DeFi blows up again! StakeDAO deployer private key leaked; attacker is minting 5.4 trillion vsdCRV on Arbitrum out of thin air and swapping it for ETH

Blockchain security company Blockaid detected that Stake DAO on Arbitrum is under attack: the attacker used a leaked deployer private key to mint over 5.4 trillion vsdCRV (Vote Boosted sdCRV) tokens out of thin air through the LayerZero v2 OFT cross-chain token standard, and is currently swapping them for ETH. Blockaid indicated that the suspected root cause is the private key leak, and that the attack is ongoing.
(Background: OpenZeppelin co-founder called for all DeFi to be abandoned: AI has disrupted the balance of attack and defense, even blue-chip Aave is unsafe)
(Additional background: Kelp DAO announced full recovery of rsETH, five weeks after 293 million dollars was stolen by North Korean hackers)

Key Summary

  • StakeDAO deployer private key compromised; attacker minted over 5.4 trillion vsdCRV on Arbitrum and swapped it for ETH
  • Attack method: using the leaked key to call setPeer on the LayerZero v2 OFT contract and repoint its cross-chain peer from the legitimate Ethereum adapter to an attacker-controlled contract

Blockchain security company Blockaid issued an alert, detecting that DeFi yield protocol Stake DAO on Arbitrum is under ongoing attack. The attacker minted over 5.4 trillion vsdCRV (Vote Boosted sdCRV) tokens and is in the process of exchanging them for ETH.

Blockaid determined that the root cause was the leak of the StakeDAO deployer private key (0x000755F…1ff62). That address owns the vsdCRV OFT contract on Arbitrum, and in LayerZero v2 the OApp function setPeer is restricted to the owner. With the key in hand, the attacker called setPeer to overwrite the peer recorded for the Ethereum mainnet endpoint, replacing the legitimate vsdCRVOFTAdapter with a contract the attacker had deployed. From that point the Arbitrum OFT treated any cross-chain message from the attacker's contract as a genuine transfer from the Ethereum side: the attacker sent such messages and the OFT minted vsdCRV on Arbitrum without any sdCRV being locked in the adapter, creating the supply out of thin air, which the attacker then began selling for ETH.
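The trust redirection described above, modelled as an added Python example. This is not StakeDAO or LayerZero code: it is a toy of the OApp peer check (peers keyed by source endpoint ID, setPeer restricted to the owner, delivery accepted only when the sender matches the stored peer). The contract addresses are constructed placeholders, the endpoint IDs 30101 and 30110 are assumed to be the published LayerZero v2 values for Ethereum and Arbitrum, and audit_peers is a hypothetical monitoring check, not a LayerZero API.

```python
# Toy model of the LayerZero v2 OApp peer check the StakeDAO attacker subverted.
# Added illustration, not StakeDAO or LayerZero code. Addresses below are
# constructed placeholders; endpoint IDs are assumed LayerZero v2 values.

EID_ETHEREUM = 30101  # assumed LayerZero v2 endpoint ID for Ethereum mainnet
EID_ARBITRUM = 30110  # assumed LayerZero v2 endpoint ID for Arbitrum One

# Constructed placeholder addresses (not the real contracts).
DEPLOYER = "0x" + "11" * 20           # owner of the Arbitrum vsdCRV OFT
LEGIT_ADAPTER = "0x" + "22" * 20      # stand-in for vsdCRVOFTAdapter on Ethereum
ATTACKER_CONTRACT = "0x" + "33" * 20  # attacker-deployed contract on Ethereum
ATTACKER_EOA = "0x" + "44" * 20       # attacker's receiving account on Arbitrum

ONE_TOKEN = 10 ** 18
MINTED = 5_400_000_000_000 * ONE_TOKEN  # 5.4 trillion vsdCRV, 18 decimals


def addr_to_bytes32(addr: str) -> bytes:
    """OApp stores peers as bytes32: the 20-byte address left-padded with zeros."""
    raw = bytes.fromhex(addr[2:])
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


class OnlyOwner(Exception):
    pass


class UntrustedPeer(Exception):
    pass


class ToyOFT:
    """Minimal stand-in for a LayerZero v2 OFT on the mint/burn (Arbitrum) side."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.peers: dict[int, bytes] = {}      # srcEid -> trusted sender (bytes32)
        self.balances: dict[str, int] = {}
        self.total_supply = 0

    def set_peer(self, caller: str, eid: int, peer: str) -> None:
        """onlyOwner in OApp: whoever holds the owner key controls the trust map."""
        if caller != self.owner:
            raise OnlyOwner(f"{caller} is not the owner")
        self.peers[eid] = addr_to_bytes32(peer)

    def lz_receive(self, src_eid: int, sender: str, to: str, amount: int) -> int:
        """Delivery path: accept only when (srcEid, sender) matches the stored
        peer, then credit (mint) the amount carried by the message."""
        if self.peers.get(src_eid) != addr_to_bytes32(sender):
            raise UntrustedPeer(f"eid {src_eid} sender {sender} is not a peer")
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount
        return amount


def audit_peers(oft: ToyOFT, expected: dict[int, str]) -> list[tuple[int, str, str]]:
    """Hypothetical monitoring check: compare the contract's peers with an
    off-chain allowlist and return (eid, expected, actual) for every drift."""
    drift = []
    for eid, addr in expected.items():
        actual = oft.peers.get(eid, b"\x00" * 32)
        if actual != addr_to_bytes32(addr):
            drift.append((eid, addr, "0x" + actual[12:].hex()))
    return drift


def replay_attack() -> dict:
    """Walk through the trust redirection and report what each step yields."""
    oft = ToyOFT(owner=DEPLOYER)
    oft.set_peer(DEPLOYER, EID_ETHEREUM, LEGIT_ADAPTER)  # legitimate wiring
    expected = {EID_ETHEREUM: LEGIT_ADAPTER}

    # 1. Without the owner key, setPeer itself is refused.
    non_owner_rejected = False
    try:
        oft.set_peer(ATTACKER_EOA, EID_ETHEREUM, ATTACKER_CONTRACT)
    except OnlyOwner:
        non_owner_rejected = True

    # 2. Before the peer change, a message from the attacker's contract is rejected.
    rejected_before = False
    try:
        oft.lz_receive(EID_ETHEREUM, ATTACKER_CONTRACT, ATTACKER_EOA, MINTED)
    except UntrustedPeer:
        rejected_before = True

    # 3. With the leaked deployer key the attacker repoints the Ethereum peer.
    oft.set_peer(DEPLOYER, EID_ETHEREUM, ATTACKER_CONTRACT)
    drift = audit_peers(oft, expected)  # a peer monitor would fire here

    # 4. The same message is now trusted and mints with nothing locked on Ethereum.
    minted = oft.lz_receive(EID_ETHEREUM, ATTACKER_CONTRACT, ATTACKER_EOA, MINTED)

    return {
        "non_owner_rejected": non_owner_rejected,
        "rejected_before": rejected_before,
        "peer_drift": drift,
        "minted": minted,
        "attacker_balance": oft.balances[ATTACKER_EOA],
    }


if __name__ == "__main__":
    print(replay_attack())
```

The point of the model is that the peer map is the entire cross-chain trust boundary: nothing in the receive path asks whether tokens were actually locked on the source chain, so an owner key that can rewrite the map can mint unbacked supply. A peer-drift check like audit_peers, run against the on-chain peers whenever a PeerSet event appears, is the kind of alert that would have fired at step 3, before the first mint.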

Another LayerZero-related cross-chain incident

This is not the first time this year that LayerZero's cross-chain architecture has been part of an attack path. In April, Kelp DAO was hit by North Korean hackers who stole 293 million USD by exploiting weaknesses in its LayerZero cross-chain verification setup. The difference is where the trust broke: at Kelp DAO the single verifier it relied on in its DVN (Decentralized Verifier Network) configuration was compromised, whereas at StakeDAO the owner private key itself was leaked, which let the attacker rewrite the contract's trust settings directly.

StakeDAO's vsdCRV is a governance token in the Curve ecosystem that lets sdCRV holders boost their voting power through delegated veSDT. The attack is still ongoing; the headline 5.4 trillion figure is nominal supply, and the realised loss depends on how much ETH the attacker can drain from liquidity pools before they run dry.

Blockaid urges all users to suspend all StakeDAO-related operations.

Today, OpenZeppelin co-founder Manuel Araoz publicly stated, “All DeFi is unsafe,” and the private key leak of StakeDAO’s deployer further confirms his judgment.

Frequently Asked Questions

What is the method of this StakeDAO attack?

After obtaining the StakeDAO deployer's private key, the attacker used its owner permission to call setPeer on the LayerZero v2 OFT contract and redirect trust from the legitimate Ethereum contract to a malicious one. Messages from that malicious contract were then accepted as genuine cross-chain transfers, minting over 5.4 trillion vsdCRV on Arbitrum out of thin air, which the attacker swapped for ETH.

What is vsdCRV?

vsdCRV is Stake DAO's "Vote Boosted sdCRV" token, part of the governance system around the Curve ecosystem. Holders can delegate veSDT to increase their voting weight in Curve-related liquidity-incentive votes. The tokens minted in the attack were the Arbitrum cross-chain representation of vsdCRV (the LayerZero OFT), not the Ethereum-side token held by the adapter.
