Stake DAO Exploit Lets Attacker Mint 5.4T vsdCRV on Arbitrum
On May 27, 2026, Arbitrum experienced a significant breach involving Stake DAO, where a hacker minted more than 5.4 trillion vsdCRV tokens by exploiting the token’s cross-chain functionality. This event was logged in block 467160931 at 09:17:58 UTC and utilized the LayerZero v2 Executor. Blockaid pinpointed the issue as a result of a compromised private key belonging to the Stake DAO deployer (0x0007…ff62). By altering the trusted peer in the cross-chain setup to a malicious contract, the attacker sent fake messages to generate tokens. They managed to trade some for about 43.78 ETH (around $91,200) and moved the funds to Ethereum. Stake DAO alerted users about vsdCRV, while Curve Finance advised withdrawals from the asdCRV LlamaLend market due to potential oracle problems. This incident highlights the risks tied to DeFi management, especially for protocols with changeable deployer or admin keys. Stake DAO has not yet published a detailed analysis.
Key facts
- Stake DAO exploited on Arbitrum on May 27, 2026
- Attacker minted over 5.4 trillion vsdCRV tokens
- Mint transaction at block 467160931, 09:17:58 UTC
- Transaction interacted with LayerZero v2 Executor
- Suspected root cause: compromised private key of deployer address 0x0007…ff62
- Attacker swapped portion for 43.78 ETH (~$91,200) and bridged to Ethereum
- Stake DAO warned users not to interact with vsdCRV
- Curve Finance warned users of asdCRV LlamaLend market on Arbitrum
- Incident follows $292M Kelp DAO exploit in April 2026 involving LayerZero
- No full post-mortem published by Stake DAO yet
Entities
Institutions
- Stake DAO
- Arbitrum
- Curve Finance
- Blockaid
- PeckShield
- LayerZero
- LlamaLend
- NFT Plazas
Locations
- Arbitrum
- Ethereum