Image credit: Unsplash
StakeDAO suffered a token-minting exploit on Arbitrum after an attacker created about 5.4 trillion vsdCRV, but thin liquidity limited the realized haul to roughly 43.8 ETH, or about $91,000.
Security firms Blockaid and PeckShield flagged the incident on May 27. StakeDAO warned users not to interact with vsdCRV while the issue was being handled.
Compromised Key Changed LayerZero Routing
Early analysis points to a compromised StakeDAO deployer key rather than a flaw in Arbitrum itself. Blockaid said the attacker altered the LayerZero v2 OFT peer configuration tied to vsdCRV. That redirected trust from the legitimate Ethereum-side adapter to a malicious contract.
The attacker then sent a forged cross-chain message back to Arbitrum and minted trillions of new vsdCRV tokens. The attack shows how privileged access can break cross-chain token systems even when the underlying chain is not compromised.
5.4T VsdCRV Mint Netted Only 3.8 ETH
The exploit created an enormous supply shock on paper. Reports estimated the counterfeit mint at about 4.8 million times the token’s legitimate circulating supply. But the attacker could not cash out most of that amount because vsdCRV liquidity was too thin.
PeckShield said the attacker swapped only part of the mint for about 43.781 ETH before bridging the proceeds to Ethereum. That kept the realized theft far below the nominal token amount, but the fake supply still damaged confidence in vsdCRV’s integrity.
Curve and Beefy Users Faced knock-On Risk
The incident quickly raised concerns across connected DeFi venues. Beefy Finance said the exploit affected its Arbitrum Convex CRV, csdCRV and asdCRV vault. Curve-linked reporting also warned that price oracles tied to asdCRV markets could become unstable after the vsdCRV exploit.
The small cash-out did not remove downstream risk, because connected vaults and oracle-dependent markets could still be affected by distorted vsdCRV pricing.
For StakeDAO, the immediate issue is containing the damage and restoring trust in the wrapped token. For the wider market, the exploit is another reminder that cross-chain systems can fail through key control and trusted-routing changes, not only through visible smart contract bugs.
