The Stake DAO exploit on Wednesday compromised the protocol’s Arbitrum deployer key. An attacker minted roughly 5.4 trillion fake Vote-Boosted sdCRV (vsdCRV) tokens before swapping them for ether through a public router.
The breach bypassed every smart-contract control in place. A single private key with privileged rights has driven hundreds of millions in DeFi losses this year.
How the Stake DAO exploit happened
On-chain alerts from Blockaid traced the breach to a Stake DAO deployer wallet. The attacker used the key to reset the LayerZero v2 bridge peer for vsdCRV.
Roughly 25 seconds later, a forged cross-chain message minted 5.4 trillion vsdCRV on Arbitrum.
The attacker dumped the tokens for ether through MetaMask’s public router. No smart-contract flaw was found.
Notably, a recent LayerZero exploit on KelpDAO occured through similar peer-configuration abuse.
A Familiar Pattern of Key Compromises
The Stake DAO exploit follows the same template as April’s Wasabi Protocol drain. A compromised deployer wallet pulled around $4.5 million from vaults on four chains.
Drift Protocol lost $285 million on Solana that same month. Arbitrum’s KelpDAO freeze followed a $292 million bridge exploit weeks later.
Each protocol had passed audits. The failure sat above the code, in the keys that set bridge peers or upgrade implementations. Resolv’s $80 million mint earlier this year fit the same mold
“The question DeFi has to answer in 2026 is no longer whether protocols get audited, because almost all of them do. It is whether the small set of operational keys behind those audited contracts… are still allowed to live as a single object on a single laptop,” Sodot co-founder Shalev Keren told BeInCrypto, adding that audits no longer answer the central question.
For Stake DAO and its peers, multisig wallet protections need to sit between deployer keys and forged mints. Otherwise, the next DeFi platform compromise will trace back to a single laptop, not bad code.
