A compromised private key let an attacker forge a cross-chain message on Arbitrum, triggering cascading warnings across Curve Finance and Beefy Finance.
A hacker compromised StakeDAO’s deployer private key on Wednesday, minting 5.4 trillion vsdCRV tokens on Arbitrum and swapping a portion for roughly $91,000 worth of ETH, an attack that rippled into Curve Finance’s lending market and forced yield optimizer Beefy Finance to pause an affected vault.
StakeDAO, a DeFi protocol with $131 million in total value locked that allows users to earn boosted yields on Curve Finance liquidity pools through locked CRV positions, warned users to stop interacting with vsdCRV immediately following the incident. The protocol has not disclosed the total value of assets at risk or a timeline for remediation.
StakeDAO’s SDT governance token fell approximately 6.6% in the 24 hours surrounding the incident, according to CoinMarketCap data, with trading volume in SDT spiking more than 400%, per CoinGecko.

Attack Mechanics
According to web3 security firm Blockaid, which first flagged the attack, the attacker used a stolen key to tamper with StakeDAO’s vsdCRV token contract, which relies on LayerZero to validate mint instructions. By replacing the legitimate authorized address with one they controlled, the attacker could issue their own mint commands.
With that swap in place, the attacker sent a forged instruction that minted 5,446,744,073,709 vsdCRV on Arbitrum, tokens backed by nothing.
Blockchain security firm PeckShield reported the exploiter converted part of those tokens into 43.78 ETH, worth approximately $91,170 at the time of the exploit, and bridged the proceeds to Ethereum address 0xeF3C…aa25.

Same LayerZero Playbook
The attack follows a pattern that’s become common in recent months: attackers abusing LayerZero’s Omnichain Fungible Token (OFT) cross-chain token standard by manipulating peer configurations to forge mint events on destination chains.
In April, a similar architectural weakness in Kelp DAO’s LayerZero bridge allowed attackers to drain $290 million in rsETH. In that case, LayerZero later acknowledged it had made a mistake in its verifier configuration.
In the StakeDAO case, Blockaid said the suspected root cause was a compromised private key rather than a verifier configuration flaw, but the exploit path was the same: forging a trusted cross-chain message and triggering an unbacked mint.
The LayerZero OFT standard allows tokens to move across blockchains by burning on one chain and minting on another. The system relies on peer configurations — trusted addresses registered on each chain — to validate whether a mint instruction is legitimate. If a deployer key controlling those configurations is compromised, an attacker can silently swap in a malicious peer and instruct it to authorize an unlimited mint.
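A defender-side check for the peer swap described above, as an added example that is not code from StakeDAO, LayerZero or Blockaid: it decodes PeerSet events emitted by an OFT contract and flags any peer that deviates from a pinned baseline. It assumes the LayerZero V2 OApp event layout `PeerSet(uint32 eid, bytes32 peer)` with both fields in the log data; every address, transaction label and endpoint id below is constructed.

```python
# Added example (not StakeDAO or LayerZero code). Assumes logs are pre-filtered to
# PeerSet(uint32 eid, bytes32 peer), with both fields ABI-encoded in `data`.

def addr_to_bytes32(addr):
    """Left-pad a 20-byte EVM address to the bytes32 form peers are stored in."""
    return "0x" + addr.lower().removeprefix("0x").rjust(64, "0")

def decode_peer_set(data_hex):
    """Split the 64-byte event data into (endpoint id, peer as bytes32 hex)."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    if len(raw) != 64:
        raise ValueError("PeerSet data must be exactly two 32-byte words")
    eid = int.from_bytes(raw[:32], "big")
    if eid >= 2**32:
        raise ValueError("endpoint id does not fit uint32")
    return eid, "0x" + raw[32:].hex()

def audit_peer_changes(logs, baseline):
    """Return one finding per PeerSet log that deviates from the pinned baseline."""
    # The transaction sender is deliberately ignored: with a stolen owner key the
    # change is validly signed, so only the resulting peer value is compared.
    findings = []
    for log in logs:
        eid, peer = decode_peer_set(log["data"])
        expected = baseline.get(eid)
        if expected is None:
            reason = "peer set for endpoint id outside baseline"
        elif peer != expected:
            reason = "peer differs from pinned value"
        else:
            continue
        findings.append({"tx": log["tx"], "eid": eid, "peer": peer, "reason": reason})
    return findings

def encode_peer_set(eid, peer):
    """Build event data for the constructed samples (inverse of decode_peer_set)."""
    return "0x" + eid.to_bytes(32, "big").hex() + peer[2:]

# Constructed sample data: addresses, tx labels and endpoint ids are illustrative.
GOOD_PEER = addr_to_bytes32("0x" + "11" * 20)
ROGUE_PEER = addr_to_bytes32("0x" + "ee" * 20)
BASELINE = {30101: GOOD_PEER}
SAMPLE_LOGS = [
    {"tx": "tx-a", "data": encode_peer_set(30101, GOOD_PEER)},   # matches baseline
    {"tx": "tx-b", "data": encode_peer_set(30101, ROGUE_PEER)},  # peer swapped
    {"tx": "tx-c", "data": encode_peer_set(40999, ROGUE_PEER)},  # unreviewed route
]
if __name__ == "__main__":
    print(audit_peer_changes(SAMPLE_LOGS, BASELINE))
```

Run against each new block's logs, a finding here is the signal to pause bridging before a mint message from the new peer is delivered.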

Curve and Beefy
The fallout extended beyond StakeDAO. Curve Finance warned users with deposits or loans in the asdCRV LlamaLend market on Arbitrum to exit immediately. While the market itself remained functional, Curve said the vsdCRV exploit could destabilize its price oracle and trigger unexpected liquidations.
Beefy Finance, a multichain yield optimizer, separately disclosed that its Arbitrum Convex CRV/csdCRV/asdCRV vault was hit. Beefy said it paused the vault and was coordinating with StakeDAO, Curve, and Convex on potential recovery plans.

What Comes Next
The on-chain forensics are documented publicly: Blockaid has published the malicious peer deployment transaction, the cross-chain mint transaction, the setPeer transaction on Arbitrum, and the mint transaction on Arbitrum. StakeDAO has not confirmed whether the compromised deployer key has been rotated or when affected contracts will be redeployed.
April was already DeFi’s worst month on record for exploits, with $635 million stolen across 28 incidents. The StakeDAO hack adds to a growing string of attacks targeting cross-chain infrastructure in 2026.