A StakeDAO exploit minted 5.4 trillion vsdCRV tokens but the attacker extracted only $91,000 in value. Security firm PeckShield traced the exploit, finding that the attacker bridged 43.7 ETH to Ethereum after the massive token creation event.
The gap between minted supply and extracted value reveals a liquidity problem. EmberCN analysis shows most of the remaining tokens lacked sufficient liquidity for the attacker to convert into cash. The vsdCRV tokens flooded markets but had no viable exit path for the perpetrator.
This exploit exposes a common vulnerability in governance and incentive token mechanics. vsdCRV, StakeDAO's vote-escrowed Curve DAO token, holds value primarily through voting power and protocol incentives rather than direct market demand. When an attacker mints billions of tokens in a single transaction, they saturate any reasonable liquidity pool, leaving them unable to dump their holdings without crashing the price to zero.
PeckShield's $91,000 extraction figure suggests the attacker either managed partial sales at declining prices or focused the exploit narrowly on extracting ETH value rather than maximizing vsdCRV conversion. The 43.7 ETH bridge represents the practical proceeds from the attack.
StakeDAO operates as a yield optimization platform built on Curve, offering users tokenized exposure to Curve gauges and governance participation. The platform's vsdCRV mechanism allows users to lock CRV and receive voting-escrowed tokens. The exploit likely triggered through a contract vulnerability that bypassed minting safeguards, allowing unlimited token creation without proper collateral or authorization checks.
The incident highlights a recurring pattern in DeFi exploits. Attackers identify inflation vectors in governance tokens but discover the tokens themselves lack real liquidity.