Stake DAO Exploit Lets Attacker Mint 5.4T vsdCRV on Arbitrum
Alex Smith
1 month ago
Stake DAO was exploited on Arbitrum on May 27, 2026, when an attacker minted over 5.4 trillion vsdCRV by exploiting the tokenâs cross-chain configuration. Stake DAO has warned users not to interact with vsdCRV, while Curve Finance also recommended that users with deposits or loans in the asdCRV LlamaLend market on Arbitrum withdraw them to mitigate oracle risks. On-chain data shows that the attacker was only able to realize a small fraction of the value into ETH due to limited liquidity.
Exploit Details
On-chain data on Arbitrum shows that the mint transaction occurred at block 467160931 at 09:17:58 UTC on May 27, 2026. The transaction recorded approximately 5.45 trillion vsdCRV being minted from the null address to the wallet 0xeF3CâŚaa25.
On-chain evidence of the Stake DAO exploit. Source: Arbiscan
This transaction interacted with the LayerZero v2 Executor, indicating that the minting process was related to the cross-chain messaging flow used to create tokens on Arbitrum. The mint transactionâs hash is 0x7489âŚe5fe5, according to Arbiscan data.
Blockaid stated that they detected an ongoing exploit targeting Stake DAO on Arbitrum, in which the attacker minted over 5.4 trillion vsdCRV and began swapping these tokens into ETH.
According to security tracking sources, including PeckShield, the attacker swapped a portion of the tokens for approximately 43.78 ETH, worth around $91,200 at the time of reporting, and then bridged the assets to Ethereum. This figure reflects the value initially realized by the attacker, not the nominal value of the entire minted vsdCRV supply.
Suspected Root Cause
Blockaid suspects the exploit likely stemmed from the Stake DAO deployerâs private key being compromised. The deployer address mentioned is 0x0007âŚff62.
From this access, the attacker is believed to have altered the cross-chain configuration that vsdCRV uses to validate messages via LayerZero. Specifically, Blockaid said the attacker changed the trusted âpeerâ from a valid adapter on the Ethereum side to a malicious contract deployed by the attacker, and then used that contract to send fake messages to mint tokens on Arbitrum.
Suspected root cause is compromised private key.
Malicious peer deployment: https://t.co/RlJlVYC5xe
Cross-chain mint: https://t.co/NBQdjaTXu0
setPeer #3 (before mint): https://t.co/sq7jrH8tN6âŚ
Mint tx: https://t.co/kH52CmHXGmâŚâ Blockaid (@blockaid_) May 27, 2026
The details published by Blockaid indicate that the incident involved deployer permissions and Stake DAOâs LayerZero OFT configuration, rather than a confirmed vulnerability within the LayerZero core protocol. As of the time of writing, Stake DAO has not published a full post-mortem regarding how the private key was compromised or the scope of the affected contracts.
This context places the incident alongside cross-chain messaging risks that gained attention following the approximately $292 million Kelp DAO/rsETH incident in April 2026, which also involved message flows through LayerZero. The difference is that in the Stake DAO case, the current data focuses on the projectâs compromised key and OFT configuration.
Market and User Impact
Immediately following the incident, Stake DAO requested users not to interact with vsdCRV while the issue was being handled. With over 5.4 trillion new tokens minted, the risk lies not only in the dilution of the vsdCRV supply but also in the impact on liquidity pools, oracles, and protocols linked to this token on Arbitrum.
Curve Finance also issued a separate warning for users with deposits or loans in the asdCRV LlamaLend market on Arbitrum. According to Curve, the market was still operating normally at the time of the warning, but the price oracle could become unstable due to the exploit involving vsdCRV, increasing the risk of liquidation for borrowing/debt positions.
If you have deposits or loans in asdCRV LlamaLend market on Arbitrum â please exist ASAP out of precation.
The market is fine right now but its price oracle can become unstable due to the vsdCRV exploit which can cause liquidations. https://t.co/HhvMfzXEe9
â Curve Finance (@CurveFinance) May 27, 2026
Despite the massive amount of tokens minted, the value initially realized by the attacker was only around $91,200, which is much lower than the nominal figure because vsdCRV liquidity was insufficient to absorb the entire pool of new tokens. The final damage still depends on the amount of tokens swapped, the level of impact on related pools, and the remediation measures from Stake DAO.
What Remains Unclear
Stake DAO had not published a full post-mortem at the time the initial warnings were issued. The remaining open questions include how the private key was compromised, the scope of the affected contracts, the recovery status of the cross-chain configuration, and the level of remaining risk to related pools or markets on Arbitrum.
In the short term, users involved with vsdCRV, sdCRV, or markets using related oracles on Arbitrum still need to monitor official announcements from Stake DAO, Curve, and on-chain security entities. The incident also highlights key management risks in DeFi, especially for protocols that still allow deployer or admin keys to alter trust configurations between chains.
The post Stake DAO Exploit Lets Attacker Mint 5.4T vsdCRV on Arbitrum appeared first on NFT Plazas.
Related Articles
World.xyzâs Robinhood Chain Joke Goes Viral Across Solana X
In less than a week since its launch, World.xyz (World), a prediction platform o...
Former SWIFT Exec Denies Rumors of XRP Integration With Global Payment Network
Fresh speculation about a partnership between SWIFT and Ripple swept across cryp...
Kraken Prepares to Relaunch Mobile App With AI-Powered Trading
Kraken is rebuilding its mobile app around agentic artificial intelligence, a sh...
SWIFT Launches Blockchain-Based Ledger for 24/7 Cross-Border Payments, Pilots With 17 Global Banks Using Tokenized Deposits
Swift, the cooperative behind the world’s dominant financial messaging net...