Invezz 2026-05-27 12:50:20

Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit

A security incident has affected StakeDAO’s infrastructure on Arbitrum, with researchers identifying abnormal activity tied to its vsdCRV contract. The exploit is linked to a suspected infinite minting vulnerability that may have allowed the creation of an extremely large supply of synthetic staking tokens, reportedly around 5.4 trillion vsdCRV units. Early tracking also suggests that roughly $91,000 in funds were drained during the incident.

The activity was first detected through unusual on-chain behavior involving staking derivatives connected to Curve-based liquidity positions.

https://twitter.com/StakeDAOHQ/status/2059586800255910039?s=20

The irregular token movements did not match expected reward distribution patterns, prompting a closer review of the contract architecture.

Exploit centres on vsdCRV minting and vault logic

The affected system is StakeDAO’s vsdCRV mechanism, a liquid staking derivative tied to Curve Finance positions. In this setup, users deposit CRV or CRV-linked assets and receive vsdCRV tokens representing their share of staking power and rewards.

According to on-chain analysis, the vulnerability appears to stem from the token minting and accounting framework used by the contract deployed on Arbitrum. Researchers believe the flaw may have created an “infinite mint” scenario in which the protocol failed to properly restrict token issuance. This type of vulnerability can emerge when supply calculations depend on manipulable variables such as share balances or reward indexes.

In this case, the attacker is believed to have exploited the weakness to inflate the vsdCRV supply dramatically, with estimates pointing to a minting event involving approximately 5.4 trillion tokens.

https://twitter.com/blockaid_/status/2059580455096123446?s=20

Once the inflated balance was created, it may have been used to extract value from the vault system or distort the protocol’s reward distribution process.

The incident does not appear to be related to a private key compromise or wallet-level attack. Instead, preliminary analysis points to a failure in the smart contract’s internal accounting, where the system may have incorrectly validated minting conditions under specific transaction states.

Funds drained while the exploit remains under monitoring

Alongside the token inflation event, blockchain activity indicates that approximately $91,000 in assets were moved out of affected positions during the exploit window. The outflows suggest the attacker was able to convert the manipulated vsdCRV balance into transferable value before the anomaly was contained.

The exploit was identified while activity was still ongoing, with researchers continuing to monitor contract interactions in real time. The incident remains under investigation as analysts work to determine the full scope of exposure.

The activity has been concentrated on Arbitrum, where StakeDAO’s deployment interacts with Curve-related liquidity infrastructure. The combination of staking derivatives and automated reward systems has complicated efforts to immediately isolate the full impact, particularly while transactions continue propagating through DeFi liquidity pools.

Preliminary findings point to accounting failure

Preliminary findings suggest the core issue lies in how the contract calculates minting rights for vsdCRV. In systems like this, minting is typically tied to a ratio between deposited assets and issued shares. If that ratio can be manipulated through edge-case interactions or misconfigured state updates, it can create an opening for disproportionate token issuance.

Once the attacker triggered the flaw, the contract appears to have accepted an invalid state transition that enabled excessive token creation. The inflated balance then disrupted the internal accounting framework used by the vault system.

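
The share-ratio rule described above can be checked off-chain as a mint invariant: no mint may issue more shares than the deposited assets justify at the pre-deposit ratio. The monitor below is an added example, not code from the article or from StakeDAO; the event fields, the 1:1 first-deposit price, the rounding tolerance and the sample events are assumptions constructed for illustration.

```python
"""Off-chain invariant monitor for a share-based vault (illustrative model).

Assumptions (not from the article or StakeDAO's code): the event fields,
1:1 pricing for the first deposit, and the one-unit rounding tolerance.
"""
from dataclasses import dataclass


@dataclass
class MintEvent:
    tx: str             # constructed transaction label
    assets_in: int      # underlying tokens actually received by the vault
    shares_minted: int  # derivative tokens issued to the depositor


def max_fair_shares(assets_in, total_assets, total_shares):
    """Upper bound on shares a deposit may mint at the pre-deposit ratio."""
    if assets_in == 0:
        return 0  # nothing deposited, nothing may be minted
    if total_shares == 0 or total_assets == 0:
        return assets_in  # assumed 1:1 bootstrap price
    # Integer math as on-chain; +1 tolerates a single unit of rounding.
    return assets_in * total_shares // total_assets + 1


def audit_mints(events, total_assets=0, total_shares=0):
    """Replay mints in order; return (violations, final_assets, final_shares)."""
    violations = []
    for ev in events:
        bound = max_fair_shares(ev.assets_in, total_assets, total_shares)
        if ev.shares_minted > bound:
            violations.append({"tx": ev.tx, "minted": ev.shares_minted,
                               "max_fair": bound,
                               "excess": ev.shares_minted - bound})
        # Track the reported state even when it is inconsistent, so later
        # events are judged against what the contract actually holds.
        total_assets += ev.assets_in
        total_shares += ev.shares_minted
    return violations, total_assets, total_shares


# Constructed sample events; values are made up for illustration.
SAMPLE_EVENTS = [
    MintEvent("tx-a", assets_in=1_000, shares_minted=1_000),
    MintEvent("tx-b", assets_in=500, shares_minted=500),
    MintEvent("tx-c", assets_in=0, shares_minted=5_400_000),  # unbacked mint
    MintEvent("tx-d", assets_in=300, shares_minted=300),
]
```

The same bound can be enforced inside a contract as a post-condition on every mint path, which is the strict invariant enforcement that share-based accounting depends on.
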
This type of exploit is commonly associated with DeFi protocols that rely heavily on share-based accounting models without strict invariant enforcement. When those safeguards fail, the system can incorrectly treat artificially created tokens as legitimate staking power.

The post Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit appeared first on Invezz
