Stake DAO confirmed an exploit on Arbitrum on May 27 that allowed an unauthorized party to mint trillions of synthetic tokens. Preliminary findings attributed the issue to an infinite-minting vulnerability in Stake DAO’s vsdCRV vault logic and automated reward distribution system. An invalid state transition caused an internal accounting failure that inflated vsdCRV supply by 5.4 trillion units. Reports indicated the attacker drained about $91,000 in transferable digital assets from affected liquidity pools before the problem was identified and halted. Stake DAO secured vsdCRV backing on Ethereum mainnet, deactivated the vsdCRV bridge, and stated no mainnet funds could be seized. The Arbitrum asdCRV Llamalend market was permanently sunset, and users were advised not to interact with vsdCRV contracts.
"Decentralized finance ( DeFi), platform Stake DAO confirmed May 27 that its protocol on the Arbitrum layer-2 network was targeted by an exploit, allowing an unauthorized party to maliciously mint trillions of synthetic tokens. According to preliminary findings by blockchain security firm Blockaid, the attacker took advantage of an infinite-minting vulnerability linked to Stake DAO's vsdCRV vault logic and automated reward distribution system. The contract accepted an invalid state transition, leading to a severe internal accounting failure."
"This loophole allowed the attacker to inflate the supply of vsdCRV by 5.4 trillion units. Some reports suggest that the attacker was able to drain approximately $91,000 in transferable digital assets from the affected liquidity pools before the issue was identified and halted. Stake DAO core contributors moved quickly to mitigate further damage, announcing they had successfully secured the vsdCRV backing on the Ethereum mainnet."
"Because of the rapid containment, protocol officials confirmed that no mainnet funds can be seized by the attacker. Additionally, the team deactivated the vsdCRV bridge, successfully confining the exploit's economic impact to the Arbitrum ecosystem. Based on our current assessment, Boosted yields, Liquid Lockers, Votemarket & Stake DAO lending on Morpho are unaffected, Stake DAO said in a statement shared via social media platform X."
"The protocol noted, however, that the Arbitrum asdCRV Llamalend market is being permanently sunset in the wake of the incident. Stake DAO has advised users not to interact with vsdCRV contracts and is urging crvUSD depositors to relocate their capita. Stake DAO is sunsetting the Arbitrum asdCRV Llamalend market and working with law enforcement."
Read at news.bitcoin.com
Unable to calculate read time
Collection
[
|
...
]