Massive 5.4 trillion vsdCRV minting in StakeDAO breach yields mere $91K profit

A security breach involving StakeDAO's deployer key on Arbitrum enabled an exploiter to create 5.4 trillion vsdCRV tokens, though shallow liquidity pools restricted actual gains to approximately $91,000.

Following what appears to be a compromise of a StakeDAO-associated deployer key, an exploiter successfully minted over 5.4 trillion vsdCRV tokens on Arbitrum, although limited liquidity conditions restricted actual profits to roughly $91,000.

On Wednesday, cybersecurity company PeckShield reported that the exploiter converted a portion of the newly minted vsdCRV into 43.7 Ether (ETH), valued at approximately $91,000, before transferring the assets to Ethereum. According to onchain researcher EmberCN, the malicious actor exchanged roughly 16.83 million vsdCRV, with the bulk of the remaining tokens lacking sufficient liquidity for conversion to other assets.

While EmberCN calculated the 5.4 trillion vsdCRV tokens to be worth approximately $763 billion in theoretical value, this number doesn't reflect the actual profit extracted by the exploiter or the verified losses incurred by the protocol.

This security breach underscores the significant disparity between theoretical token valuations and the actual extractable value in decentralized finance security incidents, where malicious actors may generate massive quantities of tokens but can only convert what existing liquidity permits. For this particular exploit, the perpetrator's actual gains were constrained by the limited depth of available vsdCRV liquidity pools.

StakeDAO acknowledged the security incident and issued an advisory urging its community members to refrain from engaging with vsdCRV tokens.

[Image: Stake DAO warning] Stake DAO confirmed its awareness of the security breach. Source: Stake DAO

Incident points to a deployer-key compromise

Shalev Keren, who serves as chief product officer and co-founder of cryptocurrency key-management platform Sodot, explained to Cointelegraph that the StakeDAO security breach bore "structurally similar" characteristics to other deployer-key compromises observed throughout this year, including last month's Wasabi incident, which resulted in the theft of approximately $5.5 million worth of cryptocurrency.

According to Keren, an individual StakeDAO deployer key operating on Arbitrum was exploited to redirect the vsdCRV cross-chain bridge settings to a malicious contract under the attacker's control on Ethereum. Approximately 25 seconds following this action, the compromised contract transmitted a LayerZero message back to Arbitrum, which triggered the authentic Arbitrum token contract to create more than 5 trillion vsdCRV tokens directly to the attacker's wallet.

There is no smart contract bug here and no flaw in LayerZero. There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing onchain.

Shalev Keren, Sodot

According to Keren, the more significant concern for DeFi protocols heading into 2026 is not merely whether their smart contracts have been audited, but whether the operational keys that manage those contracts remain single points of failure.
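The two controls Keren says were missing, an admin that is a multisig rather than one key and a delay between a bridge configuration change and its effect, as an added Solidity illustration that is not StakeDAO's, Sodot's or LayerZero's code; the contract, its function names, the peer/endpoint model and the 48-hour delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical, simplified bridge receiver (not StakeDAO's or LayerZero's code). It adds
// the two controls the incident lacked: an admin meant to be a multisig, and a peer change
// that only takes effect after a delay, so one leaked key cannot re-point and mint at once.
contract GuardedBridgeReceiver {
    uint256 public constant CONFIG_DELAY = 48 hours;
    address public immutable admin;     // intended to be a multisig, never a single EOA
    address public immutable endpoint;  // the only caller allowed to deliver messages
    mapping(uint32 => bytes32) public peers;          // source chain id => trusted sender
    mapping(uint32 => bytes32) public pendingPeer;
    mapping(uint32 => uint256) public pendingReadyAt;
    mapping(address => uint256) public balanceOf;
    event PeerProposed(uint32 indexed eid, bytes32 peer, uint256 readyAt);
    event PeerApplied(uint32 indexed eid, bytes32 peer);
    event PeerCancelled(uint32 indexed eid);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address multisig, address lzEndpoint) { admin = multisig; endpoint = lzEndpoint; }

    // Step 1: announce the change. The old peer stays live; the event gives
    // monitoring and the team a window to notice and cancel a rogue proposal.
    function proposePeer(uint32 eid, bytes32 peer) external onlyAdmin {
        pendingPeer[eid] = peer;
        pendingReadyAt[eid] = block.timestamp + CONFIG_DELAY;
        emit PeerProposed(eid, peer, pendingReadyAt[eid]);
    }

    // Step 2: only after the delay can the proposal become the live peer.
    function applyPeer(uint32 eid) external onlyAdmin {
        require(pendingReadyAt[eid] != 0, "nothing pending");
        require(block.timestamp >= pendingReadyAt[eid], "delay not elapsed");
        peers[eid] = pendingPeer[eid];
        emit PeerApplied(eid, peers[eid]);
        delete pendingPeer[eid]; delete pendingReadyAt[eid];
    }

    function cancelPeer(uint32 eid) external onlyAdmin {
        delete pendingPeer[eid]; delete pendingReadyAt[eid];
        emit PeerCancelled(eid);
    }

    // Inbound path: credit tokens only for a message delivered by the endpoint
    // and originating from the currently trusted peer on that source chain.
    function onBridgeMessage(uint32 srcEid, bytes32 sender, address to, uint256 amount) external {
        require(msg.sender == endpoint, "not endpoint");
        require(sender != bytes32(0) && sender == peers[srcEid], "untrusted peer");
        balanceOf[to] += amount;
    }
}
```

With this pattern the PeerProposed event, not the mint, is the signal to alert on: a proposal from an unexpected source gives the team the whole delay window to cancel it before any message from the new peer is honoured.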