Blockchain security firm Blockaid said it detected an exploit targeting StakeDAO on Arbitrum. An attacker allegedly compromised the protocol's deployer private key and minted more than 5.4 trillion vsdCRV tokens through manipulated cross-chain messaging.

According to Blockaid, the attacker reconfigured the trusted LayerZero peer tied to StakeDAO's vsdCRV OFT contract. They then sent a forged cross-chain mint message that created 5,446,744,073,709 vsdCRV tokens on Arbitrum. The security firm said the exploit stemmed from a compromised deployer wallet rather than a flaw in the token contract itself.

Unauthorized peer change preceded massive mint

Blockaid said the attacker used the compromised deployer key to modify the setPeer() configuration on the LayerZero v2 OFT contract. The change allegedly redirected trust away from the legitimate Ethereum-side adapter toward an attacker-controlled contract. After the peer relationship changed, the attacker reportedly sent a forged cross-chain message that minted trillions of vsdCRV tokens from a null address.

Independent on-chain investigators later reconstructed the exploit timeline. They traced the attacker's preparation wallets, bridge activity, and token dumping transactions across Arbitrum and Ethereum. According to the investigation thread, the attacker first funded wallets through Tornado Cash before using Relay and Stargate to move assets between chains.

Attacker rapidly dumped minted tokens

Investigators said the attacker swapped the newly minted tokens for ETH across multiple decentralized exchanges, including Curve, KyberSwap, MetaMask Router, and Enso. Despite the massive token mint, the actual extracted value appeared relatively limited. The investigation estimated the attacker ultimately removed roughly 43.9 ETH, worth about $91,000 at the time of the exploit. The funds were later bridged from Arbitrum back to Ethereum, where the ETH reportedly remained untouched at the time of writing.
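The two on-chain signals described above, a peer being repointed and a large mint from the null address shortly afterwards, are the kind of thing a protocol team's own monitoring should alert on. The script below is an added example, not Blockaid's tooling or StakeDAO's code. It assumes the logs have already been ABI-decoded (for instance by web3.py) into the simple record shape shown, that the peer change surfaces as LayerZero v2's OAppCore `PeerSet(uint32 eid, bytes32 peer)` event, and that endpoint ID 30101 denotes Ethereum; the contract addresses, transaction hashes and sample logs are constructed placeholders.

```python
"""Offline check for an OFT whose LayerZero peer is repointed and then mints
large amounts (ERC-20 Transfer from the zero address).

Assumption: logs are already decoded into DecodedLog records; the sample logs
at the bottom are constructed and mirror the sequence reported in the article.
"""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class DecodedLog:
    block: int
    tx_hash: str
    contract: str   # emitting contract (the OFT on Arbitrum)
    event: str      # "PeerSet" (LayerZero v2 OAppCore) or "Transfer" (ERC-20)
    args: dict


@dataclass
class Alert:
    severity: str   # "HIGH" or "CRITICAL"
    block: int
    tx_hash: str
    message: str


def addr_to_bytes32(addr: str) -> str:
    """LayerZero v2 peers are bytes32; an EVM address is left-padded with 12 zero bytes."""
    return "0x" + "00" * 12 + addr.lower().removeprefix("0x")


def audit_logs(logs, expected_peers, mint_threshold, window=2000):
    """Flag PeerSet events that disagree with the allowlist and mints at or above
    mint_threshold; a mint within `window` blocks of a rogue PeerSet on the same
    contract is escalated to CRITICAL.
    expected_peers: {oft_address: {endpoint_id: expected_peer_bytes32}}
    """
    alerts = []
    rogue_peer_block = {}  # contract -> block of the last unexpected PeerSet
    for log in sorted(logs, key=lambda entry: entry.block):
        contract = log.contract.lower()
        if log.event == "PeerSet":
            eid = log.args["eid"]
            peer = log.args["peer"].lower()
            expected = expected_peers.get(contract, {}).get(eid)
            if expected is None or peer != expected.lower():
                rogue_peer_block[contract] = log.block
                alerts.append(Alert("HIGH", log.block, log.tx_hash,
                                    f"peer for eid {eid} set to {peer}; expected {expected}"))
        elif log.event == "Transfer" and log.args["from"].lower() == ZERO_ADDRESS:
            value = log.args["value"]
            if value < mint_threshold:
                continue  # routine bridge-in volumes stay below the threshold
            severity = "HIGH"
            message = f"mint of {value} raw units to {log.args['to']}"
            since = rogue_peer_block.get(contract)
            if since is not None and log.block - since <= window:
                severity = "CRITICAL"
                message += f" {log.block - since} blocks after an unexpected peer change"
            alerts.append(Alert(severity, log.block, log.tx_hash, message))
    return alerts


# Constructed sample: addresses, tx hashes and the endpoint ID are placeholders
# (assumption: 30101 is LayerZero v2's Ethereum endpoint ID).
OFT = "0x" + "aa" * 20
LEGIT_ADAPTER = "0x" + "11" * 20
ROGUE_CONTRACT = "0x" + "ee" * 20
ETH_EID = 30101
EXPECTED_PEERS = {OFT: {ETH_EID: addr_to_bytes32(LEGIT_ADAPTER)}}
DECIMALS = 10 ** 18

SAMPLE_LOGS = [
    # ordinary bridge-in of 1,000 tokens: a mint, but well below the threshold
    DecodedLog(100, "0x01", OFT, "Transfer",
               {"from": ZERO_ADDRESS, "to": "0x" + "22" * 20, "value": 1_000 * DECIMALS}),
    # the deployer key repoints the Ethereum peer to an attacker-controlled contract
    DecodedLog(250, "0x02", OFT, "PeerSet",
               {"eid": ETH_EID, "peer": addr_to_bytes32(ROGUE_CONTRACT)}),
    # a forged cross-chain message then mints the figure reported in the article
    DecodedLog(253, "0x03", OFT, "Transfer",
               {"from": ZERO_ADDRESS, "to": ROGUE_CONTRACT,
                "value": 5_446_744_073_709 * DECIMALS}),
]


def run_sample():
    return audit_logs(SAMPLE_LOGS, EXPECTED_PEERS, mint_threshold=10_000_000 * DECIMALS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.severity, alert.block, alert.tx_hash, alert.message)
```

The allowlist of expected peers is the piece worth keeping outside the chain: the contract's own `peers` mapping is exactly what the compromised key rewrites, so an alert has to compare against a copy the deployer key cannot touch. The mint threshold is a separate, coarser signal so that a forged message still trips an alert even if the peer change itself was missed.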
Exploit renews concerns around admin-key security

The exploit has renewed scrutiny around operational security risks across cross-chain DeFi infrastructure. Rather than exploiting token math or contract logic directly, the attacker allegedly manipulated privileged trust configuration tied to LayerZero peer verification. The incident highlights how many cross-chain systems remain heavily dependent on admin-key security and trusted infrastructure relationships. Compromising those permissions can effectively grant attackers mint authority even when underlying smart contracts function as intended.

Industry figures warn DeFi security risks are expanding

The exploit also fueled broader debate around the state of DeFi security. Manuel Aráoz, founder of OpenZeppelin, said on X that he now considers "all of DeFi unsafe," arguing AI-powered coding agents are becoming increasingly effective at identifying vulnerabilities across operational infrastructure, protocol design, and security configuration. Marc Zeller pushed back on the claim, arguing that most recent DeFi failures stem from poor operational security and risk management rather than flaws in smart contract codebases themselves. The discussion followed several recent exploits involving admin-key compromises, bridge infrastructure, and protocol configuration failures.

Final Summary

Blockaid said a compromised StakeDAO deployer key allegedly allowed attackers to forge LayerZero mint messages and mint trillions of vsdCRV tokens. The exploit renewed debate around admin-key security and whether growing DeFi complexity is expanding systemic attack surfaces.
Compromised StakeDAO deployer key allegedly enabled forged LayerZero mint on Arbitrum
This article was originally published on AMBCrypto.