Longtime DeFi platform Stake DAO has become the latest victim in an increasingly worrying run of DeFi hacks.
In what appears to be a private key compromise, an attacker was able to mint 5.4 trillion of the project’s vsdCRV tokens on the Arbitrum network.
Blockchain monitoring firm Blockaid explains that an attacker used the compromised deployer to reconfigure the token’s LayerZero OFT contract to grant minting authority to an “attacker-deployed malicious contract.”
The hacker swapped a portion of the tokens, a yield-bearing, wrapped version of Curve Finance’s CRV, for a total of 44 ETH. After presumably depleting on-chain liquidity, the attacker then bridged the approximately $91,000 of total profit back to Ethereum.
The project posted to X that it is “aware of the ongoing situation,” urging users not to interact with csdCRV. Additionally, Curve Finance advised its users to exit LlamaLend positions involving asdCRV to avoid the risk of liquidation.
Launched in 2021, Stake DAO has weathered DeFi’s stormy seas for over five years. But this isn’t the first time it has faced trouble.
On March 12 this year, the platform’s Votemarket rewards program was attacked via a “peripheral oracle update mechanism.” Most of the $175,000 stolen on Arbitrum and Base was later returned.
Crisis of confidence in DeFi security
Today’s Stake DAO hack comes amidst a heated, ongoing debate over DeFi security in the age of AI.
Hours before the hack, Manuel Aráoz, co-founder of OpenZeppelin, posted to X that he considers all of DeFi “unsafe.”
OpenZeppelin, founded in 2015, provides secure standards for smart contracts for use in DeFi applications and audit services for projects. But Aráoz believes that “superhuman” coding agents put even “low-risk ‘blue chips’ like Aave, MakerDAO & Compound” at risk.
However, former Aave delegate Marc Zeller calls Aráoz’ post “moronic.” He argues that the majority of DeFi losses are down to “bad parameter configuration, collateral blow up and poor opsec,” rather than smart contract exploits.
Pseudonymous Yearn developer banteg agrees that DeFi’s asymmetric security landscape means “one small mistake is enough to kill you.” However, they also agree that recent hacks are dominated by “privileged role or key compromises or configuration errors.”