
StakeDAO vsdCRV Investigation: Governance Exploit Analysis

📅 2025-05-28
governance stakedao curve exploit

Stake DAO vsdCRV Attack Investigation Report

Investigation Date: May 27, 2026

Incident Type: Private Key Leakage Leading to Unlimited Cross-Chain Token Minting

Loss Amount: ~$91,000 (Final Profit)

Attacked Token: vsdCRV (Vote-Boosted sdCRV)

Attack Chain: Arbitrum


📋 Executive Summary

On May 27, 2026, the DeFi protocol Stake DAO suffered a security attack. Attackers obtained the protocol's deployer private key on the Arbitrum chain and used it to manipulate the LayerZero cross-chain bridge configuration. They then minted 5.4 trillion vsdCRV tokens, exchanged a portion for 44 ETH (valued at approximately $91,000), and bridged the ETH to the Ethereum mainnet.

Key Transaction Hashes:

  • Minting Transaction: 0x7489ec5f5dba1de6e6c92f2c0f1dd93bd4a2f307c3bd2305b2f93f569a3e5fe5
  • LayerZero Configuration Change Transaction


🔍 Attack Vector Analysis

Attack Flow

  • Private Key Acquisition: Attackers obtained Stake DAO's Arbitrum deployer key
  • Configuration Manipulation: Used the key to reset the peer configuration of vsdCRV's LayerZero OFT contract
  • Cross-Chain Message Forgery: Sent forged cross-chain messages through a malicious peer
  • Unlimited Minting: Contract accepted forged messages, unconditionally minting 5.4 trillion vsdCRV
  • Rapid Exchange: Exchanged tokens for ETH via MetaMask public router
  • Cross-Chain Transfer: Cross-chained ETH to Ethereum mainnet

Timeline Analysis

    • T+0 seconds: Attacker used deployer key to reset LayerZero peer configuration
    • T+25 seconds: Malicious contract sent cross-chain message via LayerZero
    • T+25 seconds: Contract minted 5.4 trillion vsdCRV to attacker address
    • Immediately: Attacker exchanged tokens for ETH through DEXs like Uniswap
    • Subsequently: Cross-chained ETH to Ethereum mainnet

    Technical Details

    According to BlockSec analysis:

    > "The attacker obtained the deployer key and set an arbitrary peer for vsdCRV. Using this peer, they sent a malicious message, triggering an unconditional minting of approximately 5.44T vsdCRV to the attacker address."

    According to analysis by Sodot co-founder Shalev Keren:

    > "No smart contract vulnerabilities, no LayerZero flaws. Just one private key controlling a privileged configuration function, no multisig, no delay between configuration change and on-chain minting."


    📊 Fund Flow Analysis

    | Step | Asset | Amount |
    |-----|-------|--------|
    | Minting | vsdCRV | 5,446,744,073,709 |
    | Exchange | ETH | ~44 ETH |
    | Cross-Chain | ETH (Arbitrum→Ethereum) | ~44 ETH |

    Stake DAO officially confirmed the attacker address and attack transaction.


    ⚠️ Systemic Risk Analysis

    2026 DeFi Security Landscape

    This attack continues the severe security situation in the DeFi sector in 2026:

    • April 2026: DeFi attacks resulted in $641.67 million in losses (highest monthly figure for the year)
    • Since April: Over $600 million stolen, including:
      - Kelp DAO: $292 million
      - Drift Protocol: $285 million
      - Wasabi Protocol: $45 million

    Common Patterns

    OpenZeppelin founder Manuel Aráoz commented:

    > "I think all DeFi is insecure."

    There is a fundamental asymmetry between attackers and defenders:

    • Attackers only need to find one vulnerability
    • Defenders must protect all possible attack surfaces

    "Deployer Key" Risk

    This attack shares similar patterns with:

    • Wasabi Protocol (April 2026): Deployer key leakage, $45 million lost across 4 chains
    • Multiple 2026 DeFi attacks: All involving single-point-of-failure from privileged keys


    🛡️ Community Protection Recommendations

    For Protocol Developers

  • Remove Single Points of Failure: Avoid using a single private key to control critical configurations
  • Implement Timelocks: Configuration changes should require multi-signature and delay mechanisms
  • Audit Focus: Include key management and configuration permissions in security audits
  • Emergency Pause: Deploy emergency pause mechanisms to respond to key leakage

    For Users

  • Monitor Protocol Announcements: Follow project security alerts and official statements
  • Limit Exposure: Avoid keeping large amounts of assets in a single protocol long-term
  • Respond to Events: Immediately withdraw affected assets when hearing about security incidents


    📝 Unique Analytical Perspective

    Structural Vulnerabilities in LayerZero Cross-Chain Bridges

    This attack reveals potential issues in cross-chain bridge design:

    • Cross-chain message verification depends on peer configuration: If the peer is maliciously changed, the entire verification mechanism fails
    • Configuration changes without delay: The path from configuration change to fund theft completed in 25 seconds
    • Single point of authority: Deployer key controls critical cross-chain configuration
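
A monitoring rule for the pattern described above (an unapproved peer change followed shortly by a mint), as an added example that is not part of the original report or Stake DAO's code. It assumes the token is a LayerZero V2 OApp that emits `PeerSet(eid, peer)` and that mints appear as ERC-20 `Transfer` events from the zero address; the allowlist, the one-hour window, and all sample events are constructed for illustration.

```python
from dataclasses import dataclass

ZERO_ADDR = "0x" + "00" * 20
WINDOW = 3600  # assumed alert window in seconds; the incident's gap was 25 s

@dataclass(frozen=True)
class Event:
    ts: int      # block timestamp, unix seconds
    name: str    # "PeerSet" (LayerZero OApp) or "Transfer" (ERC-20)
    args: dict

def scan(events, approved_peers, window=WINDOW):
    """Flag peer changes outside the allowlist and mints that follow them.

    approved_peers: eid -> bytes32 peer approved by governance (an
    assumption: the monitor keeps this allowlist in its own config).
    """
    alerts, bad_since = [], {}   # bad_since: eid -> ts of unapproved change
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "PeerSet":
            eid, peer = ev.args["eid"], ev.args["peer"].lower()
            if approved_peers.get(eid, "").lower() == peer:
                bad_since.pop(eid, None)          # restored to a known peer
            else:
                bad_since[eid] = ev.ts
                alerts.append(("unapproved_peer", ev.ts, eid))
        elif ev.name == "Transfer" and ev.args["from"].lower() == ZERO_ADDR:
            recent = [t for t in bad_since.values() if ev.ts - t <= window]
            if recent:                            # mint while a rogue peer is live
                alerts.append(("mint_after_peer_change", ev.ts, ev.ts - max(recent)))
    return alerts

# Constructed sample data (not real on-chain values).
GOOD_PEER = "0x" + "00" * 12 + "aa" * 20
ROGUE_PEER = "0x" + "00" * 12 + "bb" * 20
T0 = 1_000_000
SAMPLE = [
    Event(T0 - 500, "Transfer", {"from": ZERO_ADDR, "to": "0x" + "11" * 20, "value": 10**18}),
    Event(T0, "PeerSet", {"eid": 1, "peer": ROGUE_PEER}),
    Event(T0 + 25, "Transfer", {"from": ZERO_ADDR, "to": "0x" + "22" * 20, "value": 5_446_744_073_709}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, {1: GOOD_PEER}):
        print(alert)
```

With only 25 seconds between the two events, an alert of this kind is useful mainly when it can trigger an automated pause; a timelock on the peer setter is what creates time for a human response.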

    DeFi's "False Decentralization" Dilemma

    Many protocols claim "decentralization," but their actual security relies on:

    • A single private key (private key leak = protocol hacked)
    • A single deployer (concentrated operational risk)
    • Multisig but without delay (minimal actual protection)

    Industry Reflection

    This attack should prompt the entire industry to reflect:

    • What are we truly protecting?
    • Does "audit passed" equal "secure"?
    • Who should be responsible for private key leakage?


    📚 Data Sources


    Investigator: Onchain Shadow

    OPSEC Statement: This report is based on publicly available on-chain data and media reports; all information comes from public sources.

    Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.