# Stake DAO becomes the latest victim in an increasingly worrying run of DeFi hacks

*web3 · news · 2026-05-27 · Protos*

## Key points

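- Stake DAO suffered a private key compromise that let an attacker mint 5.4 trillion vsdCRV tokens.
- The attacker used the stolen deployer privileges to reconfigure the LayerZero OFT contract and obtain malicious minting authority.
- The attacker made 44 ETH through token swaps and bridged approximately $91,000 back to Ethereum.
- Curve Finance advised users to exit LlamaLend positions involving asdCRV to avoid liquidation risk.
- Recent DeFi hacks, including the one on Stake DAO, stem mainly from privileged private key compromises and configuration errors.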

Longtime DeFi platform Stake DAO has become the latest victim in an increasingly worrying run of DeFi hacks. In what appears to be a private key compromise, an attacker was able to mint 5.4 trillion of the project’s vsdCRV tokens on the Arbitrum network.

Blockchain monitoring firm Blockaid explains that an attacker used the compromised deployer to reconfigure the token’s LayerZero OFT contract to grant minting authority to an “attacker-deployed malicious contract.”

The hacker swapped a portion of the tokens, a yield-bearing, wrapped version of Curve Finance’s CRV, for a total of 44 ETH. After presumably depleting on-chain liquidity, the approximately $91,000 of total profit was then bridged back to Ethereum.

The project posted to X that it is “aware of the ongoing situation,” urging users not to interact with csdCRV. Additionally, Curve Finance advised its users to exit LlamaLend positions involving asdCRV to avoid the risk of liquidation.

Launched in 2021, Stake DAO has weathered DeFi’s stormy seas for over five years. But this isn’t the first time it has faced trouble. On March 12 this year, the platform’s Votemarket rewards program was attacked via a “peripheral oracle update mechanism.” Most of the $175,000 stolen on Arbitrum and Base was later returned.

## Crisis of confidence in DeFi security

Today’s Stake DAO hack comes amidst a heated, ongoing debate over DeFi security in the age of AI. Hours before the hack, Manuel Aráoz, co-founder of OpenZeppelin, posted to X that he considers all of DeFi “unsafe.”

OpenZeppelin, founded in 2015, provides secure standards for smart contracts for use in DeFi applications and audit services for projects. But Aráoz believes that “superhuman” coding agents put even “low-risk ‘blue chips’ like Aave, MakerDAO & Compound” at risk.

However, former Aave delegate Marc Zeller calls Aráoz’ post “moronic.” He argues that the majority of DeFi losses are down to “bad parameter configuration, collateral blow up and poor opsec,” rather than smart contract exploits.

Pseudonymous Yearn developer banteg agrees that DeFi’s asymmetric security landscape means “one small mistake is enough to kill you.” However, they agree that recent hacks are dominated by “privileged role or key compromises or configuration errors.”

**Companies:** Stake DAO, Curve Finance, Blockaid, OpenZeppelin

[Read the full story on Protos](https://protos.com/stake-dao-hit-by-hack-as-defi-security-confidence-hits-new-low/)

---

Canonical: https://newsio.io/zh-TW/n/4ff11da6-ab8b-48d7-b530-e3cdce0ee79c/stake-dao-defi-5-4-vsdcrv
Summarized by Newsio from Protos. https://newsio.io/how-it-works
