Stake DAO is facing a major security incident after an attacker minted more than 5.4 trillion vsdCRV tokens on Arbitrum and began swapping the assets for ETH.
Key Takeaways
- Stake DAO suffered an ongoing exploit tied to a suspected compromised deployer private key on Arbitrum.
- The attacker minted over 5.4 trillion vsdCRV tokens and started dumping them for ETH through liquidity pools.
- Security researchers believe the exploit was caused by privileged access abuse, not a flaw in LayerZero or smart contracts.
- Stake DAO has warned users to avoid interacting with vsdCRV until further notice.
What Happened?
Stake DAO, a decentralized finance platform focused on automated yield strategies and governance token products, has become the latest DeFi protocol targeted in a major exploit. Blockchain security firms including Blockaid, PeckShield, BlockSec, and ChainCatcher reported that an attacker minted approximately 5.4 trillion vsdCRV tokens on Arbitrum before rapidly swapping the tokens for ETH.
The exploit appears to still be active, with the attacker continuing to move funds across chains while draining liquidity tied to the affected token.
Stake DAO is under an ongoing exploit. An attacker compromised a deployer key on Arbitrum to mint ~5.4 trillion vsdCRV via a forged message, then swapped a portion for 43.78 ETH (~$91k) and bridged it to Ethereum.
The protocol has acknowledged the issue and warned users not to…
— unfolded. (@cryptounfolded) May 27, 2026
Attacker Exploits Deployer Access
According to multiple security researchers, the incident was likely caused by a compromised deployer private key connected to Stake DAO’s Arbitrum deployment.
BlockSec explained that the attacker allegedly gained control of the deployer credentials and changed a critical cross-chain configuration tied to vsdCRV. This allowed the attacker to create a malicious LayerZero message that triggered unlimited token minting on Arbitrum.
“The attacker appears to have obtained the deployer’s private key and set an arbitrary peer for vsdCRV,” BlockSec stated.
Using that access, the attacker minted nearly 5.44 trillion vsdCRV tokens directly to their wallet before immediately selling the assets into available liquidity pools.
PeckShield reported that at least part of the stolen value had already been converted into approximately 43.78 ETH worth around $91,000 at the time of reporting and bridged to Ethereum.
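A monitoring check for the pattern described above, a peer change followed by an outsized mint, as an added example that is not code from Stake DAO, BlockSec or LayerZero. It assumes the token emits a `PeerSet(eid, peer)` event on peer changes, as LayerZero V2 OApp contracts do, plus standard ERC-20 `Transfer` events; the event records, addresses, endpoint id, thresholds and supply figure are constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20
GOOD_PEER = "0x" + "aa" * 32   # constructed: the legitimate remote contract
ROGUE_PEER = "0x" + "bb" * 32  # constructed: an address outside the deployment records

@dataclass
class Event:
    block: int
    name: str   # "PeerSet" or "Transfer"
    args: dict

def review(events, expected_peers, supply, mint_limit_bps=500, window=50):
    """Flag peer changes outside the allow-list and outsized mints that follow them."""
    alerts, bad_peer_block = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "PeerSet":
            eid, peer = ev.args["eid"], ev.args["peer"].lower()
            if expected_peers.get(eid) != peer:
                bad_peer_block = ev.block
                alerts.append((ev.block, "UNEXPECTED_PEER", f"eid={eid} peer={peer}"))
        elif ev.name == "Transfer" and ev.args["from"] == ZERO:
            value = ev.args["value"]
            # Integer maths: a mint above mint_limit_bps of current supply is outsized.
            if value * 10_000 > supply * mint_limit_bps:
                recent = bad_peer_block is not None and ev.block - bad_peer_block <= window
                kind = "MINT_AFTER_PEER_CHANGE" if recent else "LARGE_MINT"
                alerts.append((ev.block, kind, f"to={ev.args['to']} value={value}"))
            supply += value
    return alerts

# Constructed event stream (decoded logs); endpoint id, blocks and amounts are placeholders.
EXPECTED_PEERS = {30101: GOOD_PEER}
SAMPLE = [
    Event(100, "PeerSet", {"eid": 30101, "peer": GOOD_PEER}),
    Event(150, "Transfer", {"from": ZERO, "to": "0x" + "11" * 20, "value": 10 * 10**18}),
    Event(200, "PeerSet", {"eid": 30101, "peer": ROGUE_PEER}),
    Event(201, "Transfer", {"from": ZERO, "to": "0x" + "22" * 20,
                            "value": 5_400_000_000_000 * 10**18}),
]

if __name__ == "__main__":
    for alert in review(SAMPLE, EXPECTED_PEERS, supply=1_000_000 * 10**18):
        print(alert)
```

The allow-list of expected peers is assumed to come from the team's own deployment records, so any `PeerSet` outside it is worth paging on before a mint ever happens.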
What Is vsdCRV?
vsdCRV is a governance and yield-related token tied to the Curve Finance ecosystem through Stake DAO’s liquid locker strategy products.
The token acts as a wrapped representation connected to Stake DAO’s sdCRV infrastructure, which is designed to maximize governance voting power and yield opportunities inside the ongoing competition for Curve Finance influence, commonly known as the “Curve Wars.”
Because vsdCRV is deeply connected to liquidity and governance systems, the sudden appearance of trillions of newly minted tokens created immediate panic across connected pools and trading markets.
No Smart Contract Bug Found So Far
Security experts emphasized that the exploit does not currently appear to involve a direct smart contract vulnerability or a failure within LayerZero infrastructure itself.
Instead, analysts pointed to operational security weaknesses involving privileged wallet access.
Sodot co-founder and Chief Product Officer Shalev Keren said the exploit closely resembles several recent incidents involving compromised deployer keys across the DeFi sector.
Keren explained:
He added that there was “no flaw in LayerZero” and described the incident as a dangerous example of centralized control over sensitive protocol functions.
Researchers also noted that stronger protections such as multisig wallets, hardware security systems, and transaction delays are commonly used to reduce these risks.
Stake DAO Issues Warning to Users
Stake DAO acknowledged the incident publicly on X and urged users not to interact with vsdCRV while investigations continue.
We are aware of the ongoing situation.
Please do not interact with vsdCRV. https://t.co/3wZhMo52r6
— Stake DAO (@StakeDAOHQ) May 27, 2026
At the time of writing, Stake DAO has not released a full postmortem or confirmed the total financial impact of the exploit.
Growing Pressure on DeFi Security
The Stake DAO incident adds to a growing wave of attacks targeting decentralized finance protocols in recent months. Industry researchers estimate that DeFi projects have suffered hundreds of millions of dollars in losses since April alone.
The latest exploit has once again raised concerns about the security risks tied to privileged access and centralized operational control inside supposedly decentralized systems.
CoinLaw’s Takeaway
In my experience, exploits involving compromised private keys are becoming one of the biggest threats facing DeFi today. This attack was not caused by a complicated smart contract bug. It appears to have come down to a single sensitive key holding enormous power over critical protocol functions.
I found the most worrying part to be how quickly the attacker was able to change configurations, mint trillions of tokens, and drain liquidity before anyone could stop it. Events like this show that even audited DeFi platforms can still carry massive operational risks behind the scenes.