StakeDAO vsdCRV attacker limited to $91K by thin liquidity

Cointelegraph


An attacker collected more than 5.4 trillion vsdCRV on Arbitrum after compromising a StakeDAO-related deployment key, although thin liquidity limited the proceeds to around $91,000.

Blockchain security firm PeckShield said on Wednesday that the attacker converted some of the minted vsdCRV into 43.7 Ether (ETH), worth about $91,000, and moved the funds to Ethereum. Onchain analyst EmberCN saw the attacker exchange 16.83 million vsdCRV, while the rest of the tokens had little meaningful liquidity to exit into.

EmberCN estimated the 5.4 trillion vsdCRV to be worth about $763 billion on paper, although the figure does not represent the attacker's actual profit or a proven loss to the protocol.

The incident highlights the gap between nominal token values and the value that can actually be extracted in decentralized finance exploits, where attackers can obtain large amounts of a token but can cash out only against the available liquidity. In this case, the attacker's proceeds were limited by the small size of the vsdCRV liquidity pools.

StakeDAO is aware of the incident and has warned its users not to interact with vsdCRV.

Stake DAO said it was aware of the incident. Source: Stake DAO

Incident points to deployment-key compromise

Shalev Keren, chief product officer and co-founder of crypto key-management firm Sodot, told Cointelegraph that the StakeDAO incident was “structurally similar” to other deployment-key compromises seen this year, including last month's Wasabi incident, which involved $5.5 million in crypto.

Keren said a StakeDAO deployment key on Arbitrum was used to point the vsdCRV cross-chain bridge configuration at an attacker-controlled Ethereum contract. Twenty-five seconds later, that contract sent a LayerZero message back to Arbitrum, causing the legitimate Arbitrum token to mint more than 5 trillion vsdCRV to the attacker.

“There is no smart contract error here and no flaw in LayerZero,” Keren said. “There is one private key that controls a unique configuration function, with no multiple signatures and no delay between a configuration change and the device's onchain.”

Keren added that a broader issue for DeFi protocols in 2026 is not just whether contracts are auditable, but whether the operational keys behind contracts will continue to be single points of failure.
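
The two missing controls Keren names, multiple signatures and a delay before a configuration change takes effect, can also be checked after the fact in monitoring. The sketch below is an added example, not code from StakeDAO, LayerZero or Sodot: the event record, the peer names, the 24-hour delay and the two-signer threshold are all assumptions, and the sample events are constructed to mirror the sequence described above.

```python
from dataclasses import dataclass

MIN_DELAY = 24 * 3600    # assumed policy: a new peer is not trusted for 24 hours
REQUIRED_SIGNERS = 2     # assumed policy: config changes need 2 distinct approvers

@dataclass(frozen=True)
class Event:             # constructed record, not a real LayerZero event schema
    ts: int              # unix seconds
    kind: str            # "peer_set" (config change) or "mint" (inbound message)
    peer: str            # remote contract being trusted / that sent the message
    signers: tuple = ()  # keys that approved a peer_set
    amount: int = 0      # tokens minted by the inbound message

def audit_bridge_events(events):
    """Flag single-key peer changes and mints driven by a freshly set peer."""
    findings, peer_set_at = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "peer_set":
            peer_set_at[e.peer] = e.ts
            if len(set(e.signers)) < REQUIRED_SIGNERS:
                findings.append(("single_key_config_change", e.ts, e.peer, 0))
        elif e.kind == "mint":
            age = e.ts - peer_set_at.get(e.peer, e.ts)  # unknown peer counts as age 0
            if age < MIN_DELAY:
                findings.append(("mint_inside_delay_window", e.ts, e.peer, age))
    return findings

T = 1_700_000_000  # constructed timestamp
SAMPLE_EVENTS = [  # constructed events mirroring the sequence described in the article
    Event(T - 90 * 86400, "peer_set", "0xLEGIT_PEER", ("signer_a", "signer_b")),
    Event(T - 3600, "mint", "0xLEGIT_PEER", amount=1_000),
    Event(T, "peer_set", "0xATTACKER_PEER", ("deployer_key",)),
    Event(T + 25, "mint", "0xATTACKER_PEER", amount=5_400_000_000_000),
]

if __name__ == "__main__":
    for name, ts, peer, age in audit_bridge_events(SAMPLE_EVENTS):
        print(f"{name}: peer={peer} ts={ts} peer_age_s={age}")
```

Run against the sample, the audit reports the single-key peer change and the mint that arrived 25 seconds after it, while the long-established peer's mint passes.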
