Stake DAO exploit shows why “auditable” doesn’t mean safe in DeFi



Wednesday’s Stake DAO exploit stemmed from the compromise of the protocol’s Arbitrum publishing key. With it, an attacker minted approximately 5.4 trillion fake vote-enhancing sdCRV (vsdCRV) tokens and swapped them for ether through a public router.

The breach bypassed every smart contract control in place. Single private keys holding privileged rights have accounted for hundreds of millions of dollars in DeFi losses this year.

How the Stake DAO Exploit Happened

Cross-chain alerts from Blockaid traced the hack to the Stake DAO publishing wallet. The attacker used the key to reset vsdCRV’s LayerZero v2 bridge peer, so the contract would accept messages from an endpoint the attacker controlled.

About 25 seconds later, a forged cross-chain message minted 5.4 trillion vsdCRV on Arbitrum.

The attacker then dumped the tokens for ether through MetaMask’s public router. No defect was found in the smart contract itself.
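The sequence described above (a privileged key resets the bridge peer, then a forged message mints through the new peer within seconds) is exactly what cross-chain monitoring can key on. The script below is an added example, not code from BeInCrypto, Stake DAO, Blockaid or LayerZero; the event names and fields, addresses, endpoint ids, timestamps and amounts are constructed assumptions rather than data from the incident. It generalizes the single case in the text to any chain and contract: a mint is flagged when it lands within a short window of a peer change on the same contract and claims that freshly set peer as its source.

```python
# Added example (not code from BeInCrypto, Stake DAO, Blockaid or LayerZero):
# flag a bridge peer reset that is followed within seconds by a large mint
# whose cross-chain origin is the freshly set peer. Event names, fields,
# addresses, endpoint ids, amounts and timestamps below are all constructed
# for illustration and are assumptions, not data from the incident.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts: int            # block timestamp, unix seconds
    chain: str         # chain the event was observed on
    contract: str      # emitting contract
    name: str          # "PeerSet" or "Mint" (assumed event names)
    args: dict = field(default_factory=dict)


def find_peer_reset_mints(events, window_s=60, min_amount=10**24):
    """Return one alert per Mint that (a) lands on a contract whose peer for
    the mint's source endpoint was changed within the last window_s seconds,
    (b) names that new peer as its sender, and (c) is at least min_amount in
    raw token units (default: one million tokens at 18 decimals)."""
    alerts = []
    # (chain, contract, endpoint id) -> most recent PeerSet for that endpoint
    recent_peer = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.name == "PeerSet":
            recent_peer[(e.chain, e.contract, e.args["eid"])] = e
        elif e.name == "Mint":
            ps = recent_peer.get((e.chain, e.contract, e.args["src_eid"]))
            if ps is None:
                continue  # no recent peer change for this source endpoint
            delay = e.ts - ps.ts
            if (delay <= window_s
                    and e.args["sender"] == ps.args["peer"]
                    and e.args["amount"] >= min_amount):
                alerts.append({
                    "chain": e.chain,
                    "contract": e.contract,
                    "peer_set_by": ps.args["by"],
                    "new_peer": ps.args["peer"],
                    "delay_s": delay,
                    "amount": e.args["amount"],
                })
    return alerts


# Constructed sample stream: one legitimate peer rotation followed two days
# later by a routine mint (no alert), then a rotation followed 25 s later by a
# mint of 5.4 trillion tokens (18 decimals) from the new peer (alert).
ONE_TOKEN = 10**18
SAMPLE_EVENTS = [
    Event(1_700_000_000, "arbitrum", "0xOFT", "PeerSet",
          {"eid": 30101, "peer": "0xPeerOld", "by": "0xDeployerKey"}),
    Event(1_700_172_800, "arbitrum", "0xOFT", "Mint",
          {"src_eid": 30101, "sender": "0xPeerOld", "amount": 500 * ONE_TOKEN}),
    Event(1_700_300_000, "arbitrum", "0xOFT", "PeerSet",
          {"eid": 30101, "peer": "0xAttackerPeer", "by": "0xDeployerKey"}),
    Event(1_700_300_025, "arbitrum", "0xOFT", "Mint",
          {"src_eid": 30101, "sender": "0xAttackerPeer",
           "amount": 5_400_000_000_000 * ONE_TOKEN}),
]

if __name__ == "__main__":
    for a in find_peer_reset_mints(SAMPLE_EVENTS):
        print(f"ALERT {a['chain']}/{a['contract']}: peer reset by "
              f"{a['peer_set_by']} to {a['new_peer']}, "
              f"{a['amount'] // ONE_TOKEN:,} tokens minted {a['delay_s']}s later")
```

The window and threshold are deliberately conservative: a legitimate peer rotation is normally followed by a change-management pause, not by a nine-figure mint within half a minute, so the rule trades a rare false positive for catching the pattern in time to pause the bridge.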

It is worth noting that LayerZero’s recent KelpDAO exploit went through a similar abuse of peering.

A familiar pattern of key compromises

The Stake DAO exploit follows the same template as the Wasabi Protocol drain in April, where the publisher’s compromised wallet pulled about $4.5 million from vaults on four chains.

Drift Protocol lost $285 million on Solana in the same month. KelpDAO’s $292 million bridge exploit on Arbitrum followed weeks later.

Each of these protocols had passed audits. The failure sat above the code, in the switches that define bridge peers or upgrade implementations. Resolv’s $80 million incident earlier this year fit the same mold.

“The question DeFi must answer in 2026 is no longer whether protocols will be audited, because almost all of them are. Rather, it is whether the small set of operational keys behind those audited contracts… are still allowed to live as a single object on a single laptop,” Shalev Keren, co-founder of Sodot, told BeInCrypto, adding that audits no longer answer the central question.

For Stake DAO and its peers, multisig protection needed to sit between the publishing key and the ability to repoint the bridge and mint. Otherwise, the next DeFi platform drain will trace back to one laptop, not to bad code.

This post, “Stake DAO exploit shows why ‘auditable’ doesn’t mean safe in DeFi”, appeared first on BeInCrypto.