Stake DAO said its initial review found that an unauthorized party had performed vsdCRV on Arbitrum during the security incident reported earlier this week.
Summary
- Stake DAO said an attacker committed a vsdCRV to Arbitrum during a security incident.
- The team said that the mainnet funding is secure and no support funds were taken by the attacker.
- Improved yield, Liquid Lockers, Votemarket and Morpho lending were tested as unaffected.
The project said contributors secured vsdCRV support on the Ethereum mainnet and closed the vsdCRV bridge. The DAO stake said this contained the Arbitrum incident and prevented an attacker from capturing the mainnet’s funding.
Stake DAO secures mainnet support
Stake DAO said, “initial investigation points to an unauthorized group (attacker) formed against Arbitrum.” This statement followed earlier reports that security firms had tracked down a large unauthorized exploit tied to the protocol’s vsdCRV token.
As crypto.news reported yesterday, Blockaid said the attacker made more than 5.4 trillion vsdCRV on Arbitrum and started exchanging ETH tokens. PeckShield also tracked part of the funds moving to 43.78 ETH before the Ethereum bridge.
The latest update reduces the risk area. Stake DAO said contributors moved quickly to secure support for vsdCRV on the mainnet. The group added that “no money was taken by the attacker” from that support.
Stake DAO also closed the vsdCRV bridge. That move was intended to stop the abuse from spreading beyond Arbitrum and limit further damage while the review is underway.
Key products remain unaffected
Stake DAO said its current testing shows that Boosted returns, Liquid Lockers, Votemarket and Stake DAO lending with Morpho were not affected by the incident.
The statement is important to users because those products make up a large part of Stake DAO’s yield and management services. The project did not report any specific problem affecting those products in its latest update.
However, the team did not say that the full update is over. It described the findings as current and preliminary, meaning the final scope may change if security teams receive new information.
Stake DAO said law enforcement is still involved and security partners are helping with the review. The project also said it will share more information over time.
The Arbitrum asdCRV market is going down
Stake DAO said the Arbitrum asdCRV Llamalend market is going down after the incident. It told crvUSD depositors that they can move their funds to other Llamalend markets.
That move gives users a clear way to reduce exposure to the affected market. It also shows that the protocol takes product-level feedback, not just the technical bridge feedback.
The review did not say that asdCRV itself was exploited. The main confirmed issue remains the unauthorized execution of vsdCRV in Arbitrum.
Currently, the main focus is on user safety, market withdrawal and ongoing investigations. The next updates of the affected DAO will be important with the final calculations of losses, recovery actions and any further product changes.
