Stake DAO faces ongoing exploit as attacker mints 5.4T vsdCRV on Arbitrum




Someone just printed themselves 5.4 trillion governance tokens out of thin air. And they’re actively cashing out.

Stake DAO, a DeFi protocol that builds liquid lockers for governance tokens like CRV, is dealing with an active exploit on Arbitrum. An attacker used a compromised private key tied to the protocol’s deployer wallet to mint approximately 5.4 trillion vsdCRV tokens, a wrapped version of Stake DAO’s sdCRV token. The attacker has been swapping those freshly minted tokens for ether, draining value from liquidity pools in real time.

What happened and what is vsdCRV

Here’s the thing about vsdCRV. It sits inside Stake DAO’s “Boosted Vote Strategy,” functioning as a wrapper around sdCRV that enhances governance voting power through delegated veSDT. The problem is that whoever controlled the deployer key also controlled the ability to mint new vsdCRV. And they used that power to create a supply so absurdly large that the number barely fits on a calculator. The attacker then began routing those tokens through swaps, converting vsdCRV into ETH across available liquidity.

Stake DAO uses LayerZero for cross-chain token movement, including its Arbitrum deployments. While LayerZero itself doesn’t appear to have been directly compromised, a token that was supposed to represent locked governance power on Ethereum mainnet was instead being minted without backing on Arbitrum and sold into whatever liquidity existed.

No verified postmortem or confirmed loss estimates have been disclosed by the Stake DAO team. The exploit appears to be ongoing, meaning the final damage figure could still be climbing.

Key compromise vs. smart contract exploit

The distinction between a key compromise and a smart contract vulnerability matters more than most people realize. Smart contract bugs are, in theory, fixable. A compromised private key is a different problem: someone gained access to the credentials that control critical protocol functions, so the contracts behave exactly as written while an unauthorized party drives them. The deployer wallet had mint authority over vsdCRV on Arbitrum, and that authority had insufficient safeguards around it.

Multisig wallets, timelocks, and hardware security modules exist precisely to prevent this kind of single-point-of-failure scenario. Whether Stake DAO had any of those protections in place for its Arbitrum deployer is a question the team will eventually need to answer publicly.

Ripple effects across the Curve ecosystem

Stake DAO occupies a specific niche in the so-called “Curve Wars,” the ongoing competition among protocols to accumulate CRV governance power and direct Curve Finance’s liquidity incentives. Protocols like Convex Finance and Yearn Finance compete in the same space. Stake DAO’s liquid locker product, sdCRV, was its primary weapon in that fight.

Liquidity pools that include sdCRV or vsdCRV could see severe imbalances as the attacker dumps inflated token supply into them. Liquidity providers in those pools face impermanent loss or worse. And anyone holding sdCRV needs to be asking hard questions about whether the underlying CRV backing is intact or whether the exploit has created a supply mismatch.
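The two questions raised above, whether a single key's mint authority was bounded and whether the circulating supply still matches its backing, are both checks a protocol or a liquidity provider can run against on-chain event data. The script below is an added example and is not Stake DAO's code: it walks a constructed list of ERC-20 Transfer events, treats transfers from the zero address as mints, and raises an alert when one mint exceeds a per-transaction cap or when cumulative circulating supply exceeds the amount of underlying tokens documented as locked. The 5.4 trillion figure is the one reported in the article; the backing amount, the cap and the transaction hashes are constructed placeholders.

```python
"""Reconcile a wrapped token's circulating supply against its backing from Transfer events.

Added example (not Stake DAO's code). Event values are constructed for illustration.
"""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20   # ERC-20 mints appear as Transfer(from=0x0, ...)
TOKEN = 10 ** 18                  # 18-decimal token units, as is typical for CRV-style tokens

# Constructed assumptions: how much underlying is actually locked, and the largest
# single mint the protocol's own deposit flow should ever produce.
BACKING_SUPPLY = 10_000 * TOKEN
SINGLE_MINT_CAP = 50_000 * TOKEN


@dataclass
class Transfer:
    block: int
    tx_hash: str
    sender: str
    recipient: str
    amount: int  # raw units, not whole tokens


def is_mint(ev: Transfer) -> bool:
    """A mint is a Transfer whose sender is the zero address."""
    return ev.sender.lower() == ZERO_ADDRESS


def is_burn(ev: Transfer) -> bool:
    """A burn is a Transfer whose recipient is the zero address."""
    return ev.recipient.lower() == ZERO_ADDRESS


def audit_mints(events, backing_supply=BACKING_SUPPLY, single_mint_cap=SINGLE_MINT_CAP):
    """Replay events in order and return (circulating_supply, alerts).

    Each alert is (tx_hash, reason, raw_amount). Two conditions are flagged:
    a single mint above the per-transaction cap, and cumulative circulating supply
    exceeding the documented backing (an unbacked mint).
    """
    circulating = 0
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if is_mint(ev):
            circulating += ev.amount
            if ev.amount > single_mint_cap:
                alerts.append((ev.tx_hash, "mint exceeds per-tx cap", ev.amount))
            if circulating > backing_supply:
                alerts.append((ev.tx_hash, "circulating supply exceeds locked backing",
                               circulating - backing_supply))
        elif is_burn(ev):
            circulating -= ev.amount
        # Ordinary wallet-to-wallet transfers do not change supply.
    return circulating, alerts


# Constructed sample: one routine deposit mint, one withdrawal burn, then a mint of
# 5.4 trillion tokens, the magnitude reported in the article.
SAMPLE_EVENTS = [
    Transfer(100, "0xconstructed-tx-1", ZERO_ADDRESS, "0xuserA", 1_000 * TOKEN),
    Transfer(101, "0xconstructed-tx-2", "0xuserA", ZERO_ADDRESS, 100 * TOKEN),
    Transfer(102, "0xconstructed-tx-3", ZERO_ADDRESS, "0xattacker", 5_400_000_000_000 * TOKEN),
]


def whole_tokens(raw: int) -> str:
    """Human-readable token count for log output."""
    return f"{raw // TOKEN:,}"


if __name__ == "__main__":
    supply, found = audit_mints(SAMPLE_EVENTS)
    print(f"circulating: {whole_tokens(supply)} vs backing: {whole_tokens(BACKING_SUPPLY)}")
    for tx, reason, amount in found:
        print(f"ALERT {tx}: {reason} ({whole_tokens(amount)} tokens)")
```

In production the event list would come from an RPC `eth_getLogs` query for the token's Transfer topic, and the backing figure from the locker contract on the chain where the underlying is actually held; the reconciliation logic is the same. The per-transaction cap is the kind of bound that a mint function itself should enforce on-chain, so that a single leaked key cannot exceed it regardless of who signs.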

What this means for investors

If you hold sdCRV, vsdCRV, or have liquidity deployed in pools that touch either token, the situation demands immediate attention. Until Stake DAO publishes a postmortem and confirms the exploit vector has been closed, the risk profile of these assets is significantly elevated.

Competitors in the liquid locker space, particularly Convex Finance, could benefit from a flight to perceived safety. Whether that migration happens depends on how quickly Stake DAO can contain the damage and whether the CRV backing behind sdCRV remains whole.

