5.4 trillion vsdCRV minted on Arbitrum in a single transaction
The attacker obtained the private key of the Stake DAO deployer
An attacker compromised the private key of the Stake DAO deployer and minted 5.4 billion vsdCRV tokens on the Arbitrum network on Wednesday, May 27. According to reports, the hacker had already swapped tokens worth USD 100,000, the equivalent of just over 43 ETH.
According to security firm BlockSec, the attacker established an arbitrary pair for vsdCRV and forged a malicious message that allowed the unconditional minting of tokens to the attacker's own address.
Security firm PeckShield reported that some of the tokens have already been exchanged for 43.78 ETH, equivalent to approximately $91,000, and bridged to the Ethereum mainnet via address 0xeF3C…aa25. Blockaid also confirmed on X that the attacker continues to actively trade the tokens for ether.


Stake DAO is a DeFi platform specialized in automated yield strategies. The vsdCRV token (short for vote-boosted sdCRV) is a derivative linked to the Curve Finance ecosystem. Its function within the protocol makes it a sensitive asset for users who deposit liquidity on the platform.
In response, Stake DAO confirmed that it was aware of the incident and urged its users not to interact with vsdCRV until further notice, as the organization posted on its X account.
One more link in the worst streak of DeFi hacks of the year
According to the monthly report of the security firm CDSecurity, April recorded more than 30 incidents in DeFi protocols with losses close to 635 million dollars, a figure that represented 78% of the total stolen in the cryptocurrency ecosystem so far in 2026, as reported by CriptoNoticias. The Stake DAO exploit comes just four weeks after that peak, and extends a streak that already exceeds $600 million since that date, led by the Kelp DAO vulnerability, which amounted to $292 million.
Although details of the hack and how it operated have not been given, the current trend raises questions about the use of AI. In this context, Charles Guillemet, chief technology officer at Ledger, warned that artificial intelligence is reducing the cost and time needed to develop exploits. The day before the Stake DAO incident, Manuel Aráoz, founder of OpenZeppelin, a reference firm in smart contract audits, stated that he considers “the entire DeFi ecosystem insecure”, citing the growing asymmetry between attackers and defenders.
According to Guillemet, asking a language model to analyze security differences between two versions of a program and generate an exploit is today faster, cheaper and more efficient than any previous method. Aráoz points out that this advantage widens because defenders fail to scale their capabilities at the same pace as offensive tools.
