Stake DAO exploit update: Key products unaffected, bridge closed

Stake DAO said its preliminary review found that an unauthorized party minted vsdCRV on Arbitrum during the security incident reported earlier this week.

• Stake DAO said an attacker minted vsdCRV on Arbitrum during the security incident.
• The team said mainnet backing was secured and no backing funds were seizable by the attacker.
• Boosted yields, Liquid Lockers, Votemarket and Morpho lending were assessed as unaffected.

The project said contributors secured the vsdCRV backing on Ethereum mainnet and closed the vsdCRV bridge. Stake DAO said this contained the incident to Arbitrum and stopped the attacker from seizing the mainnet backing.

Stake DAO secures mainnet backing

Stake DAO said, “preliminary investigation indicates an unauthorised party (attacker) minted vsdCRV on Arbitrum.” The statement followed earlier reports that security firms had tracked a large unauthorized mint tied to the protocols vsdCRV token.

Update on yesterdays incident: preliminary investigation indicates an unauthorised party (attacker) minted vsdCRV on Arbitrum.

As crypto.news reported yesterday, Blockaid said the attacker minted more than 5.4 trillion vsdCRV on Arbitrum and began swapping tokens for ETH. PeckShield also tracked part of the funds moving into 43.78 ETH before being bridged to Ethereum.

The latest update narrows the risk area. Stake DAO said contributors moved quickly to protect the vsdCRV backing on mainnet. The team added that there were “no funds seizable by the attacker” from that backing.

Stake DAO also closed the vsdCRV bridge. That step was aimed at stopping the exploit from spreading beyond Arbitrum and limiting further damage while the review continues.

Key products remain unaffected

Stake DAO said its current assessment shows that Boosted yields, Liquid Lockers, Votemarket and Stake DAO lending on Morpho were unaffected by the incident.

The statement matters for users because those products form a major part of Stake DAOs yield and governance services. The project did not report any direct issue affecting those products in its latest update.

Still, the team did not say the full review had ended. It described the findings as current and preliminary, meaning the final scope could change if security teams find new information.

Stake DAO said law enforcement remains involved and security partners are assisting the review. The project also said it would share more information later.

Arbitrum asdCRV market is being sunset

Stake DAO said the Arbitrum asdCRV Llamalend market is being sunset after the incident. It told crvUSD depositors that they can move their funds to other Llamalend markets.

That step gives users a clearer route to reduce exposure to the affected market. It also shows that the protocol is taking a product-level response, not only a technical bridge response.

The update did not state that asdCRV itself was exploited. The main confirmed issue remains the unauthorized minting of vsdCRV on Arbitrum.