# Stake DAO 正面臨與其 Arbitrum 上 vsdCRV 代幣相關的持續攻擊。 *web3 · news · 2026-05-27 · Crypto News* ## Key points - 攻擊者利用被入侵的部署者金鑰,在 Arbitrum 上鑄造了超過 5.4 兆 vsdCRV 代幣。 - 攻擊者重新配置了 LayerZero v2 OFT 節點,將信任重定向至惡意合約。 - 至少有 43.78 ETH 從攻擊中橋接至以太坊,損失數字仍在變動中。 - Stake DAO 與 Wasabi Protocol 事件均源自特權金鑰被入侵,而非市場操控。 - 近期 DeFi 駭客事件越來越多與跨鏈代幣風險及橋接漏洞有關。 Stake DAO is facing an ongoing exploit tied to its vsdCRV token on Arbitrum. Blockchain security firm Blockaid said an attacker minted more than 5.4 trillion vsdCRV and began swapping the tokens for ETH. Stake DAO confirmed it was aware of the situation and told users not to interact with vsdCRV. The project’s warning came as researchers continued tracking the attacker’s activity across Arbitrum and Ethereum. vsdCRV, or vote-boosted sdCRV, is tied to the Curve Finance ecosystem and used within Stake DAO’s yield products. The token became the center of the incident after the attacker allegedly gained enough control to mint a huge supply. PeckShield said part of the minted funds had already been swapped for 43.78 ETH, worth about $91,000, and bridged to Ethereum. The incident remains a developing story, and final loss figures may change as more transactions are traced. Researchers point to deployer key compromise Blockaid said the suspected root cause was a compromised Stake DAO deployer private key. According to the firm, the attacker used that access to reconfigure the LayerZero v2 OFT peer for the vsdCRV token contract. That change allegedly redirected trust from the legitimate Ethereum-side adapter to a malicious contract controlled by the attacker. The attacker then sent a forged cross-chain message that triggered the minting of roughly 5.44 trillion vsdCRV. BlockSec described the attack as a case where the attacker appeared to obtain the deployer’s private key and set an arbitrary peer for vsdCRV. The firm said the forged message then caused unconditional minting to the attacker’s address. The incident shows how privileged access remains a major risk in DeFi. Even when smart contract code works as designed, a compromised deployer key can give attackers the ability to change trusted settings and trigger losses. DeFi security concerns deepen The Stake DAO exploit follows a series of recent DeFi incidents. As previously reported by crypto.news, OpenZeppelin co-founder Manuel Aráoz said he now considers “all of DeFi” unsafe and has advised friends and family to exit DeFi positions. Aráoz argued that coding agents are becoming strong tools for finding vulnerabilities, while defenders still need to fix every weakness before attackers find one. His comments came as DeFi protocols lost about $629.7 million to hacks in April. Separately, Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after a compromised admin key allowed attackers to upgrade contracts and drain funds. That case resembles the current Stake DAO concern because both incidents involved privileged key access rather than a simple market manipulation event. Wasabi also warned users not to interact with its contracts while the team investigated. Cross-chain risks remain in focus The Stake DAO incident also points back to cross-chain token risks. Security reports have tracked repeated attacks involving bridges, peer settings, and message validation across chains in 2026. BlockSec’s May security roundup listed multiple incidents across Ethereum, Sui, BNB Chain, Base, Blast, and Berachain, with total losses of about $15.9 million over a two-week period. Its blog also identified Wasabi as a key-compromise case. **Companies:** Stake DAO, Blockaid, PeckShield, BlockSec [Read the full story on Crypto News](https://crypto.news/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth/) --- Canonical: https://newsio.io/zh-TW/n/6722954e-93a6-425e-ac18-a52a55f94673/stake-dao-arbitrum-vsdcrv-5-4-vsdcrv-eth Summarized by Newsio from Crypto News. https://newsio.io/how-it-works