Key Takeaways
- Stake DAO suffered an infinite-mint exploit on Arbitrum on May 27 which reportedly saw the attacker drain $91,000 in digital assets.
- The breach fuels a viral debate over DeFi security sparked by Openzeppelin co-founder Manuel Aráoz.
- Stake DAO is sunsetting the Arbitrum asdCRV Llamalend market and working with law enforcement.
Infinite-Minting Loophole Triggers Exploit
Decentralized finance ( DeFi), platform Stake DAO confirmed May 27 that its protocol on the Arbitrum layer-2 network was targeted by an exploit, allowing an unauthorized party to maliciously mint trillions of synthetic tokens. According to preliminary findings by blockchain security firm Blockaid, the attacker took advantage of an infinite-minting vulnerability linked to Stake DAO’s vsdCRV vault logic and automated reward distribution system.
The contract accepted an invalid state transition, leading to a severe internal accounting failure. This loophole allowed the attacker to inflate the supply of vsdCRV by 5.4 trillion units. Some reports suggest that the attacker was able to drain approximately $91,000 in transferable digital assets from the affected liquidity pools before the issue was identified and halted.
Stake DAO core contributors moved quickly to mitigate further damage, announcing they had successfully secured the vsdCRV backing on the Ethereum mainnet. Because of the rapid containment, protocol officials confirmed that no mainnet funds can be seized by the attacker. Additionally, the team deactivated the vsdCRV bridge, successfully confining the exploit’s economic impact to the Arbitrum ecosystem.
“Based on our current assessment, Boosted yields, Liquid Lockers, Votemarket & Stake DAO lending on Morpho are unaffected,” Stake DAO said in a statement shared via social media platform X.
The protocol noted, however, that the Arbitrum asdCRV Llamalend market is being permanently sunset in the wake of the incident. Stake DAO has advised users not to interact with vsdCRV contracts and is urging crvUSD depositors to relocate their capital to alternative, unaffected Llamalend markets.
A Precarious Juncture for DeFi Security
Law enforcement agencies have been notified, and Stake DAO said it is collaborating with external security partners to track the flow of stolen assets and conduct a comprehensive forensic audit of the compromised smart contracts.
The timing of the incident comes as the broader DeFi ecosystem attempts to push back against a viral thesis popularized by Openzeppelin co-founder Manuel Aráoz, who recently asserted that “all DeFi is unsafe.” Aráoz’s grim assessment stunned industry participants, forcing a reckoning within a sector already fatigued by a wave of protocol exploits and structural vulnerabilities. The Stake DAO exploit punctuates Aráoz’s thesis, complicating the industry’s efforts to restore institutional and retail confidence.
The thesis prompted Openzeppelin to issue a statement distancing itself from Aráoz, who the company said left the organization in 2019. Openzeppelin also addressed the key concerns raised by Aráoz, acknowledging that while artificial intelligence is a real threat vector, it is also a powerful defensive tool when used “with rigor and expert human judgment.”
“Our researchers use AI daily to catch more issues and edge cases,” Openzeppelin said in a statement. “The answer to AI risk is not retreat from DeFi. It is better security.”
Turning to the recent spate of security incidents, Openzeppelin insisted many of these can be traced back to operational security failures, rather than smart contract bugs.
