Attacker mints 5.44T vsdCRV on Arbitrum; swaps for ETH

Attacker who obtained a Stake DAO deployer key minted about 5.44 trillion vsdCRV on Arbitrum and is swapping tokens for ETH; about 43.78 ETH has been bridged to Ethereum.

Security firms reported that an attacker who obtained a Stake DAO deployer private key minted roughly 5.44 trillion vsdCRV on the Arbitrum network and is converting the tokens to ETH. On-chain trackers show about 43.78 ETH, roughly $91,000 at current prices, has been swapped and bridged to Ethereum.

Stake DAO confirmed it is aware of the incident and advised users to avoid interacting with vsdCRV while investigators review the situation.

vsdCRV, or vote-boosted sdCRV, is a yield-related derivative tied to the Curve Finance ecosystem and is used inside Stake DAO’s automated yield strategies. The minted tokens are the derivative used within those strategies, not Curve’s native CRV tokens.

Researchers traced the activity to a compromised deployer private key that allowed the attacker to change contract parameters. Security teams reported the attacker set an arbitrary peer for vsdCRV and then forged a message that caused the contract to mint tokens without the normal controls. BlockSec explained: “The attacker appears to have obtained the deployer's private key and set an arbitrary peer for vsdCRV. Using that peer, they forged a malicious message that triggered unconditional minting of ~5.44T vsdCRV to their address.”

On-chain alerts initially flagged unusually large transfers and swaps on Arbitrum. Security teams followed those transactions and traced portions of the minted supply being swapped for small amounts of ETH and moved to Ethereum through a cross-chain bridge.
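The two steps the researchers describe, a privileged peer change followed by an unconditional mint, are exactly what a defender's on-chain monitor should alert on, before swaps and bridging reveal the problem. The Python below is an added example, not code from the article, Stake DAO or any security firm; the event names (`PeerSet`, `Transfer`), field layout, thresholds and sample records are assumptions constructed for illustration.

```python
# Added example (not from the article or Stake DAO): a minimal monitor that flags
# (a) any peer-configuration change on a cross-chain token contract and
# (b) any mint (ERC-20 Transfer from the zero address) that is outsized relative
# to current supply or lands shortly after a peer change.
# Event names, fields and the sample records are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    contract: str
    name: str   # "PeerSet" (admin configuration) or "Transfer" (ERC-20)
    data: dict

ZERO = "0x0"   # mint convention: Transfer from the zero address

# Constructed sample log: a routine mint, then a peer change and a huge mint.
SAMPLE_EVENTS = [
    Event(100, "vsdCRV", "Transfer", {"from": ZERO, "to": "0xuser1", "value": 1_000 * 10**18}),
    Event(150, "vsdCRV", "PeerSet", {"eid": 30101, "peer": "0xattacker_peer"}),
    Event(152, "vsdCRV", "Transfer", {"from": ZERO, "to": "0xattacker", "value": 5_440_000_000_000 * 10**18}),
]

def find_alerts(events, total_supply, supply_multiple=1.0, window_blocks=50):
    """Return one alert string per suspicious event.

    A mint is suspicious if it exceeds supply_multiple * (supply before the mint)
    or if it occurs within window_blocks after a PeerSet on the same contract.
    """
    alerts = []
    last_peer_block = {}          # contract -> block of most recent PeerSet
    supply = total_supply         # running supply, updated after each mint
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "PeerSet":
            last_peer_block[ev.contract] = ev.block
            alerts.append(f"block {ev.block}: peer for eid {ev.data['eid']} "
                          f"set to {ev.data['peer']} on {ev.contract}")
        elif ev.name == "Transfer" and ev.data["from"] == ZERO:
            minted = ev.data["value"]
            oversized = minted > supply_multiple * supply
            peer_block = last_peer_block.get(ev.contract)
            after_peer = peer_block is not None and ev.block - peer_block <= window_blocks
            if oversized or after_peer:
                reason = "exceeds supply" if oversized else "follows peer change"
                alerts.append(f"block {ev.block}: mint of {minted // 10**18} "
                              f"to {ev.data['to']} on {ev.contract} ({reason})")
            supply += minted
    return alerts
```

Running `find_alerts(SAMPLE_EVENTS, total_supply=10_000 * 10**18)` yields two alerts: the peer change and the 5.44T mint that dwarfs prior supply.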

One security firm reported that the bridged portion totaled about 43.78 ETH. Investigators continue to monitor addresses and trace subsequent swaps and movements.

The incident occurs amid a recent run of DeFi exploits since April that have led to losses exceeding $600 million, including a single incident that removed $292 million from a protocol. Security experts have warned that attackers can automate discovery and exploitation at scale; Manuel Aráoz of OpenZeppelin described “all of DeFi” as unsafe, citing an asymmetry between attackers and defenders.

Stake DAO and external security teams are continuing active monitoring and analysis. The project has not released a full timeline or a remediation plan, and it is not yet known whether the newly minted tokens can be recovered or how the deployer key was exposed.
