Stake DAO Arbitrum Exploit Exposes Single-Key Risk

On Wednesday an attacker used a compromised Stake DAO deployer key on Arbitrum to mint about 5.4 trillion fake vsdCRV tokens, then swapped them for ether via a public router.

An attacker used a compromised Stake DAO deployer key on Arbitrum on Wednesday to mint roughly 5.4 trillion fake Vote-Boosted sdCRV (vsdCRV) tokens and then swapped them for ether through a public routing service, bypassing on-chain controls.

On-chain signals traced the breach to a Stake DAO deployer wallet. The attacker used the key to reset the LayerZero v2 bridge peer for vsdCRV. About 25 seconds later a forged cross-chain message created the enlarged vsdCRV supply on Arbitrum. The attacker routed the minted tokens through MetaMask’s public router to convert them into ether. Security checks on the involved smart contracts did not find code vulnerabilities tied to the incident.
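The sequence above (peer reset, then a forged mint about 25 seconds later) is the kind of pattern an on-chain monitor can flag. The following Python is an added example, not code from Stake DAO or any investigator; it runs a simple detector over constructed events whose addresses, timestamps and starting supply are placeholders. A mint is flagged if it lands within a short window after a bridge peer change for the same token, or if it inflates the running supply by more than a set ratio in one step.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One decoded on-chain event (constructed shape, not a real ABI decode)."""
    ts: int           # block timestamp in seconds
    kind: str         # "PeerSet" (bridge peer reconfigured) or "Mint"
    token: str        # token the event concerns
    actor: str        # address that triggered the event
    amount: int = 0   # minted amount in base units (Mint only)


@dataclass
class Alert:
    ts: int
    token: str
    reasons: List[str]
    seconds_since_peer_change: int   # -1 if no prior peer change was seen
    ratio_to_supply: float           # minted amount / supply before the mint


# Constructed sample data: placeholder addresses and timestamps, not real
# Arbitrum data. The last two events mimic the reported pattern (peer reset,
# then a very large mint 25 seconds later).
SAMPLE_EVENTS = [
    Event(1_000, "Mint", "vsdCRV", "0xBRIDGE_ENDPOINT", 2_000 * 10**18),
    Event(1_800, "Mint", "vsdCRV", "0xBRIDGE_ENDPOINT", 1_500 * 10**18),
    Event(5_000, "PeerSet", "vsdCRV", "0xDEPLOYER_KEY"),
    Event(5_025, "Mint", "vsdCRV", "0xBRIDGE_ENDPOINT", 5_400_000_000_000 * 10**18),
]
SAMPLE_SUPPLY_BEFORE = {"vsdCRV": 1_000_000 * 10**18}   # constructed starting supply


def find_suspicious_mints(events, supply_before, window_seconds=3600, max_mint_ratio=0.10):
    """Flag mints that follow a peer change within `window_seconds`, or that
    inflate the running supply by more than `max_mint_ratio` in one step."""
    last_peer_change: Dict[str, Event] = {}
    supply: Dict[str, int] = dict(supply_before)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "PeerSet":
            last_peer_change[ev.token] = ev
            continue
        if ev.kind != "Mint":
            continue
        prior = supply.get(ev.token, 0)
        ratio = ev.amount / prior if prior else float("inf")
        reasons = []
        since = -1
        peer = last_peer_change.get(ev.token)
        if peer is not None:
            since = ev.ts - peer.ts
            if since <= window_seconds:
                reasons.append(f"mint {since}s after peer change by {peer.actor}")
        if ratio > max_mint_ratio:
            reasons.append(f"mint inflates supply by {ratio:.2e}x")
        if reasons:
            alerts.append(Alert(ev.ts, ev.token, reasons, since, ratio))
        supply[ev.token] = prior + ev.amount   # track supply for the next ratio
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mints(SAMPLE_EVENTS, SAMPLE_SUPPLY_BEFORE):
        print(alert)
```

The two ordinary mints pass both checks; the mint 25 seconds after the peer change trips both the timing rule and the supply-ratio rule. In practice the events would come from a decoded log stream and the window and ratio would be tuned to the token's normal bridge volume.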

The incident centers on privileged operational keys rather than contract bugs. Keys that can change bridge peer settings or upgrade implementations sit outside the smart-contract logic auditors typically review. That architecture allowed an attacker to alter cross-chain configuration and produce a forged mint even though the contracts behaved as designed.

Similar single-key incidents occurred earlier this year. A compromised deployer wallet in April pulled roughly $4.5 million from vaults across four chains. Also in April, Drift Protocol lost about $285 million on Solana. A bridge-related freeze on Arbitrum followed a separate exploit that removed roughly $292 million. Another protocol recorded an unauthorized $80 million mint. Each of those projects had passed security audits before the breaches.

Teams responding to such incidents commonly move to freeze affected assets, run forensic analyses and update operational procedures. In the Arbitrum case the attacker converted counterfeit vsdCRV into ether via a public router, a step that can complicate tracing and recovery when funds move quickly through pools and across chains.

Shalev Keren, co-founder of Sodot, warned that audits do not address whether a small set of operational keys should remain on a single device. He urged that multisignature wallets sit between deployer keys and sensitive actions such as minting, and recommended hardware-backed key custody and time delays for high-privilege configuration changes.
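The controls recommended above (a signer threshold between a deployer key and sensitive actions, plus a delay on high-privilege configuration changes) can be expressed as a small policy gate. The Python below is an added, hypothetical model, not Stake DAO's or Sodot's code; signer names, the action name `setPeer` and the peer values are placeholders. It shows why a single compromised key cannot push a peer change through in 25 seconds once both a threshold and a timelock apply.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


class PolicyError(Exception):
    """Raised when a privileged action is attempted outside the policy."""


@dataclass
class PendingChange:
    action: str
    params: dict
    queued_at: int
    approvals: Set[str] = field(default_factory=set)


class PrivilegedChangeGate:
    """Hypothetical wrapper around privileged configuration changes: an action
    executes only after `threshold` distinct signers approve it and
    `delay_seconds` have elapsed since it was queued."""

    def __init__(self, signers, threshold, delay_seconds):
        if threshold < 2 or threshold > len(set(signers)):
            raise ValueError("threshold must be >= 2 and <= number of signers")
        self.signers = set(signers)
        self.threshold = threshold
        self.delay_seconds = delay_seconds
        self.pending: Dict[int, PendingChange] = {}
        self._next_id = 0

    def _require_signer(self, who):
        if who not in self.signers:
            raise PolicyError(f"{who} is not an authorized signer")

    def propose(self, who, action, params, now):
        self._require_signer(who)
        cid = self._next_id
        self._next_id += 1
        self.pending[cid] = PendingChange(action, dict(params), now, {who})
        return cid

    def approve(self, cid, who):
        self._require_signer(who)
        self.pending[cid].approvals.add(who)   # a set, so one key cannot approve twice

    def execute(self, cid, now):
        change = self.pending[cid]
        if len(change.approvals) < self.threshold:
            raise PolicyError(f"{len(change.approvals)}/{self.threshold} approvals")
        elapsed = now - change.queued_at
        if elapsed < self.delay_seconds:
            raise PolicyError(f"timelock: {self.delay_seconds - elapsed}s remaining")
        del self.pending[cid]
        return change.action, change.params


def make_gate():
    # Placeholder signer set: 2-of-3 with a 48-hour delay (constructed values).
    return PrivilegedChangeGate(["ops-key-A", "ops-key-B", "ops-key-C"],
                                threshold=2, delay_seconds=48 * 3600)


def single_key_attempt(gate, now):
    """The failure mode from the article: one key alone queues a peer change and
    tries to execute it 25 seconds later. Returns the policy error message."""
    cid = gate.propose("ops-key-A", "setPeer",
                       {"token": "vsdCRV", "peer": "0xUNTRUSTED_PEER"}, now)
    try:
        gate.execute(cid, now + 25)
    except PolicyError as err:
        return str(err)
    return "executed"   # unreachable under this policy


def legitimate_change(gate, now):
    """A properly approved change still waits out the delay before executing."""
    cid = gate.propose("ops-key-A", "setPeer",
                       {"token": "vsdCRV", "peer": "0xNEW_PEER"}, now)
    gate.approve(cid, "ops-key-B")
    try:
        gate.execute(cid, now + 25)        # enough approvals, but too early
    except PolicyError:
        pass
    return gate.execute(cid, now + gate.delay_seconds)


if __name__ == "__main__":
    print(single_key_attempt(make_gate(), 0))
    print(legitimate_change(make_gate(), 0))
```

The first check fails on approvals before the delay is even considered, so a stolen key by itself never reaches the timelock; the delay then gives monitoring (and the other signers) a window to notice a queued change that should not be there. On-chain, the same shape is a multisig owner plus a timelock contract in front of the configuration functions.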

The investigation into the Stake DAO exploit is ongoing. Stake DAO and related teams are continuing to assess the scope of the loss and any possible remediation.