
Stake DAO Exploit: 5.4 Trillion vsdCRV Minted on Arbitrum

Severity: High (Score: 66.9)

Sources: Thedefiant, Cryptobriefing, www.chaincatcher.com, Theblock.Co, Bitget

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: stake, vsdcrv, security, incident, advises, platform, responds


Summary

Stake DAO, a non-custodial liquid staking platform, suffered a significant exploit on Arbitrum, where an attacker minted over 5.4 trillion vsdCRV tokens after compromising the protocol's deployer private key. The exploit involved manipulating the LayerZero v2 OFT peer configuration linked to the vsdCRV token contract. Although the nominal value of the minted tokens was estimated at $763 billion, the attacker had difficulty converting them to cash because liquidity in vsdCRV markets was extremely thin. Only 16.83 million tokens were exchanged for approximately $91,000 before liquidity dried up. Stake DAO has warned users against interacting with vsdCRV while the situation is being assessed. The security team suspects exploitation of an infinite mint vulnerability as the cause of the incident.

Key Points:

  • An attacker minted over 5.4 trillion vsdCRV tokens on Arbitrum after compromising Stake DAO's deployer key.
  • The exploit's nominal value was estimated at $763 billion, but liquidity issues hindered cash conversion.
  • Stake DAO has advised users not to interact with vsdCRV during the ongoing investigation.

Detailed Analysis

**Impact** The exploit affected Stake DAO, a non-custodial liquid staking platform operating on Arbitrum, resulting in the unauthorized minting of over 5.4 trillion vsdCRV tokens. Although the nominal value of the minted tokens is estimated at $763 billion, the attacker managed to exchange only about 16.83 million tokens for 43.7 ETH (~$91,000) due to extremely thin liquidity. Users interacting with vsdCRV are at risk of financial loss, and the incident disrupts normal platform operations, particularly on Arbitrum.

**Technical Details** The attacker compromised Stake DAO's deployer private key, enabling manipulation of the LayerZero v2 OFT peer configuration linked to the vsdCRV token contract. This allowed exploitation of an infinite mint vulnerability, resulting in the creation of 5.4 trillion vsdCRV tokens. The attack leveraged a cross-chain messaging infrastructure weakness on Arbitrum. No specific CVEs or malware tools were mentioned. Indicators of compromise include the unauthorized minting transactions and altered LayerZero v2 OFT peer settings.

**Recommended Response** Stake DAO advises users to avoid interacting with vsdCRV tokens until further notice. Defenders should monitor for unusual minting activity and transactions involving vsdCRV, especially on Arbitrum. Immediate revocation and rotation of deployer private keys and hardening of cross-chain messaging configurations are critical. No patches or specific detection signatures were provided; continuous monitoring of LayerZero v2 OFT configurations is recommended.
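The monitoring recommended above can be sketched as a check over decoded contract events. This is an added example, not code from Stake DAO or any of the cited sources; it assumes the token emits a LayerZero OApp-style `PeerSet(eid, peer)` event on peer changes and a standard ERC-20 `Transfer` from the zero address on mint, and every address, transaction id, endpoint id, amount and threshold in it is constructed.

```python
# Added example: offline review of already-decoded contract events.
# Every address, tx id, endpoint id and amount below is constructed.
ZERO = "0x" + "00" * 20
UNIT = 10**18  # assumed 18-decimal token

# Assumed allowlist kept under change control: endpoint id -> approved peer.
APPROVED_PEERS = {30101: "0x" + "aa" * 20}

def to_bytes32(value):
    """Normalise an address or bytes32 hex string to lowercase bytes32."""
    h = value.lower()
    h = h[2:] if h.startswith("0x") else h
    return "0x" + h.rjust(64, "0")

def review(events, supply, mint_limit_bps=500):
    """Flag PeerSet changes outside the allowlist and mints above
    mint_limit_bps (basis points) of the supply seen so far."""
    alerts = []
    for ev in events:
        if ev["name"] == "PeerSet":
            approved = APPROVED_PEERS.get(ev["eid"])
            if approved is None or to_bytes32(ev["peer"]) != to_bytes32(approved):
                alerts.append(("peer-change", ev["tx"], ev["eid"]))
        elif ev["name"] == "Transfer" and ev["from"] == ZERO:
            if ev["value"] * 10_000 > supply * mint_limit_bps:
                alerts.append(("large-mint", ev["tx"], ev["value"]))
            supply += ev["value"]  # mints grow the baseline
    return alerts

SAMPLE_SUPPLY = 10_000_000 * UNIT  # constructed pre-incident supply
SAMPLE_EVENTS = [  # constructed, in block order
    {"name": "PeerSet", "tx": "0xtx1", "eid": 30101,
     "peer": "0x" + "00" * 12 + "aa" * 20},           # matches allowlist
    {"name": "Transfer", "tx": "0xtx2", "from": ZERO,
     "value": 100 * UNIT},                             # routine mint
    {"name": "PeerSet", "tx": "0xtx3", "eid": 30101,
     "peer": "0x" + "00" * 12 + "bb" * 20},           # unapproved peer
    {"name": "Transfer", "tx": "0xtx4", "from": ZERO,
     "value": 5_400_000_000_000 * UNIT},               # oversized mint
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS, SAMPLE_SUPPLY):
        print(alert)
```

A peer change signed by a valid owner key still raises an alert here, because the comparison is against an allowlist held outside the contract rather than against on-chain authorisation.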

Source articles (6)

  • Security researchers flag ongoing Stake DAO exploit after attacker mints trillions of vsdCRV — Theblock.Co · 2026-05-27
    Stake DAO, a DeFi platform focused on automated yield strategies, is facing an ongoing exploit, multiple blockchain security firms reported on Wednesday. The attacker minted over 5.4 trillion vsdCRV o…
  • Stake DAO faces ongoing exploit as attacker mints 5.4T vsdCRV on Arbitrum — Cryptobriefing · 2026-05-27
    The attacker was unable to realize meaningful profits due to vsdCRV's extremely thin liquidity. Stake DAO, a non-custodial liquid staking platform, became the target of a major exploit on Arbitrum aft…
  • Stake DAO responds to security incident, advises against interacting with vsdCRV for now — Bitget · 2026-05-27
    ChainCatcher reported that Stake DAO responded to the security incident on the X platform, stating that its team is aware of the event and advises users not to interact with vsdCRV for now. In additio…
  • Stake DAO responds to the security incident: Do not interact with vsdCRV at this time — Weex · 2026-05-27
    Stake DAO posted on platform X in response to the security incident, stating that its team is aware of the current security event and advises against interacting with vsdCRV. Previously, an anomaly oc…
  • Hacker Mints 5.4 Trillion Tokens in StakeDAO Exploit, Nets $91K — Thedefiant · 2026-05-27
    A hacker compromised StakeDAO's deployer private key on Wednesday, minting 5.4 trillion vsdCRV tokens on Arbitrum and swapping a portion for roughly $91,000 worth of ETH, an attack that rippled into C…
  • Chaincatcher — www.chaincatcher.com · 2026-05-27

Timeline

  • 2026-05-27 — Stake DAO exploit confirmed: An attacker minted over 5.4 trillion vsdCRV tokens by compromising the deployer private key on Arbitrum.
  • 2026-05-27 — Stake DAO issues user warning: Stake DAO advised users not to interact with vsdCRV due to the ongoing security incident.
  • 2026-05-27 — Infinite mint vulnerability suspected: The security team classified the incident as a suspected infinite mint vulnerability exploitation.

Related entities

  • Stake DAO (Company)
  • Arbitrum (Company)
  • Ethereum (Company)
  • CWE-190 - Integer Overflow or Wraparound (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • Curve Finance (Platform)
  • LayerZero (Platform)