Stake DAO Hit by Hack, 5.4 Trillion vsdCRV Tokens Minted Without Authorization

DeFi platform Stake DAO has suffered a hack involving its derivative token, vsdCRV. The attacker minted tokens on the Arbitrum network on a multi-trillion scale and is swapping them for Ether.

The Block reported on May 27 that multiple blockchain security firms said Stake DAO was under an ongoing attack. Blockaid said the attacker minted more than 5.4 trillion vsdCRV tokens on Arbitrum and was exchanging them for ETH.

PeckShield said part of the stolen funds had been converted into 43.78 ETH, worth about $91,000, and bridged to the Ethereum mainnet.

vsdCRV is a yield-bearing derivative token linked to the Curve Finance ecosystem. It is used in Stake DAO's automated yield strategies.

Stake DAO said it was aware of the incident and advised users not to interact with vsdCRV.

Security firms pointed to a possible compromise of Stake DAO's deployer private key as the cause of the attack. BlockSec said the attacker obtained the deployer private key, assigned an arbitrary peer to vsdCRV, and then forged malicious messages to mint about 5.44 trillion vsdCRV tokens without limit.