DeFi exploit hits Stake DAO as attacker swaps vsdCRV for ETH

Blockaid said the suspected root cause was a compromised Stake DAO deployer private key. According to the firm, the attacker used that access to reconfigure the LayerZero v2 OFT peer for the vsdCRV token contract.

That change allegedly redirected trust from the legitimate Ethereum-side adapter to a malicious contract controlled by the attacker. The attacker then sent a forged cross-chain message that triggered the minting of roughly 5.44 trillion vsdCRV.

BlockSec described the attack as a case where the attacker appeared to obtain the deployer‘s private key and set an arbitrary peer for vsdCRV. The firm said the forged message then caused unconditional minting to the attacker’s address.

.@StakeDAOHQ was reportedly exploited via a deployer key compromise, resulting in ~5.44T $vsdCRV minted to the attacker. The attacker appears to have obtained the deployers private key and set an arbitrary peer for $vsdCRV. Using that peer, they forged a malicious message that…

— BlockSec Phalcon (@Phalcon_xyz) May 27, 2026

The incident shows how privileged access remains a major risk in DeFi. Even when smart contract code works as designed, a compromised deployer key can give attackers the ability to change trusted settings and trigger losses.

DeFi security concerns deepen

The Stake DAO exploit follows a series of recent DeFi incidents. As previously reported by crypto.news, OpenZeppelin co-founder Manuel Aráoz said he now considers “all of DeFi” unsafe and has advised friends and family to exit DeFi positions.

Aráoz argued that coding agents are becoming strong tools for finding vulnerabilities, while defenders still need to fix every weakness before attackers find one. His comments came as DeFi protocols lost about $629.7 million to hacks in April.

Separately, Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after a compromised admin key allowed attackers to upgrade contracts and drain funds.

That case resembles the current Stake DAO concern because both incidents involved privileged key access rather than a simple market manipulation event. Wasabi also warned users not to interact with its contracts while the team investigated.

Cross-chain risks remain in focus

The Stake DAO incident also points back to cross-chain token risks. Security reports have tracked repeated attacks involving bridges, peer settings, and message validation across chains in 2026.

BlockSecs May security roundup listed multiple incidents across Ethereum, Sui, BNB Chain, Base, Blast, and Berachain, with total losses of about $15.9 million over a two-week period. Its blog also identified Wasabi as a key-compromise case.

In April, Kelp DAO suffered one of the years largest DeFi exploits after attackers drained about $292 million from a LayerZero-powered bridge. The breach raised concerns about cross-chain asset backing across more than 20 networks.