Audit log
Every state-changing event for StakeDAO: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-30 17:25:57Z. Score: ? → ? (no score change). Anchor: anchored
  - chain: mainnet-beta, slot 429,922,523
  - sig: 2fMHcu2MUv2e…2YxJi6Ay
  - hash: 9Rq9Wb1qMZCW…qJLeCtpy (sha256 → base58)

Canonical bytes (20214 B):
{"actor":"system:backfill","investigation_id":"e045ecc6-65b7-40c1-9c52-77ca12ab20a3","kind":"publish","page_slug":"stakedao","published_at":"2026-06-30T17:25:56.924Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"StakeDAO","sections":[{"content":"StakeDAO (token: SDT) is a non-custodial DeFi protocol launched in January 2021 on Ethereum. It operates as a governance aggregator and yield optimizer, offering liquid lockers for governance tokens (particularly Curve's CRV and veCRV), automated yield strategies, and a governance marketplace called Votemarket. The protocol's primary product, sdCRV, allows users to lock CRV and receive a liquid representation while StakeDAO accumulates voting power in the Curve ecosystem — a dynamic that became central to the broader 'Curve Wars' among protocols seeking control over Curve's gauge emissions. StakeDAO also operates vsdCRV (Vote Boosted sdCRV), a cross-chain variant bridged to Arbitrum via LayerZero v2 OFT infrastructure. Additional products include Boosted yield vaults, lending positions on Morpho, and stablecoin strategies. The SDT governance token had its initial airdrop in January 2021, with 36% of supply allocated to initial contributors and investors vested over two years.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":1,"name":"Stake DAO Official Documentation","type":"official","url":"https://docs.stakedao.org/whitepapers"},{"credibility":1,"name":"Stake DAO SDT Token Documentation","type":"official","url":"https://docs.stakedao.org/sdt"},{"credibility":1,"name":"Stake DAO Progress Report Q3 2021","type":"official","url":"https://stakedaohq.medium.com/stake-dao-progress-report-q3-2021-6e16cbb7acee"}]},{"content":"On May 27, 2026, an attacker compromised the StakeDAO deployer private key associated with address 0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62. 
The attacker used this key to execute a setPeer() transaction on the vsdCRV LayerZero v2 OFT (Omnichain Fungible Token) contract on Arbitrum at approximately 09:17:33 UTC. This transaction redirected the contract's cross-chain trust relationship from the legitimate Ethereum-side vsdCRVOFTAdapter to a malicious contract deployed by the attacker on Ethereum. Approximately 25 seconds later, the attacker's malicious Ethereum contract transmitted a forged LayerZero cross-chain message to Arbitrum. Because the OFT peer had been reconfigured to recognize the attacker-controlled contract as a trusted sender, the Arbitrum vsdCRV contract accepted the message and minted 5,446,744,073,709.551615 vsdCRV tokens directly from the zero address into the attacker's wallet. The attacker then executed approximately 28 swap transactions between 09:17 and 09:43 UTC, routing through Curve, KyberSwap, MetaMask Router, and Enso to convert a portion of the minted vsdCRV into ETH. The attacker extracted approximately 43.78 ETH, worth roughly $91,000 at time of exploit. Proceeds were subsequently bridged to Ethereum. The attacker had funded preparation wallets using Tornado Cash and used Relay and Stargate bridges to move assets between chains as part of the attack setup. Security firm Blockaid detected the active exploit and issued a public alert. 
The exploit was confirmed by multiple independent security researchers and covered by The Block, The Defiant, AMBCrypto, and other outlets.","heading":"May 2026 Deployer Key Compromise and vsdCRV Exploit","severity":"critical","sources":[{"credibility":1,"name":"Security researchers flag ongoing Stake DAO exploit after attacker mints trillions of vsdCRV — The Block","type":"news_article","url":"https://www.theblock.co/post/402719/security-researchers-flag-ongoing-stakedao-exploit-vsdcrv"},{"credibility":1,"name":"Hacker Mints 5.4 Trillion Tokens in StakeDAO Exploit, Nets $91K — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/hacker-mints-5-4-trillion-tokens-in-stakedao-exploit-nets-usd91k"},{"credibility":2,"name":"Compromised StakeDAO deployer key allegedly enabled forged LayerZero mint on Arbitrum — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/compromised-stakedao-deployer-key-allegedly-enabled-forged-layerzero-mint-on-arbitrum/"},{"credibility":2,"name":"Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit — Invezz","type":"news_article","url":"https://invezz.com/news/2026/05/27/arbitrum-based-stakedao-contract-hit-by-5-4t-vsdcrv-exploit/"},{"credibility":2,"name":"StakeDAO Hit by Major Exploit on Arbitrum via Compromised Deployer Key — Castle Crypto","type":"news_article","url":"https://castlecrypto.gg/news/stakedao-hit-by-major-exploit-on-arbitrum-via-compromised-deployer-key/"},{"credibility":2,"name":"How Stake DAO Was Exploited: Inside the 5.4 Trillion vsdCRV Minting Attack — Memeburn","type":"news_article","url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"}]},{"content":"Security researchers and commentators have characterized the root cause of the StakeDAO exploit as an operational security failure rather than a smart contract flaw or an infrastructure vulnerability in LayerZero. 
The deployer key at address 0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62 held unilateral authority to modify the LayerZero OFT peer configuration on the vsdCRV contract — a permission that could instantly alter which cross-chain senders the contract trusted to trigger minting events. No multisig approval was required for this configuration change, and no timelock delay existed between a setPeer() transaction and its immediate on-chain effect. Reports allege that the deployer key was operated as a hot key embedded in automated infrastructure, which, if confirmed, would represent a significant departure from industry best practices for admin key management. The entire attack sequence from bridge reconfiguration to final mint took approximately 25 seconds, reflecting the absence of any circuit breaker or emergency pause mechanism in the mint flow. Marc Zeller, a DeFi commentator, was cited noting that recent high-profile failures in the space stem primarily from operational security failures rather than smart contract code issues. 
As of the time of this report, StakeDAO has not published a full post-mortem, and key questions remain open: how exactly the deployer key was compromised, whether it was stored in a hardware wallet or as a hot key, and whether other StakeDAO contracts share a similar key management architecture.","heading":"Operational Security Failure: Deployer Key as Single Point of Failure","severity":"critical","sources":[{"credibility":2,"name":"Compromised StakeDAO deployer key allegedly enabled forged LayerZero mint on Arbitrum — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/compromised-stakedao-deployer-key-allegedly-enabled-forged-layerzero-mint-on-arbitrum/"},{"credibility":2,"name":"How Stake DAO Was Exploited: Inside the 5.4 Trillion vsdCRV Minting Attack — Memeburn","type":"news_article","url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"},{"credibility":2,"name":"Stake DAO Assures Users After vsdCRV Exploit and Bridge Shutdown — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/28/stake-dao-assures-users-after-vsdcrv-exploit-and-bridge-shutdown/"}]},{"content":"The StakeDAO exploit occurred within a broader context of LayerZero-related security incidents in early 2026. In April 2026, KelpDAO suffered an exploit of approximately $292 million attributed to a compromised 1-of-1 Decentralized Verifier Network (DVN) configuration on LayerZero's bridge infrastructure, an attack attributed by LayerZero to North Korea's Lazarus Group. LayerZero subsequently acknowledged it 'made a mistake' by permitting its DVN to act as a 1/1 configuration for high-value transactions. Research cited by MEXC indicated that approximately 47% of LayerZero-powered OApps were operating with the same vulnerable 1/1 DVN configuration. 
In the StakeDAO case, no LayerZero infrastructure flaw was involved — rather, the exploit leveraged the protocol's own privileged admin key to reconfigure bridge trust relationships. However, the incident illustrates a systemic risk in the LayerZero OFT model: any protocol that grants a single externally-owned account (EOA) or hot key the authority to call setPeer() can have its cross-chain trust relationships silently rerouted by any party who obtains that key, enabling arbitrary minting. This architectural property creates a class of risk that persists across any protocol using LayerZero OFT infrastructure with insufficiently protected admin keys.","heading":"LayerZero DVN Configuration as Systemic Risk","severity":"high","sources":[{"credibility":1,"name":"LayerZero says it 'made a mistake' in $292 Million Kelp exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"credibility":2,"name":"Kelp DAO blames LayerZero defaults for $290m rsETH bridge disaster — Crypto.news","type":"news_article","url":"https://crypto.news/kelp-dao-blames-layerzero-defaults-for-290m-rseth-bridge-disaster/"},{"credibility":2,"name":"47% of LayerZero OApps at Risk After $292M Kelp DAO Hack — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1051837"},{"credibility":2,"name":"How Stake DAO Was Exploited: Inside the 5.4 Trillion vsdCRV Minting Attack — Memeburn","type":"news_article","url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"}]},{"content":"Following the exploit, StakeDAO issued a public advisory urging all users to avoid interacting with vsdCRV tokens. The protocol confirmed that contributors quickly secured the vsdCRV backing on Ethereum mainnet before the attacker could seize those funds, preventing a larger loss. 
The vsdCRV bridge between Ethereum and Arbitrum was permanently shut down to contain further cross-chain minting risk. StakeDAO confirmed that its other core products — Boosted yields, Liquid Lockers, Votemarket, and Morpho lending — were unaffected by the exploit. Separately, the Arbitrum asdCRV Llamalend market was announced for sunset, with users directed to exit crvUSD deposits. Curve Finance independently warned users holding positions in asdCRV-related Llamalend markets to exit to avoid liquidation risk. StakeDAO stated that law enforcement and unnamed security partners are involved in the ongoing investigation. As of late June 2026, no full public post-mortem has been published. The total direct financial loss from the exploit was approximately $91,000 — modest relative to the scale of the minting event, primarily because available DEX liquidity for vsdCRV was insufficient to convert the majority of the inflated token supply into other assets.","heading":"StakeDAO Response and Damage Containment","severity":"medium","sources":[{"credibility":2,"name":"Stake DAO Assures Users After vsdCRV Exploit and Bridge Shutdown — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/28/stake-dao-assures-users-after-vsdcrv-exploit-and-bridge-shutdown/"},{"credibility":2,"name":"DeFi exploit hits Stake DAO as attacker swaps vsdCRV for ETH — Crypto.news","type":"news_article","url":"https://crypto.news/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth/"},{"credibility":2,"name":"StakeDAO exploit creates 5.4 trillion vsdCRV but nets only $91K — TradingView/CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:c489f3d8c094b:0-stakedao-exploit-creates-5-4-trillion-vsdcrv-but-nets-only-91k/"}]},{"content":"As of late June 2026, StakeDAO has not published a formal post-mortem detailing how the deployer key was compromised, what infrastructure it was connected to, or what remediation steps have been taken to 
address other contracts under similar key management. This absence of disclosure is a transparency concern for users of the protocol. Key unanswered questions include: whether the deployer key was a hardware-wallet-protected key or a hot key stored in software or automated infrastructure; whether any other StakeDAO contracts currently grant privileged functions to EOAs rather than multisigs; whether a security audit covering key management architecture has been commissioned or planned; and what the timeline for any compensation or remediation for affected vsdCRV holders might be. The protocol's statement that law enforcement is involved does not constitute a substitute for technical disclosure of the root cause and remediation path.","heading":"Outstanding Disclosure and Transparency Concerns","severity":"high","sources":[{"credibility":2,"name":"Stake DAO Assures Users After vsdCRV Exploit and Bridge Shutdown — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/28/stake-dao-assures-users-after-vsdcrv-exploit-and-bridge-shutdown/"},{"credibility":2,"name":"How Stake DAO Was Exploited: Inside the 5.4 Trillion vsdCRV Minting Attack — Memeburn","type":"news_article","url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"}]}],"sources_used":[{"credibility":1,"name":"Security researchers flag ongoing Stake DAO exploit after attacker mints trillions of vsdCRV — The Block","type":"news_article","url":"https://www.theblock.co/post/402719/security-researchers-flag-ongoing-stakedao-exploit-vsdcrv"},{"credibility":1,"name":"Hacker Mints 5.4 Trillion Tokens in StakeDAO Exploit, Nets $91K — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/hacker-mints-5-4-trillion-tokens-in-stakedao-exploit-nets-usd91k"},{"credibility":1,"name":"LayerZero says it 'made a mistake' in $292 Million Kelp exploit — 
CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":2,"name":"Compromised StakeDAO deployer key allegedly enabled forged LayerZero mint on Arbitrum — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/compromised-stakedao-deployer-key-allegedly-enabled-forged-layerzero-mint-on-arbitrum/"},{"credibility":2,"name":"Arbitrum-based StakeDAO contract hit by 5.4T vsdCRV exploit — Invezz","type":"news_article","url":"https://invezz.com/news/2026/05/27/arbitrum-based-stakedao-contract-hit-by-5-4t-vsdcrv-exploit/"},{"credibility":2,"name":"Stake DAO Assures Users After vsdCRV Exploit and Bridge Shutdown — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/28/stake-dao-assures-users-after-vsdcrv-exploit-and-bridge-shutdown/"},{"credibility":2,"name":"How Stake DAO Was Exploited: Inside the 5.4 Trillion vsdCRV Minting Attack — Memeburn","type":"news_article","url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"},{"credibility":2,"name":"StakeDAO Hit by Major Exploit on Arbitrum via Compromised Deployer Key — Castle Crypto","type":"news_article","url":"https://castlecrypto.gg/news/stakedao-hit-by-major-exploit-on-arbitrum-via-compromised-deployer-key/"},{"credibility":2,"name":"DeFi exploit hits Stake DAO as attacker swaps vsdCRV for ETH — Crypto.news","type":"news_article","url":"https://crypto.news/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth/"},{"credibility":2,"name":"StakeDAO exploit creates 5.4 trillion vsdCRV but nets only $91K — 
TradingView/CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:c489f3d8c094b:0-stakedao-exploit-creates-5-4-trillion-vsdcrv-but-nets-only-91k/"},{"credibility":2,"name":"47% of LayerZero OApps at Risk After $292M Kelp DAO Hack — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1051837"},{"credibility":2,"name":"Kelp DAO blames LayerZero defaults for $290m rsETH bridge disaster — Crypto.news","type":"news_article","url":"https://crypto.news/kelp-dao-blames-layerzero-defaults-for-290m-rseth-bridge-disaster/"},{"credibility":1,"name":"Stake DAO Official Documentation","type":"official","url":"https://docs.stakedao.org/whitepapers"},{"credibility":1,"name":"Stake DAO SDT Token Documentation","type":"official","url":"https://docs.stakedao.org/sdt"}],"summary":"StakeDAO is a DeFi protocol launched in January 2021 that provides liquid locking, yield strategies, and governance aggregation built primarily around Curve Finance's ecosystem on Ethereum and Arbitrum. On May 27, 2026, the protocol suffered a significant exploit when an attacker compromised its deployer private key and used it to reconfigure a LayerZero v2 OFT bridge peer, enabling the minting of approximately 5.44 trillion vsdCRV tokens on Arbitrum and the extraction of roughly $91,000 in ETH. 
The incident did not involve a smart contract vulnerability but exposed a critical operational security failure: the deployer key was a single point of failure with no multisig protection, no timelock, and was allegedly operated as a hot key inside automated infrastructure.","timeline":[{"date":"2021-01-20","event":"StakeDAO launched; initial SDT token airdrop distributed representing 1.5% of total supply.","source":"Stake DAO Progress Report Q3 2021","source_url":"https://stakedaohq.medium.com/stake-dao-progress-report-q3-2021-6e16cbb7acee"},{"date":"2026-04-18","event":"KelpDAO exploited for approximately $292 million via a compromised LayerZero 1/1 DVN configuration, attributed to Lazarus Group, establishing broader awareness of LayerZero bridge risks.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-05-09","event":"LayerZero publicly acknowledged it 'made a mistake' in permitting its DVN to operate in a 1/1 configuration for high-value transactions, announcing migration to 5/5 or 3/3 DVN minimums.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit"},{"date":"2026-05-27","event":"Attacker compromised StakeDAO deployer key (0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62) and executed a setPeer() transaction at approximately 09:17:33 UTC, redirecting vsdCRV LayerZero OFT bridge trust to a malicious contract.","source":"The Block / Memeburn","source_url":"https://www.theblock.co/post/402719/security-researchers-flag-ongoing-stakedao-exploit-vsdcrv"},{"date":"2026-05-27","event":"Approximately 25 seconds after the setPeer() transaction, a forged LayerZero cross-chain message minted 5,446,744,073,709.551615 vsdCRV tokens on Arbitrum into the attacker's wallet.","source":"Memeburn / Castle 
Crypto","source_url":"https://memeburn.com/how-stake-dao-was-exploited-inside-the-5-4-trillion-vsdcrv-minting-attack/"},{"date":"2026-05-27","event":"Attacker executed approximately 28 swap transactions between 09:17 and 09:43 UTC across Curve, KyberSwap, MetaMask Router, and Enso, converting minted vsdCRV into approximately 43.78 ETH (~$91,000).","source":"Crypto.news / AMBCrypto","source_url":"https://crypto.news/defi-exploit-hits-stake-dao-as-attacker-swaps-vsdcrv-for-eth/"},{"date":"2026-05-27","event":"StakeDAO issued public advisory urging users to avoid interacting with vsdCRV tokens. Blockaid confirmed active exploit detection.","source":"Castle Crypto / The Block","source_url":"https://castlecrypto.gg/news/stakedao-hit-by-major-exploit-on-arbitrum-via-compromised-deployer-key/"},{"date":"2026-05-28","event":"StakeDAO confirmed backing funds secured on Ethereum mainnet, announced permanent shutdown of the vsdCRV Ethereum-Arbitrum bridge, and stated law enforcement and security partners are involved in investigation.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/05/28/stake-dao-assures-users-after-vsdcrv-exploit-and-bridge-shutdown/"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision 74c6e380-d19e-4399-a9e2-324a60f34e77
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
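
The row-integrity and memo checks described above can be reproduced independently in a few lines of Python. This is an added example, not the site's `src.verify_decision` code; the canonical form (sorted keys, compact separators, raw UTF-8), the sample record and the memo text are assumptions constructed for illustration.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; each leading zero byte maps to '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def canonicalize(record: dict) -> bytes:
    # ASSUMPTION, inferred from the record displayed on the page: keys sorted,
    # no insignificant whitespace, non-ASCII characters kept raw, UTF-8 encoded.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(canonical_bytes: bytes) -> str:
    """sha256 -> base58, the encoding the audit row labels its hash with."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


def verify_row(canonical_bytes: bytes, stored_hash: str, memo_text: str) -> dict:
    recomputed = row_hash(canonical_bytes)
    return {
        # Row integrity: the bytes you hold hash to the value stored in the row.
        "row_integrity": recomputed == stored_hash,
        # Anchor: the same hash appears in the memo fetched from the chain.
        "memo_anchor": recomputed in memo_text,
    }


# Constructed sample with the same top-level keys as the record on the page.
SAMPLE_RECORD = {
    "v": 1,
    "kind": "publish",
    "actor": "system:backfill",
    "page_slug": "example",
    "sequence_num": 1,
    "snapshot": {"sections": [{"severity": "critical",
                               "heading": "Constructed section — sample"}]},
}


def demo():
    canon = canonicalize(SAMPLE_RECORD)
    stored = row_hash(canon)              # stands in for the hash stored in the row
    memo = "constructed-memo " + stored   # hypothetical memo text, format assumed
    good = verify_row(canon, stored, memo)
    # Editing one field after publication changes the digest and fails both checks.
    tampered = canon.replace(b'"severity":"critical"', b'"severity":"low"')
    return good, verify_row(tampered, stored, memo)


if __name__ == "__main__":
    print(demo())
```

A mismatch does not always mean tampering: re-serializing the record with different key order, whitespace or `\u` escaping also changes the digest, so hash the published canonical bytes exactly as served.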