Written by Ezra Reguerra , Staff Writer.Reviewed by Christina Comben , Staff Writer.Written by Ezra Reguerra , Staff Writer.Reviewed by Christina Comben , Staff Writer.StakeDAO exploit creates 5.4 trillion vsdCRV but nets only $91K
Latest NewsPublishedMay 27, 2026PeckShield said the attacker bridged 43.7 ETH to Ethereum after minting trillions of vsdCRV, while EmberCN said most of the remaining tokens had insufficient liquidity to sell.
An attacker minted more than 5.4 trillion vsdCRV on Arbitrum after a suspected compromise of a StakeDAO-linked deployer key, though thin liquidity limited the realized proceeds to about $91,000.
Blockchain security firm PeckShield said Wednesday the attacker swapped part of the minted vsdCRV for 43.7 Ether (ETH), worth about $91,000, and bridged the funds to Ethereum. Onchain analyst EmberCN said the attacker swapped about 16.83 million vsdCRV, while the remaining tokens had little meaningful liquidity to exit.
EmberCN estimated the 5.4 trillion vsdCRV at about $763 billion on paper, though the figure does not represent the attacker’s realized profit or the protocol’s confirmed loss.
The incident highlights the gap between nominal token values and extractable value in decentralized finance exploits, where attackers can mint enormous token amounts but only cash out what available liquidity allows. In this case, the attacker’s proceeds were limited by the small size of vsdCRV liquidity pools.
StakeDAO said it was aware of the incident and warned its users not to interact with vsdCRV.
Stake DAO said it was aware of the incident. Source: Stake DAO
Incident points to a deployer-key compromise
Shalev Keren, chief product officer and co-founder of crypto key-management firm Sodot, told Cointelegraph that the StakeDAO incident was “structurally similar” to other deployer-key compromises seen this year, including the Wasabi incident last month, which drained about $5.5 million in crypto.
Keren said a single StakeDAO deployer key on Arbitrum was used to repoint the vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum. About 25 seconds later, that contract sent a LayerZero message back to Arbitrum, causing the legitimate Arbitrum token to mint more than 5 trillion vsdCRV to the attacker.
Related: Crypto hackers stole $17B over past 10 years: DefiLlama
“There is no smart contract bug here and no flaw in LayerZero,” Keren said. “There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing onchain.”
Keren said the broader issue for DeFi protocols in 2026 is no longer only whether contracts are audited, but whether the operational keys behind those contracts remain single points of failure.
Magazine: ETH bears growling, Tom Lee’s buying, XRP to ‘explode’: Market Moves
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.More on the subject
South Korea charges CATFI memecoin operators in first DEX rug-pull case: Report7 hours agoZoltan Vardai
Scammers make $400K through fake Uniswap ads on GoogleMay 26, 2026Martin Young
Squid and Safe Labs say third-party module behind $3.2M exploitMay 25, 2026Helen PartzSouth Korea charges CATFI memecoin operators in first DEX rug-pull case: Report7 hours agoZoltan VardaiScammers make $400K through fake Uniswap ads on GoogleMay 26, 2026Martin YoungSquid and Safe Labs say third-party module behind $3.2M exploitMay 25, 2026Helen Partz
