StakeDAO vsdCRV Attacker Limited to $91K By Thin Liquidity
WikiBit 2026-05-28 23:01
An attacker minted more than 5.4 trillion vsdCRV on Arbitrum after a suspected compromise of a StakeDAO-linked deployer key, though thin liquidity limited
Incident points to a deployer-key compromise
Shalev Keren, chief product officer and co-founder of crypto key-management firm Sodot, told Cointelegraph that the StakeDAO incident was “structurally similar” to other deployer-key compromises seen this year, including the Wasabi incident last month, which drained about $5.5 million in crypto.
Keren said a single StakeDAO deployer key on Arbitrum was used to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum. About 25 seconds later, that contract sent a LayerZero message back to Arbitrum, causing the legitimate Arbitrum token to mint more than 5 trillion vsdCRV to the attacker.
“There is no smart contract bug here and no flaw in LayerZero,” Keren said. “There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing onchain.”
Keren said the broader issue for DeFi protocols in 2026 is no longer only whether contracts are audited, but whether the operational keys behind those contracts remain single points of failure.
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
- Crypto token price conversion
- Exchange rate conversion
- Calculation for foreign exchange purchasing
0.00