Stake DAO Hack Exposes DeFi's Single-Key Security Weakness

Stake DAO suffered an exploit on Wednesday after its Arbitrum deployer key was compromised, allowing an attacker to mint about 5.4 trillion counterfeit VoteBoosted sdCRV (vsdCRV) tokens and swap them into ether via a public router. The incident effectively sidestepped all on-chain controls, underscoring how a single privileged private key continues to drive DeFi losses that have reached the hundreds of millions this year.

On-chain monitoring firm Blockaid said its alerts traced the breach to a Stake DAO deployer wallet. Using the stolen key, the attacker reset the LayerZero v2 bridge peer for vsdCRV. About 25 seconds later, a forged cross-chain message triggered the minting of 5.4 trillion vsdCRV on Arbitrum. The attacker then sold the tokens for ETH through MetaMask's public router. Investigators did not identify a smart contract vulnerability. The mechanism mirrors a recent LayerZero-related incident involving KelpDAO, where peer configuration was similarly abused.

The event also fits a broader pattern of key-compromise incidents. In April, Wasabi Protocol was drained after a deployer wallet was compromised, with roughly $4.5 million pulled from vaults across four chains. That same month, Drift Protocol suffered losses of $285 million on Solana. Weeks afterward, Arbitrum's KelpDAO froze activity following a $292 million bridge exploit. In each case, the protocols had passed audits; the weak point was operational control of the keys that can set bridge peers or upgrade implementations. Resolv's $80 million unauthorized mint earlier this year followed the same playbook.

"The question DeFi has to answer in 2026 is no longer whether protocols get audited, because almost all of them do. It is whether the small set of operational keys behind those audited contracts... are still allowed to live as a single object on a single laptop," Sodot cofounder Shalev Keren told BeInCrypto, arguing that audits no longer address the core risk.
For Stake DAO and similar projects, the takeaway is structural: multisig safeguards need to sit between deployer keys and any pathway that can enable forged mints. Otherwise, the next major DeFi compromise is likely to trace back to a single laptop, not faulty code.
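As an added illustration (not code from Stake DAO, Blockaid or LayerZero), here is a monitoring rule for the sequence described above: a bridge peer update submitted outside the expected signer set, followed within a short window by an outsized mint of the same token. The event fields, thresholds and addresses are constructed placeholders, not a real indexer schema.

```python
"""Detection sketch: flag a bridge peer reconfiguration that is followed
shortly afterwards by an unusually large cross-chain mint. Event records
and field names below are constructed for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # block timestamp, seconds
    kind: str        # "peer_set" or "mint"
    token: str       # token contract label
    actor: str       # tx sender for peer_set, recipient for mint
    amount: int = 0  # minted amount in base units (mint only)


# Constructed sample stream: a governed peer update with a normal mint
# later, then the suspicious pattern (peer reset, huge mint 25 s after).
SAMPLE_EVENTS = [
    Event(1_000, "peer_set", "vsdCRV", "0xMULTISIG"),
    Event(4_600, "mint", "vsdCRV", "0xUSER", 1_000 * 10**18),
    Event(9_000, "peer_set", "vsdCRV", "0xDEPLOYER_EOA"),
    Event(9_025, "mint", "vsdCRV", "0xRECIPIENT", 5_400_000_000_000 * 10**18),
]


def find_peer_then_mint(events, window_s=300, max_mint=10**6 * 10**18,
                        trusted_setters=frozenset({"0xMULTISIG"})):
    """Return one alert per mint that (a) follows a peer_set on the same
    token by at most window_s seconds, (b) where that peer_set did not come
    from a trusted signer, and (c) exceeds max_mint base units."""
    alerts = []
    last_peer_set = {}  # token -> most recent peer_set event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "peer_set":
            last_peer_set[ev.token] = ev
        elif ev.kind == "mint":
            prior = last_peer_set.get(ev.token)
            if prior is None:
                continue
            untrusted = prior.actor not in trusted_setters
            soon = ev.ts - prior.ts <= window_s
            if untrusted and soon and ev.amount > max_mint:
                alerts.append({"token": ev.token, "peer_set_by": prior.actor,
                               "delay_s": ev.ts - prior.ts, "amount": ev.amount})
    return alerts


if __name__ == "__main__":
    for alert in find_peer_then_mint(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The trusted signer set is where a multisig or timelock address would go; a peer change from any other key is the signal worth paging on, whether or not a mint follows.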