What happened in the StakeDAO exploit?

StakeDAO suffered an exploit that allowed an attacker to mint about 5.4 trillion vsdCRV tokens. Despite the enormous token supply created, the exploiter only extracted roughly $91,000 because liquidity in the token market was extremely limited.

Why couldn’t the attacker cash out the full value of the minted tokens?

Most of the 5.4 trillion vsdCRV tokens had little or no market liquidity available for selling. In decentralised finance, attackers can sometimes mint massive token amounts on paper, but actual profits depend on how much liquidity exists in trading pools.

How much money did the attacker actually steal?

Blockchain security firm PeckShield said the attacker swapped some tokens for about 43.7 Ether worth around $91,000 before bridging the funds to Ethereum.

Was the exploit caused by a smart contract bug?

No, analysts said the exploit was not caused by a flaw in the smart contracts or the LayerZero protocol. Instead, the incident reportedly stemmed from a compromised deployer key controlling critical bridge configuration functions.

What is a deployer key in DeFi?

A deployer key is a privileged administrative key used to manage or update smart contract systems. If compromised, attackers can sometimes redirect configurations, mint tokens or gain control over protocol infrastructure.

Why are deployer-key exploits dangerous?

Single privileged keys can become central points of failure in decentralised finance systems. Without safeguards such as multi-signature approvals or time delays, attackers may quickly execute unauthorised changes if a key is compromised.

What role did LayerZero play in the exploit?

According to security researchers, LayerZero itself was not vulnerable. The attacker allegedly used a compromised key to redirect StakeDAO’s cross-chain bridge settings to a malicious contract.

Why was the exploit’s theoretical value so large?

Onchain analyst EmberCN estimated the minted tokens briefly represented about $763 billion in theoretical value based on token pricing. However, that figure did not reflect real extractable market value because the liquidity pools were too small.

Image for illustrative purposes only. Not a real photo.

StakeDAO exploit mints trillions but nets $91K

Written by Heidi Cuthbert Published May 28, 2026, 4:13 AM

StakeDAO suffered an exploit that allowed an attacker to mint roughly 5.4 trillion vsdCRV tokens, though the exploiter only managed to extract about $91,000 worth of crypto.

Blockchain security firm PeckShield said the attacker swapped part of the minted tokens for 43.7 Ether before bridging the funds to Ethereum.

Onchain analyst EmberCN estimated the tokens briefly represented a theoretical value of about $763 billion, though most of the minted supply could not be sold because liquidity in vsdCRV markets was extremely limited.

The exploit reportedly occurred after a compromised deployer key was used to redirect StakeDAO’s cross-chain bridge configuration on Arbitrum to an attacker-controlled contract on Ethereum.

“There is no smart contract bug here and no flaw in LayerZero,”

Said Shalev Keren, who added that the exploit stemmed from a single privileged key controlling critical bridge configuration functions.

Keren said the attack closely resembled recent deployer-key compromises affecting decentralised finance protocols, including the Wasabi exploit that resulted in roughly $5.5 million in losses earlier this year.

The incident has renewed concerns across the DeFi sector over operational security and centralised key management as protocols continue relying on privileged access systems without multi-signature controls or time delays.

At the time of reporting, Ethereum price was $1,978.47.