Hacker Mints 5.4 Trillion Fake vsdCRV in Stake DAO Exploit

Stake DAO Exploited as Hacker Mints 5.4 Trillion Fake vsdCRV

Stake DAO faces ongoing exploit consequences, with over 5 trillion vsdCRV tokens minted
Due to extremely thin DEX liquidity, the attacker could only swap approximately 16.83 million vsdCRV for 43.78 ETH (~$91,000)
Stake DAO acknowledged the incident and warned users not to interact with vsdCRV

Stake DAO, a platform that lets users automatically earn rewards with their cryptocurrency and participate in governing the platform, is currently dealing with a security issue. Someone managed to create over 5.4 trillion vsdCRV tokens on the Arbitrum network, potentially causing financial harm.

The blockchain security company Blockaid first reported the attack, noting on X (formerly Twitter) that Stake DAO on Arbitrum was being targeted. It explained that the attacker had created over 5.4 trillion vsdCRV tokens and was trading them for ETH.

Security firm PeckShield has verified that 5.4 trillion vsdCRV tokens were created on the Arbitrum network. The hacker then exchanged some of these tokens for 43.781 ETH (worth approximately $91,170) and transferred the funds to Ethereum using the address 0xeF3C…aa25.

Stake DAO quickly responded to the issue, advising users to avoid interacting with vsdCRV.

We are aware of the ongoing situation.
Please do not interact with vsdCRV.

— Stake DAO (@StakeDAOHQ) May 27, 2026

How the Attack Worked

Blockaid analyzed the attack and found that the private key controlling Stake DAO’s token deployment (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) was stolen. The attacker then used this key to change settings on the vsdCRV token contract, specifically the LayerZero connection. This redirected legitimate transactions away from the correct system and towards a fake contract controlled by the attacker.

The attacker exploited a vulnerability to send a fake message between blockchains, which caused 5.4 trillion vsdCRV tokens to be created and sent directly to their account.

According to BlockSec’s Phalcon team, the attacker gained access to the deployer’s private key and used it to connect to vsdCRV through a manipulated connection. This allowed them to send a fake message that caused approximately 5.44 trillion vsdCRV tokens to be created and sent to their own account.

Blockaid identified several key pieces of evidence on the blockchain, including the initial deployment of the malicious program on Ethereum, a transaction involving cross-chain minting, a preparatory call made on Arbitrum before the minting process, and the final mint transaction on Arbitrum itself.
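
The two on-chain signals in this account, a change to the token's cross-chain connection followed by a mint far larger than the existing supply, can be checked mechanically. The following is an added example, not code from Stake DAO, Blockaid or BlockSec: a Python monitor replayed over constructed, already-decoded event records. The event kinds, field names, addresses, transaction ids and the 10% threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class BridgeTokenMonitor:
    trusted_peers: dict           # remote chain id -> expected peer address (lowercase)
    total_supply: int             # supply known before the events are replayed
    max_mint_ratio: float = 0.10  # assumed threshold: one bridged mint above 10% of supply
    alerts: list = field(default_factory=list)
    untrusted: set = field(default_factory=set)  # chain ids whose peer no longer matches

    def on_event(self, ev: dict) -> None:
        if ev["kind"] == "peer_set":
            # A connection change is only acceptable if it points at the expected peer.
            expected = self.trusted_peers.get(ev["remote_chain"])
            if ev["peer"].lower() != expected:
                self.untrusted.add(ev["remote_chain"])
                self.alerts.append(("PEER_CHANGED", ev["tx"]))
            else:
                self.untrusted.discard(ev["remote_chain"])
        elif ev["kind"] == "bridged_mint":
            # A mint arriving over a connection that was repointed is suspect on its own.
            if ev["remote_chain"] in self.untrusted:
                self.alerts.append(("MINT_FROM_UNTRUSTED_PEER", ev["tx"]))
            # Independent sanity check: mint size relative to supply before the mint.
            if ev["amount"] > self.total_supply * self.max_mint_ratio:
                self.alerts.append(("MINT_EXCEEDS_SUPPLY_RATIO", ev["tx"]))
            self.total_supply += ev["amount"]

def replay(monitor, events):
    for ev in events:
        monitor.on_event(ev)
    return monitor.alerts

# Constructed sample: placeholder addresses and tx ids, not values from the incident.
SAMPLE_EVENTS = [
    {"kind": "bridged_mint", "remote_chain": 1, "amount": 1_000, "tx": "tx-1"},
    {"kind": "peer_set", "remote_chain": 1, "peer": "0xBBBB", "tx": "tx-2"},
    {"kind": "bridged_mint", "remote_chain": 1, "amount": 5_400_000_000_000, "tx": "tx-3"},
]

def demo():
    monitor = BridgeTokenMonitor(trusted_peers={1: "0xaaaa"}, total_supply=1_000_000)
    return replay(monitor, SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The peer-change alert fires before any mint does, which is the window in which pausing the token or revoking the key would still limit the damage.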

$763 Billion in Nominal Value, $91,000 in Actual Extraction

The exploit is notable for the enormous gap between nominal token value and realizable proceeds.

A crypto analyst named EmberCN highlighted that while 5.4 trillion vsdCRV tokens have a face value of around $763 billion, they are very difficult to trade due to extremely low liquidity: trading pools hold only a few tens of thousands of dollars' worth. The attacker successfully exchanged about $2.35 million worth of vsdCRV for $91,000 in ETH using various decentralized exchanges like Curve and KyberSwap.

Analysis of the blockchain data reveals the attacker methodically drained available funds. They repeatedly exchanged around 963,820 vsdCRV for CRV tokens on Curve, then swapped those CRV tokens for ETH on KyberSwap, completely emptying the liquidity pools in the process. Now, the vast number of tokens remaining can no longer be converted into other assets.

EmberCN pointed out similarities to the Echo Protocol hack from the previous week. In that incident, an attacker made off with $76.45 million in eBTC, but could only actually cash out $860,000 because of limited funds available.

Another Deployer Key Compromise in 2026

The recent attack on Stake DAO follows a troubling trend seen in 2026’s biggest security breaches. Instead of flaws in the code itself, the most expensive exploits this year have been caused by hackers gaining access to private keys.

Recent hacks in the cryptocurrency world highlight different security weaknesses. In April, Kelp DAO lost $292 million due to a fake message sent through LayerZero. Last week, StablR was exploited for $10.4 million because a single private key was compromised. And a $285 million loss at Drift Protocol in April stemmed from a months-long phishing campaign targeting team members, believed to be carried out by hackers linked to North Korea.

The timing is noteworthy. Only a day before the Stake DAO hack, OpenZeppelin co-founder Manuel Aráoz publicly stated he believes all of decentralized finance (DeFi) is currently unsafe. He explained that it’s much easier for attackers to find flaws in code than it is for security experts to fix them – attackers only need to find one weakness, while defenders must find and fix every single one. Aráoz even said he’d warned his friends and family to withdraw their money from DeFi platforms, even well-established ones like Aave, MakerDAO, and Compound.

April 2026 saw a record number of cryptocurrency hacks, with over $600 million stolen from various platforms. Unfortunately, May has continued this worrying trend, with recent attacks impacting THORChain, Verus Bridge, Echo Protocol, StablR, and Stake DAO.

As of now, Stake DAO hasn’t released a detailed explanation of the incident, nor has it shared how it plans to fix it. The problem seems to be continuing.


2026-05-27 15:50