vsdCRV Incident Disclosure - 27-05-2026On May 27, 2026, a compromised deployer account holding the owner role on the vsdCRV LayerZero OFT on Arbitrum was used to forge an unbacked cross-chain mint of vsdCRV. By swapping the forged supply through the Curve pool, the attacker drained roughly 321,143 CRV and ~7.5 ETH of real assets, realizing approximately 43.8 ETH (~$91,000). This was not a smart contract vulnerability: the contracts behaved as designed once the attacker held the owner key. The backing of legitimate vsdCRV was secured within 47 minutes, the minting path was closed the same day, and all on-chain authority held by the compromised account has been reclaimed to the governance multisig.
Stake DAO Tokenomics Update: Migrating from veSDT to vlSDTFollowing the approval of [SDGP-63](https://gov.stakedao.org/t/sdgp-63-migration-from-vesdt-to-vlsdt/1115), the Stake DAO protocol is rolling out a major upgrade to its governance and staking system. veSDT is being deprecated and replaced by vlSDT, a simpler, more flexible, and more accessible governance token for the Stake DAO protocol.
Votemarket Incident Disclosure - 12-03-2026On March 12, 2026, a vulnerability in the L1BlockOracleUpdater peripheral contract was exploited to inject fabricated L1 block data into the Votemarket Oracle on Arbitrum and Base via the LaPoste cross-chain messaging bridge. By poisoning the Oracle state, the attacker forged Merkle Patricia storage proofs to register fictitious vote data and subsequently drained campaign rewards across 54 campaigns (50 on Arbitrum and 4 on Base), totaling approximately $175,000 in stolen assets. Legitimate voters' claims for the affected epochs were consumed, preventing rightful claimants from receiving their rewards.