Stake DAO faces ongoing exploit as attacker mints 5.4T vsdCRV on Arbitrum

Someone just printed themselves 5.4 trillion governance tokens out of thin air. And they’re actively cashing out.

Stake DAO, a DeFi protocol that builds liquid lockers for governance tokens like CRV, is dealing with an active exploit on Arbitrum. An attacker used a compromised private key tied to the protocol’s deployer wallet to mint approximately 5.4 trillion vsdCRV tokens, a wrapped version of Stake DAO’s sdCRV token. The attacker has been swapping those freshly minted tokens for ether, draining value from liquidity pools in real time.

What happened and what is vsdCRV

Here’s the thing about vsdCRV. It sits inside Stake DAO’s “Boosted Vote Strategy,” functioning as a wrapper around sdCRV that enhances governance voting power through delegated veSDT. The problem is that whoever controlled the deployer key also controlled the ability to mint new vsdCRV. And they used that power to create a supply so absurdly large that the number barely fits on a calculator. The attacker then began routing those tokens through swaps, converting vsdCRV into ETH across available liquidity.

Stake DAO uses LayerZero for cross-chain token movement, including its Arbitrum deployments. While LayerZero itself doesn’t appear to have been directly compromised, a token that was supposed to represent locked governance power on Ethereum mainnet was instead being minted without backing on Arbitrum and sold into whatever liquidity existed.