Decentralized finance suffered two independent but conceptually similar exploits in late May, draining a combined $291,000 from protocols built on Ethereum and Arbitrum. Neither breach relied on a traditional smart‑contract bug; both instead targeted weaknesses in reward or minting logic that had slipped past routine audits.
WUSD.fi & GLOVE – the sybil farming attack
On May 25, an attacker walked away with roughly $200,000 from two Uniswap V3 liquidity pools tied to WUSD.fi and its GLOVE token on Ethereum. Blockchain security researcher exvulsec traced the exploit back to a design flaw in the WUSD._englove function. Any fresh wallet that wrapped at least 100 WUSD while holding under 2 GLOVE could call Glove.mintCreditless and receive up to 2 GLOVE tokens – with no identity checks, rate limits, or other restrictions.
The attacker deployed EIP‑7702 helper contracts, used a Morpho USDT flash loan, and cycled through fresh wallet addresses in repeated wrap‑and‑unwrap loops. Each new address qualified for the reward, flooding the market with GLOVE that was immediately dumped into Uniswap V3. The GLO‑USDC pool lost 11,702 USDC, while the GLO‑USDT pool shed 8,079 USDT. As SecureAI noted on X, the exploit was “not the contract itself” but a reward mechanism that never questioned who it was rewarding.
StakeDAO’s vsdCRV – infinite minting vulnerability
Just days later, on May 27, security researchers flagged abnormal activity on StakeDAO’s Arbitrum deployment. The protocol’s vsdCRV contract, a liquid staking derivative linked to Curve Finance positions, appeared to have an “infinite mint” vulnerability. On‑chain analysis suggested an attacker had inflated the vsdCRV supply to an estimated 5.4 trillion tokens, using the distorted balance to drain roughly $91,000 from the vault system.
Unlike the WUSD incident, this was not an economic‑incentive flaw but an accounting failure: the contract’s minting logic improperly validated share‑balance ratios under certain transaction states, accepting an invalid state transition that allowed unlimited token creation. As a result, the artificially generated tokens were treated as legitimate staking power, and the attacker extracted real value before the anomaly was contained. The exploit did not involve a private‑key compromise; it was purely a smart‑contract design error.
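The two failure modes above (a per-address reward that never limited how many fresh wallets one actor could cycle through, and a share supply that outgrew the assets backing it) expressed as monitoring checks over constructed sample events. This is added example code, not the WUSD.fi, StakeDAO or any researcher's code, and the addresses, transaction hashes, balances and thresholds are placeholders.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not real chain records).
# Reward mints: (block, tx_hash, recipient, tokens_minted). One transaction paying
# the per-address reward to five distinct fresh wallets mimics a wrap/unwrap loop.
REWARD_MINTS = [
    (100, "0xtx_a", "0xw1", 2), (100, "0xtx_a", "0xw2", 2), (100, "0xtx_a", "0xw3", 2),
    (100, "0xtx_a", "0xw4", 2), (100, "0xtx_a", "0xw5", 2),
    (101, "0xtx_b", "0xw9", 2),  # an ordinary single claim
]
# Vault snapshots: (block, total_shares, total_assets backing those shares).
VAULT_SNAPSHOTS = [
    (200, 1_000_000, 1_000_000),
    (201, 1_010_000, 1_000_500),           # normal drift from accrued rewards
    (202, 5_400_000_000_000, 1_000_500),   # shares explode while assets do not
]

def sybil_reward_bursts(mints, max_recipients_per_tx=1):
    """A per-address reward with no global limit is only safe if each claim
    really comes from an independent user. Honest claims pay one recipient per
    transaction, so a tx that pays the reward to many distinct recipients is
    the on-chain signature of a funded loop over fresh wallets."""
    recipients = defaultdict(set)
    for _block, tx, recipient, _amount in mints:
        recipients[tx].add(recipient)
    return {tx: len(r) for tx, r in recipients.items() if len(r) > max_recipients_per_tx}

def share_inflation_blocks(snapshots, max_share_to_asset_ratio=1.05):
    """Shares in a share-based vault are a claim on assets, so total_shares must
    stay within a bounded ratio of total_assets. A block where the ratio jumps
    past the bound means a mint accepted a state the invariant should have
    rejected: the same condition a mint function should assert before changing
    supply, and the one a monitor should alert on after the fact."""
    flagged = []
    for block, shares, assets in snapshots:
        if assets == 0 or shares / assets > max_share_to_asset_ratio:
            flagged.append(block)
    return flagged

if __name__ == "__main__":
    print(sybil_reward_bursts(REWARD_MINTS))        # {'0xtx_a': 5}
    print(share_inflation_blocks(VAULT_SNAPSHOTS))  # [202]
```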
A $770M warning
Both episodes underscore a broader 2026 trend – DeFi exploits have already cost the sector nearly $770 million this year, often through overlooked incentive paths or fragile internal accounting. The WUSD.fi case is a classic sybil farming tactic, while StakeDAO’s breach exposes the peril of share‑based models without strict invariant checks. As Chinese‑language account aegixe_cn warned, users must understand a protocol’s mechanics before depositing funds – a reminder that carries extra weight when $291,000 disappears in two quick strikes.