Stake DAO Suffers Arbitrum Attack, 54.4 Billion vsdCRV Illegally Minted

Stake DAO reported a security breach on Arbitrum after an attacker exploited a compromised private key to manipulate the LayerZero v2 configuration of vsdCRV, resulting in the unauthorized minting of approximately 54.4 billion vsdCRV. The attacker has already converted a portion of the tokens into 43.78 ETH and transferred the funds to Ethereum. Stake DAO is investigating the on-chain incident and urging users to revoke permissions to prevent further losses.
CoinDesk reports:

A security incident occurred on Arbitrum involving Stake DAO, where the attacker allegedly obtained the protocol deployer’s private key, modified the LayerZero v2 endpoint configuration for vsdCRV, and then forged cross-chain messages to trigger a large-scale abnormal minting event.

The attack path ran through a compromised private key and the cross-chain configuration.

According to the disclosure, the issue stemmed from the cross-chain communication configuration of vsdCRV. The attacker changed the LayerZero v2 endpoint address to one they controlled and then constructed a malicious cross-chain message, causing the contract to mint approximately 5.44 trillion vsdCRV tokens directly to the attacker's wallet with no further checks.

The tokens were not bought on public markets; they were created by abusing protocol permissions and the cross-chain message verification path to mint a supply that should never have existed.
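As an added illustration (not Stake DAO's or LayerZero's code; the contract and function names are hypothetical), the Solidity sketch below contrasts the pattern the report describes, where a single key can hot-swap the trusted endpoint and any message from it mints without limit, with a hardened receiver that pins the endpoint at deployment, delays peer changes behind a public event, and rate-limits inbound minting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Weak pattern (simplified, hypothetical): one owner key can repoint the trusted
// endpoint with immediate effect, and any message from it mints without bound.
contract WeakBridgedToken {
    address public owner = msg.sender;
    address public endpoint;                       // hot-swappable by a single key
    mapping(address => uint256) public balanceOf;

    function setEndpoint(address e) external {
        require(msg.sender == owner, "not owner");
        endpoint = e;                              // effective in the same transaction
    }
    function onCrossChainMessage(address to, uint256 amount) external {
        require(msg.sender == endpoint, "not endpoint");
        balanceOf[to] += amount;                   // no peer check, no delay, no cap
    }
}
// Hardened pattern: endpoint fixed at deployment, peer changes pass through a public
// delay (emitting an event monitoring can alert on), and inbound minting is capped per window.
contract HardenedBridgedToken {
    uint256 public constant DELAY = 2 days;
    uint256 public constant WINDOW = 1 hours;
    uint256 public constant CAP_PER_WINDOW = 1_000_000 ether;
    address public immutable endpoint;
    address public owner = msg.sender;             // intended to be a multisig or timelock
    bytes32 public peer;                           // the only remote sender accepted
    bytes32 public pendingPeer; uint256 public peerEta;
    uint256 public windowStart; uint256 public mintedInWindow;
    mapping(address => uint256) public balanceOf;
    event PeerProposed(bytes32 peer, uint256 eta);

    constructor(address _endpoint, bytes32 _peer) { endpoint = _endpoint; peer = _peer; }

    function proposePeer(bytes32 p) external {
        require(msg.sender == owner, "not owner");
        pendingPeer = p; peerEta = block.timestamp + DELAY;
        emit PeerProposed(p, peerEta);             // alert: privileged config change queued
    }
    function applyPeer() external {
        require(pendingPeer != bytes32(0) && block.timestamp >= peerEta, "delay not elapsed");
        peer = pendingPeer; pendingPeer = bytes32(0);
    }
    function onCrossChainMessage(bytes32 from, address to, uint256 amount) external {
        require(msg.sender == endpoint && from == peer, "untrusted source");
        if (block.timestamp >= windowStart + WINDOW) { windowStart = block.timestamp; mintedInWindow = 0; }
        mintedInWindow += amount;
        require(mintedInWindow <= CAP_PER_WINDOW, "mint cap exceeded");
        balanceOf[to] += amount;
    }
}
```

The delay and the PeerProposed event give operators and on-chain monitors a window to notice an unexpected configuration change before it takes effect, and the per-window cap bounds the damage from any single forged message.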

Some tokens have been redeemed and transferred to Ethereum.

Blockchain security firm Blockaid stated that the attackers have sold a portion of the tokens, acquiring approximately 43.78 ETH, and bridged the funds back to the Ethereum mainnet. This indicates that the associated assets have begun cross-chain transfers, potentially increasing the difficulty of subsequent tracking and freezing.

  • The attack occurred on the Arbitrum network.
  • The token involved is vsdCRV from Stake DAO.
  • A portion of the funds has been converted to approximately 43.78 ETH.

The team is still investigating and has reminded users to revoke authorizations.

The Stake DAO team is still investigating the incident, with a focus on how the private key may have been compromised, when configuration changes occurred, and whether any other contracts or assets were affected.

While the investigation continues, users have been advised to revoke related authorizations as soon as possible to limit further risk. For DeFi protocols, once privileged permissions or cross-chain configuration are compromised, the impact tends to spread quickly from a single contract to fund flows and liquidity.
