminary findings suggest the core issue lies in how the contract calculates minting rights for vsdCRV. In systems like this, minting is typically tied to a ratio between deposited assets and issued shares. If that ratio can be manipulated through edge-case interactions or misconfigured state updates, it can create an opening for disproportionate token issuance. Once the attacker triggered the flaw, the contract appears to have accepted an invalid state transition that enabled excessive token creation. The inflated balance then disrupted the internal accounting framework used by the vault system.
This type of exploit is commonly associated with DeFi protocols that rely heavily on share-based accounting models without strict invariant enforcement. When those safeguards fail, the system can incorrectly treat artificially created tokens as legitimate staking power.

The post Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit appeared first on Invezz.
27 May 2026, 10:25
Stake DAO Deployer Private Key Compromised: 5.4 Trillion vsdCRV Illegally Minted on Arbitrum

A critical security incident has hit the decentralized finance (DeFi) sector after the private key of a deployer for Stake DAO (SDT) was compromised on the Arbitrum network. According to a report from ChainCatcher, the breach resulted in the unauthorized minting of 5.4 trillion vsdCRV tokens by an attacker.

Details of the Exploit

The compromise specifically targeted the deployer wallet on Arbitrum, a leading Ethereum layer-2 scaling solution. Once the attacker gained control, they minted the massive supply of vsdCRV, a liquid staking derivative token. The hacker then swiftly swapped the minted tokens for approximately 43.7 ETH, valued at roughly $90,000 at the time of the transaction. This incident highlights a persistent vulnerability in DeFi: the reliance on single private keys for critical protocol functions. Unlike multi-signature wallets or decentralized governance mechanisms, a single compromised key can grant an attacker unchecked control over protocol operations, including token minting.

Implications for Stake DAO and the Broader DeFi Ecosystem

The exploit has immediate and long-term consequences for Stake DAO, a platform that allows users to stake assets and earn yield. The unauthorized minting of vsdCRV directly undermines the token’s peg and the integrity of the protocol’s liquidity pools. Users holding vsdCRV may face significant uncertainty regarding the token’s value and redeemability. This event is part of a troubling pattern in 2024 and 2025, where private key compromises have become one of the most common attack vectors in crypto. Industry analysts note that while smart contract bugs receive significant attention, the security of operational keys—often held by developers or deployers—remains a weak point.
The attack also underscores the risks associated with cross-chain deployments, where a vulnerability on one network (Arbitrum) can affect a protocol’s overall reputation.

Market and User Impact

The immediate financial loss of approximately $90,000 in ETH is relatively small compared to the potential damage from the 5.4 trillion vsdCRV mint. The attacker’s ability to swap the tokens for ETH suggests that some liquidity was available, but the event likely caused significant slippage and loss for liquidity providers. The price of Stake DAO’s native SDT token may also face downward pressure as market confidence erodes. For users, the incident serves as a stark reminder to assess the security infrastructure of the protocols they interact with. Protocols that rely on single deployer keys or lack robust key management practices pose a higher risk.

Conclusion

The Stake DAO private key leak on Arbitrum, resulting in the minting of 5.4 trillion vsdCRV, is a serious security failure that exposes the fragility of centralized key management in decentralized systems. While the stolen funds are limited, the reputational damage and loss of user trust could be more enduring. The incident reinforces the need for DeFi protocols to adopt multi-signature governance, hardware security modules, and transparent key management policies to protect against similar exploits.

FAQs

Q1: What exactly happened in the Stake DAO incident?
A: The private key of a Stake DAO deployer wallet on the Arbitrum network was leaked. An attacker used this key to mint 5.4 trillion vsdCRV tokens and then swapped them for approximately 43.7 ETH ($90,000).

Q2: What is vsdCRV?
A: vsdCRV is a liquid staking derivative token associated with Stake DAO. It represents a staked position in Curve DAO (CRV) tokens and is used within Stake DAO’s yield-generating strategies.

Q3: How can users protect themselves from similar private key exploits?
A: Users should prioritize protocols that use multi-signature wallets for critical operations, have transparent security audits, and implement robust key management practices such as hardware security modules (HSMs) or time-locked governance. Avoiding protocols that rely on a single deployer key is advisable.

This post Stake DAO Deployer Private Key Compromised: 5.4 Trillion vsdCRV Illegally Minted on Arbitrum first appeared on BitcoinWorld.