---
title: "Stake DAO Hit by 5.4 Trillion vsdCRV Mint Exploit"
date: 2026-05-27
author: "Kelvin Scott"
featured_image: "https://coinlaw.io/wp-content/uploads/2026/05/stake-dao-exploited-with-infinite-minting-exploit.jpg"
categories:
  - name: "Cryptocurrency"
    url: "/crypto.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Stake DAO Hit by 5.4 Trillion vsdCRV Mint Exploit

Stake DAO is facing a major security incident after an attacker minted more than 5.4 trillion vsdCRV tokens on Arbitrum and began swapping the assets for ETH.

## Key Takeaways

- Stake DAO suffered an ongoing exploit tied to a suspected compromised deployer private key on Arbitrum.
- The attacker minted over 5.4 trillion vsdCRV tokens and started dumping them for ETH through liquidity pools.
- Security researchers believe the exploit was caused by privileged access abuse, not a flaw in LayerZero or smart contracts.
- Stake DAO has warned users to avoid interacting with vsdCRV until further notice.

## What Happened?

Stake DAO, a decentralized finance platform focused on automated yield strategies and governance token products, has become the latest DeFi protocol targeted in a major exploit. Blockchain security firms including Blockaid, PeckShield, BlockSec, and ChainCatcher reported that an attacker minted approximately **5.4 trillion vsdCRV tokens** on Arbitrum before rapidly swapping the tokens for ETH.

The exploit appears to still be active, with the attacker continuing to move funds across chains while draining liquidity tied to the affected token.

> Stake DAO is under an ongoing exploit. An attacker compromised a deployer key on Arbitrum to mint ~5.4 trillion vsdCRV via a forged message, then swapped a portion for 43.78 ETH (~$91k) and bridged it to Ethereum.  
>   
> The protocol has acknowledged the issue and warned users not to…
> 
> — unfolded. (@cryptounfolded) [May 27, 2026](https://twitter.com/cryptounfolded/status/2059598814269329532?ref_src=twsrc%5Etfw)

## Attacker Exploits Deployer Access

According to multiple security researchers, the incident was likely caused by a compromised deployer private key connected to Stake DAO’s Arbitrum deployment.

BlockSec explained that the attacker allegedly gained control of the deployer credentials and changed a critical cross-chain configuration tied to **vsdCRV**. This allowed the attacker to create a malicious LayerZero message that triggered unlimited token minting on [Arbitrum](https://coinlaw.io/arbitrum-statistics/).

“**The attacker appears to have obtained the deployer’s private key and set an arbitrary peer for vsdCRV,**” BlockSec stated.

Using that access, the attacker minted nearly 5.44 trillion vsdCRV tokens directly to their wallet before immediately selling the assets into available liquidity pools.

PeckShield reported that at least part of the stolen value had already been converted into approximately **43.78 ETH** worth around **$91,000** at the time of reporting and bridged to [Ethereum](https://coinlaw.io/ethereum-statistics/).
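The sequence described above (a peer change followed by an outsized mint) is something an on-chain monitor can flag. The sketch below is an added example, not code from Stake DAO, LayerZero or the researchers quoted here. It assumes the token emits a `PeerSet(eid, peer)` event on peer changes, as in the LayerZero V2 OApp pattern, and a standard ERC-20 `Transfer` from the zero address on mint; every address, endpoint id, block number and amount is constructed.

```python
# Added example: all addresses, endpoint ids, blocks and amounts are constructed.
# Assumption: the token emits PeerSet(eid, peer) on peer changes (LayerZero V2
# OApp pattern) and an ERC-20 Transfer from the zero address on every mint.
from dataclasses import dataclass

ZERO = "0x" + "00" * 20

@dataclass
class Alert:
    block: int
    kind: str
    detail: str

def scan(events, approved_peers, supply, mint_ratio=0.05, window=50):
    """Scan decoded logs (ordered by block) for unapproved peers and odd mints.

    approved_peers maps endpoint id -> expected peer; supply is the total
    supply before the first event.
    """
    alerts, bad_peer_block = [], None
    for ev in events:
        if ev["name"] == "PeerSet":
            if approved_peers.get(ev["eid"]) != ev["peer"].lower():
                bad_peer_block = ev["block"]
                alerts.append(Alert(ev["block"], "UNAPPROVED_PEER",
                                    f"eid {ev['eid']} -> {ev['peer']}"))
        elif ev["name"] == "Transfer" and ev["from"] == ZERO:  # mint
            amount = ev["value"]
            if supply == 0 or amount / supply > mint_ratio:
                recent = (bad_peer_block is not None
                          and ev["block"] - bad_peer_block <= window)
                kind = "MINT_AFTER_PEER_CHANGE" if recent else "LARGE_MINT"
                alerts.append(Alert(ev["block"], kind,
                                    f"{amount} minted to {ev['to']}"))
            supply += amount
    return alerts

APPROVED = {101: "0x" + "11" * 32}          # hypothetical eid and peer
SAMPLE = [                                   # constructed decoded logs
    {"name": "Transfer", "block": 100, "from": ZERO, "to": "0xaaa", "value": 1_000},
    {"name": "PeerSet", "block": 200, "eid": 101, "peer": "0x" + "ee" * 32},
    {"name": "Transfer", "block": 203, "from": ZERO, "to": "0xbbb",
     "value": 5_400_000_000_000},
]

if __name__ == "__main__":
    for a in scan(SAMPLE, APPROVED, supply=10_000_000):
        print(a.block, a.kind, a.detail)
```

The thresholds (`mint_ratio`, `window`) are illustrative defaults; a deployment would tune them to the token's normal bridging volume.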

## What Is vsdCRV?

vsdCRV is a governance and yield related token tied to the **Curve Finance ecosystem** through Stake DAO’s liquid locker strategy products.

The token acts as a wrapped representation connected to Stake DAO’s sdCRV infrastructure, which is designed to maximize governance voting power and yield opportunities inside the ongoing competition for Curve Finance influence, commonly known as the “**Curve Wars.**”

Because vsdCRV is deeply connected to liquidity and governance systems, the sudden appearance of trillions of newly minted tokens created immediate panic across connected pools and trading markets.

## No Smart Contract Bug Found So Far

Security experts emphasized that the exploit does not currently appear to involve a direct smart contract vulnerability or a failure within LayerZero infrastructure itself.

Instead, analysts pointed to operational security weaknesses involving privileged wallet access.

Sodot co-founder and Chief Product Officer **Shalev Keren** said the exploit closely resembles several recent incidents involving compromised deployer keys across the DeFi sector.

Keren explained:

> “The Stake DAO deployer key on Arbitrum was used to repoint the vsdCRV cross chain bridge configuration to an attacker controlled contract on Ethereum.”
>
> Shalev Keren, Co-founder and Chief Product Officer – Sodot

He added that there was “**no flaw in LayerZero**” and described the incident as a dangerous example of centralized control over sensitive protocol functions.

Researchers also noted that stronger protections such as multisig wallets, hardware security systems, and transaction delays are commonly used to reduce these risks.

## Stake DAO Issues Warning to Users

Stake DAO acknowledged the incident publicly on platform X and urged users not to interact with vsdCRV while investigations continue.

> We are aware of the ongoing situation.  
> Please do not interact with vsdCRV. <https://t.co/3wZhMo52r6>
> 
> — Stake DAO (@StakeDAOHQ) [May 27, 2026](https://twitter.com/StakeDAOHQ/status/2059586800255910039?ref_src=twsrc%5Etfw)

At the time of writing, Stake DAO has not released a full postmortem or confirmed the total financial impact of the exploit.

## Growing Pressure on DeFi Security

The Stake DAO incident adds to a growing wave of attacks targeting [decentralized finance protocols](https://coinlaw.io/history-of-defi/) in recent months. Industry researchers estimate that DeFi projects have suffered hundreds of millions of dollars in losses since April alone.

The latest exploit has once again raised concerns about the security risks tied to privileged access and centralized operational control inside supposedly decentralized systems.

## CoinLaw’s Takeaway

In my experience, exploits involving compromised private keys are becoming one of the biggest threats facing DeFi today. This attack was not caused by a complicated smart contract bug. It appears to have come down to a single sensitive key holding enormous power over critical protocol functions.

I found the most worrying part to be how quickly the attacker was able to change configurations, mint trillions of tokens, and drain liquidity before anyone could stop it. Events like this show that even audited DeFi platforms can still carry massive operational risks behind the scenes.
