Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 152 · Private Key Compromise

Steadefi Deployer Key Compromise

$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.

Date: August 7, 2023
Victim: Steadefi
Status: Funds Stolen
Attribution: Suspected Lazarus Group (DPRK)

On August 7, 2023, the leveraged-yield protocol Steadefi lost approximately $1.14 million across Arbitrum and Avalanche after its deployer private key was compromised. The attacker transferred contract ownership to themselves and drained the protocol's leveraged-vault collateral. The TTPs were consistent with Lazarus Group operations against DeFi developers in the same period.

What happened

Steadefi ran automated leveraged-yield vaults. The protocol's contracts were controlled by a deployer key with ownership/admin authority.

The compromise was not a smart-contract bug — Steadefi's vault logic worked as designed. The attacker:

  1. Obtained the deployer private key — vector not publicly detailed, but consistent with the endpoint-malware / social-engineering pattern Lazarus was running against DeFi developers throughout 2023 (Atomic Wallet, Stake.com, and others in the same window).
  2. Transferred contract ownership to an attacker-controlled address using the legitimate ownership-transfer function.
  3. With ownership, drained the leveraged vaults' collateral and borrowed positions across both chains.
  4. Total extracted: approximately $1.14M, laundered through Tornado Cash.

Aftermath

  • Steadefi paused operations and disclosed the deployer-key compromise.
  • The protocol effectively wound down; the loss was small in absolute terms but terminal for a protocol of Steadefi's size.
  • The attacker's laundering pattern matched concurrent Lazarus DeFi operations.

Why it matters

Steadefi is a small-dollar but structurally clean entry in the catalogue's largest single theme: single deployer/admin keys are the actual security model, regardless of contract quality, and they are a primary Lazarus target.

The same root cause — deployer/admin key compromise, usually via endpoint malware or social engineering of a developer — runs through:

  • EasyFi (2021, $81M) — CEO's MetaMask vault stolen from laptop.
  • bZx (November 2021, $55M) — phishing → Word macro → keys.
  • Steadefi (2023, $1.14M) — deployer key compromise.
  • Radiant Capital (2024, $53M) — Telegram malware → multi-sig UI deception.
  • Bybit (2025, $1.46B) — Safe{Wallet} developer supply-chain compromise.

The dollar amounts span four orders of magnitude; the root cause is identical. The cheapest, most reliable, most-repeated way to drain a crypto protocol is not to break its contracts — it is to compromise the human who holds its keys. Steadefi is one of the smaller data points on that line, but it sits on exactly the same line as the billion-dollar incidents, and the defensive answer is the same at every scale: hardware-wallet-only signing, multi-sig with geographically distributed independent signers, timelocked admin operations, and the assumption that any single key-holder's machine is already compromised.
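Step 2 of the attack used the contracts' standard ownership-transfer function, which emits an OwnershipTransferred event that anyone can watch. The following Python check is an added example, not part of this dossier or of Steadefi's code: it scans eth_getLogs-shaped records for that event on a set of watched contracts and alerts whenever the new owner is anything other than the approved multi-sig. All contract, signer and attacker addresses and all log records are constructed placeholders.

```python
# Added example, not Steadefi's code. Addresses and log records below are
# constructed placeholders shaped like JSON-RPC eth_getLogs output.

# keccak256("OwnershipTransferred(address,address)"), the standard OpenZeppelin topic
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"

VAULT_A = "0x" + "a1" * 20            # constructed placeholder vault contracts
VAULT_B = "0x" + "a2" * 20
WATCHED_CONTRACTS = {VAULT_A, VAULT_B}
DEPLOYER = "0x" + "de" * 20           # single-key deployer (the weak point)
APPROVED_OWNER = "0x" + "5a" * 20     # multi-sig that should hold ownership
ATTACKER = "0x" + "bad0" * 10         # attacker-controlled address (constructed)

def topic_to_address(topic: str) -> str:
    """Indexed address params arrive left-padded to 32 bytes; keep the low 20."""
    if len(topic) != 66 or not topic.startswith("0x"):
        raise ValueError(f"malformed topic: {topic!r}")
    return "0x" + topic[-40:].lower()

def address_to_topic(addr: str) -> str:
    """Inverse of topic_to_address; used here only to build the sample logs."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def check_ownership_logs(logs: list) -> list:
    """One alert per ownership change on a watched contract not landing on the multi-sig."""
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if log["address"].lower() not in WATCHED_CONTRACTS:
            continue                        # some other protocol's contract
        if len(topics) != 3 or topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue                        # some other event
        new_owner = topic_to_address(topics[2])
        if new_owner != APPROVED_OWNER:
            alerts.append({"contract": log["address"].lower(),
                           "previous_owner": topic_to_address(topics[1]),
                           "new_owner": new_owner,
                           "block": int(log["blockNumber"], 16)})
    return alerts

def make_log(contract: str, prev_owner: str, new_owner: str, block: int) -> dict:
    return {"address": contract, "blockNumber": hex(block), "topics": [
        OWNERSHIP_TRANSFERRED, address_to_topic(prev_owner), address_to_topic(new_owner)]}

# Constructed sample: legitimate handover to the multi-sig, hostile transfer, unrelated contract.
SAMPLE_LOGS = [
    make_log(VAULT_A, DEPLOYER, APPROVED_OWNER, 120_000_000),
    make_log(VAULT_B, DEPLOYER, ATTACKER, 120_000_500),
    make_log("0x" + "cc" * 20, DEPLOYER, ATTACKER, 120_000_501),
]
```

Running `check_ownership_logs(SAMPLE_LOGS)` returns a single alert for VAULT_B; the handover to the multi-sig and the unrelated contract produce nothing.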

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-steadefi-hack-august-2023
  2. coinedition.com: https://coinedition.com/defi-protocol-steadefi-exploited-for-over-1-1-million/
  3. rekt.news: https://rekt.news/steadefi-rekt
