Stake DAO was exploited on Arbitrum on May 27, 2026, when an attacker minted over 5.4 trillion vsdCRV by exploiting the token’s cross-chain configuration. Stake DAO has warned users not to interact with vsdCRV, while Curve Finance also recommended that users with deposits or loans in the asdCRV LlamaLend market on Arbitrum withdraw them to mitigate oracle risks. On-chain data shows that the attacker was only able to realize a small fraction of the value into ETH due to limited liquidity.
Exploit Details
On-chain data on Arbitrum shows that the mint transaction occurred at block 467160931 at 09:17:58 UTC on May 27, 2026. The transaction recorded approximately 5.45 trillion vsdCRV being minted from the null address to the wallet 0xeF3C…aa25.
On-chain evidence of the Stake DAO exploit. Source: Arbiscan
This transaction interacted with the LayerZero v2 Executor, indicating that the minting process was related to the cross-chain messaging flow used to create tokens on Arbitrum. The mint transaction’s hash is 0x7489…e5fe5, according to Arbiscan data.
Blockaid stated that they detected an ongoing exploit targeting Stake DAO on Arbitrum, in which the attacker minted over 5.4 trillion vsdCRV and began swapping these tokens into ETH.
According to security tracking sources, including PeckShield, the attacker swapped a portion of the tokens for approximately 43.78 ETH, worth around $91,200 at the time of reporting, and then bridged the assets to Ethereum. This figure reflects the value initially realized by the attacker, not the nominal value of the entire minted vsdCRV supply.
Suspected Root Cause
Blockaid suspects the exploit likely stemmed from the Stake DAO deployer’s private key being compromised. The deployer address mentioned is 0x0007…ff62.
From this access, the attacker is believed to have altered the cross-chain configuration that vsdCRV uses to validate messages via LayerZero. Specifically, Blockaid said the attacker changed the trusted “peer” from a valid adapter on the Ethereum side to a malicious contract deployed by the attacker, and then used that contract to send fake messages to mint tokens on Arbitrum.
Suspected root cause is compromised private key.
Malicious peer deployment: https://t.co/RlJlVYC5xe
Cross-chain mint: https://t.co/NBQdjaTXu0
setPeer #3 (before mint): https://t.co/sq7jrH8tN6…
Mint tx: https://t.co/kH52CmHXGm…— Blockaid (@blockaid_) May 27, 2026
The details published by Blockaid indicate that the incident involved deployer permissions and Stake DAO’s LayerZero OFT configuration, rather than a confirmed vulnerability within the LayerZero core protocol. As of the time of writing, Stake DAO has not published a full post-mortem regarding how the private key was compromised or the scope of the affected contracts.
This context places the incident alongside cross-chain messaging risks that gained attention following the approximately $292 million Kelp DAO/rsETH incident in April 2026, which also involved message flows through LayerZero. The difference is that in the Stake DAO case, the current data focuses on the project’s compromised key and OFT configuration.
Market and User Impact
Immediately following the incident, Stake DAO requested users not to interact with vsdCRV while the issue was being handled. With over 5.4 trillion new tokens minted, the risk lies not only in the dilution of the vsdCRV supply but also in the impact on liquidity pools, oracles, and protocols linked to this token on Arbitrum.
Curve Finance also issued a separate warning for users with deposits or loans in the asdCRV LlamaLend market on Arbitrum. According to Curve, the market was still operating normally at the time of the warning, but the price oracle could become unstable due to the exploit involving vsdCRV, increasing the risk of liquidation for borrowing/debt positions.
If you have deposits or loans in asdCRV LlamaLend market on Arbitrum – please exist ASAP out of precation.
The market is fine right now but its price oracle can become unstable due to the vsdCRV exploit which can cause liquidations. https://t.co/HhvMfzXEe9
— Curve Finance (@CurveFinance) May 27, 2026
Despite the massive amount of tokens minted, the value initially realized by the attacker was only around $91,200, which is much lower than the nominal figure because vsdCRV liquidity was insufficient to absorb the entire pool of new tokens. The final damage still depends on the amount of tokens swapped, the level of impact on related pools, and the remediation measures from Stake DAO.
What Remains Unclear
Stake DAO had not published a full post-mortem at the time the initial warnings were issued. The remaining open questions include how the private key was compromised, the scope of the affected contracts, the recovery status of the cross-chain configuration, and the level of remaining risk to related pools or markets on Arbitrum.
In the short term, users involved with vsdCRV, sdCRV, or markets using related oracles on Arbitrum still need to monitor official announcements from Stake DAO, Curve, and on-chain security entities. The incident also highlights key management risks in DeFi, especially for protocols that still allow deployer or admin keys to alter trust configurations between chains.
Credit: Source link