DeFi hit again! The StakeDAO deployer's private key was leaked; the attacker minted 5.4 trillion vsdCRV out of thin air on Arbitrum and is currently swapping them for ETH.
動區 BlockTempo · 2026-05-27 09:50:28

Blockchain security firm Blockaid has detected that Stake DAO is under attack on Arbitrum. The attacker used a leaked deployer private key to mint over 5.4 trillion vsdCRV (Vote Boosted sdCRV) tokens out of thin air via the LayerZero v2 OFT cross-chain protocol and is currently swapping them for ETH. Blockaid indicates the suspected root cause is a private key leak, and the attack is still ongoing.

(Background: OpenZeppelin co-founder calls for exit from all DeFi: AI has tipped the offense-defense balance, even blue-chip Aave is unsafe)
(Context: Kelp DAO announces full restoration of rsETH: 5 weeks ago $293M was stolen by North Korean hackers)

Key Highlights
- StakeDAO's deployer private key was compromised, and the attacker minted over 5.4 trillion vsdCRV on Arbitrum and swapped them for ETH
- Attack method: the attacker used the leaked private key to reconfigure the LayerZero v2 OFT cross-chain peer settings, redirecting trust to a malicious contract

Blockchain security firm Blockaid issued a real-time alert, detecting that DeFi yield protocol Stake DAO is under an ongoing attack on Arbitrum. The attacker has minted over 5.4 trillion vsdCRV (Vote Boosted sdCRV) tokens and is currently swapping them for ETH.

Blockaid determined the root cause to be the leak of the private key of the StakeDAO deployer (0x000755F…1ff62). After obtaining the private key, the attacker called the setPeer function on the vsdCRV token contract and reconfigured the cross-chain peer settings of the LayerZero v2 OFT (Omnichain Fungible Token). This redirected the trust relationship, which originally pointed to the legitimate vsdCRVOFTAdapter on Ethereum mainnet, to a malicious contract deployed by the attacker.

After completing the trust redirection, the attacker executed cross-chain minting on Arbitrum, producing massive amounts of vsdCRV out of thin air and beginning to dump them.
Another LayerZero-related cross-chain vulnerability

This is not the first time LayerZero's cross-chain architecture has become an attack vector this year. In April, Kelp DAO was hit by North Korean hackers who stole $293 million, with the attackers similarly exploiting weaknesses in LayerZero's cross-chain verification mechanism. The difference is that the Kelp DAO incident involved the compromise of a single-point verifier in the DVN (Decentralized Verifier Network), while the StakeDAO incident involved the leak of the deployer private key itself, which allowed the attacker to modify contract settings directly.

StakeDAO's vsdCRV is a governance token in the Curve ecosystem that allows sdCRV holders to boost voting weight by delegating veSDT. The attack is still ongoing, and the final loss amount depends on how much ETH the attacker can drain from the liquidity pools. Blockaid urges all users to suspend all StakeDAO-related operations.

Just today, OpenZeppelin co-founder Manuel Araoz publicly declared "all DeFi is unsafe," and the leak of StakeDAO's deployer private key once again confirms his judgment.

FAQ

What was the attack method in this StakeDAO incident?
After obtaining StakeDAO's deployer private key, the attacker used that permission to reconfigure the peer (setPeer) of the LayerZero v2 OFT cross-chain contract, redirecting trust from the legitimate Ethereum-side contract to a malicious contract, then minted over 5.4 trillion vsdCRV out of thin air on Arbitrum and swapped them for ETH.

What is the vsdCRV token?
vsdCRV is Stake DAO's "Vote Boosted sdCRV" token, part of the Curve ecosystem's governance system. Holders can boost voting weight by delegating veSDT, which is used for Curve-related liquidity incentive voting. What the attacker minted was the cross-chain version on Arbitrum.
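The setPeer redirection described in the article is observable on-chain, so a defender can alert on it. The following is an added example, not code from the article, Blockaid or Stake DAO: it checks peer-change logs against an allowlist, assuming the token emits LayerZero v2's PeerSet(uint32 eid, bytes32 peer) event with both fields in the log data. The addresses, transaction ids and helper names are constructed placeholders, and 30101 as the Ethereum endpoint id is an assumption.

```python
# Assumption: 30101 is the LayerZero v2 endpoint id (eid) for Ethereum mainnet.
ETHEREUM_EID = 30101
# Constructed placeholder, NOT the real vsdCRVOFTAdapter address.
LEGIT_ADAPTER = "0x" + "11" * 20

def strip0x(value):
    return value[2:] if value.startswith("0x") else value

def to_bytes32(address):
    """Left-pad a 20-byte EVM address to the bytes32 form OFT peers use."""
    raw = bytes.fromhex(strip0x(address))
    if len(raw) != 20:
        raise ValueError("expected a 20-byte address")
    return raw.rjust(32, b"\x00")

# Approved peer per remote eid; anything else is treated as a redirection.
ALLOWED_PEERS = {ETHEREUM_EID: to_bytes32(LEGIT_ADAPTER)}

def decode_peer_set(data_hex):
    """Decode the log data of PeerSet(uint32 eid, bytes32 peer)."""
    data = bytes.fromhex(strip0x(data_hex))
    if len(data) != 64:
        raise ValueError("PeerSet data must be two 32-byte words")
    if any(data[:28]):
        raise ValueError("eid word is not a uint32")
    return int.from_bytes(data[28:32], "big"), data[32:]

def check_peer_change(log):
    """Return an alert for an unapproved peer change, or None if approved."""
    try:
        eid, peer = decode_peer_set(log["data"])
    except ValueError as exc:
        return f"tx {log['tx']}: undecodable PeerSet log ({exc})"
    if eid not in ALLOWED_PEERS:
        return f"tx {log['tx']}: peer set for unapproved eid {eid}"
    if peer != ALLOWED_PEERS[eid]:
        return f"tx {log['tx']}: eid {eid} peer changed to 0x{peer.hex()}"
    return None

def make_log(tx, eid, addr):
    """Constructed sample log, as if pre-filtered to the token's PeerSet event."""
    data = eid.to_bytes(32, "big") + to_bytes32(addr)
    return {"tx": tx, "data": "0x" + data.hex()}

SAMPLE_LOGS = [
    make_log("0xaaa", ETHEREUM_EID, LEGIT_ADAPTER),   # approved peer
    make_log("0xbbb", ETHEREUM_EID, "0x" + "66" * 20),  # redirected peer
]
ALERTS = [a for a in map(check_peer_change, SAMPLE_LOGS) if a]
print("\n".join(ALERTS))
```

A check like this only detects the change; because setPeer is owner-gated, the preventive control is keeping the owner key off a single hot deployer account.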