
StakeDAO deployer key was compromised on Arbitrum, allowing an attacker to mint 5.4T fake vsdCRV tokens and extract ~$91K in ETH.
Author: Akshat Thakur
27th May 2026 – An attacker compromised StakeDAO’s deployer private key on Arbitrum today. As a result, 5.4 trillion vsdCRV tokens were forged through a cross-chain message, and the attacker extracted roughly $91,000 in ETH.
SWISH
@0xSwish
@blockaid_ @StakeDAOHQ It’s all so tiresome…. Just use Chainlink. https://t.co/5N1wxLSKJP

🚨 Blockaid detected an ongoing exploit targeting @StakeDAOHQ on Arbitrum. The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH. More details in 🧵
03:45 PM·May 27, 2026
HuCk
@_0xHuCk
@blockaid_ @StakeDAOHQ This isn’t the last exploit to happen, many more to come.
12:30 PM·May 27, 2026
Cocoahomology
@cocoahomology
@blockaid_ @StakeDAOHQ who's got layerzero's private keys lying around, we need to stop them from bridging back
10:45 AM·May 27, 2026
The attack began around 09:17 UTC on Tuesday. Specifically, the attacker called the setPeer function on the vsdCRV OFT contract using the compromised key. This call redirected cross-chain trust from the legitimate Ethereum adapter to a malicious contract.
Within seconds, a forged LayerZero v2 message triggered a mint. In total, 5,446,744,073,709.55 vsdCRV tokens appeared in the attacker’s wallet directly from the zero address.
On-chain security firm Blockaid first flagged the incident at 09:51 UTC. According to Blockaid, the StakeDAO deployer key was the entry point for the entire attack.
vsdCRV is an Omni Fungible Token (OFT) that uses LayerZero v2 for cross-chain transfers. Essentially, the OFT contract trusts a specific “peer” address on the source chain to validate mint messages. The deployer key held admin rights to change this peer address.
The attacker swapped the peer for Ethereum (endpoint ID 30101) to a contract they controlled. Then they sent a forged LayerZero message mimicking the legitimate Ethereum-side adapter. Because the peer had changed, the Arbitrum OFT contract accepted the message and executed the mint.
The StakeDAO exploit involved no smart contract bug. According to Blockaid, the attack relied purely on operational compromise of the admin key. The setPeer transaction was confirmed at 09:17:33 UTC, and the mint transaction followed just 25 seconds later.
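The sequence described above, an admin setPeer call followed seconds later by a mint from the zero address, is something a monitor can correlate. The following is an added example, not code from StakeDAO, Blockaid or LayerZero; it assumes events are already decoded from the OFT's PeerSet and ERC-20 Transfer logs, and the allow-listed peer, addresses, timestamps and 300-second window are constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20
# Constructed allow-list (placeholder): endpoint ID -> approved peer as bytes32.
EXPECTED_PEERS = {30101: "0x" + "00" * 12 + "aa" * 20}
MINT_WINDOW_S = 300  # assumption: correlate mints within 5 min of a peer change

@dataclass
class Event:
    ts: int      # block timestamp, unix seconds
    name: str    # "PeerSet" or "Transfer"
    args: dict   # decoded event arguments

def normalize(peer: str) -> str:
    """Lower-case a hex address/bytes32 and left-pad it to 32 bytes."""
    h = peer.lower()
    h = h[2:] if h.startswith("0x") else h
    return "0x" + h.rjust(64, "0")

def detect(events, expected=EXPECTED_PEERS, window=MINT_WINDOW_S):
    """Return (severity, ts, message) alerts for unapproved peers and follow-on mints."""
    alerts, bad_peer_ts = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "PeerSet":
            eid, peer = ev.args["eid"], normalize(ev.args["peer"])
            want = expected.get(eid)
            if want is None or peer != normalize(want):
                bad_peer_ts = ev.ts
                alerts.append(("HIGH", ev.ts, f"eid {eid} peer set to unapproved {peer}"))
        elif ev.name == "Transfer" and ev.args["from"].lower() == ZERO:
            if bad_peer_ts is not None and ev.ts - bad_peer_ts <= window:
                delta = ev.ts - bad_peer_ts
                alerts.append(("CRITICAL", ev.ts,
                               f"mint of {ev.args['value']} {delta}s after unapproved peer change"))
    return alerts

# Constructed sample log modelled on the article's sequence (all values are placeholders).
SAMPLE = [
    Event(1000, "Transfer", {"from": ZERO, "to": "0x" + "11" * 20, "value": 10**18}),
    Event(2000, "PeerSet", {"eid": 30101, "peer": "0x" + "bb" * 20}),
    Event(2025, "Transfer", {"from": ZERO, "to": "0x" + "22" * 20, "value": 5 * 10**30}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The routine mint at the start of the sample raises nothing; only the peer change to an address outside the allow-list and the mint that follows it within the window are reported.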
Between 09:17 and 09:43 UTC, the attacker executed roughly 28 swap transactions. These trades ran across Curve, KyberSwap, MetaMask Router, and Enso. In total, the swaps converted portions of the minted vsdCRV into 43.78 ETH, worth approximately $91,000. PeckShield independently verified the swap activity.
Next, the attacker bridged the ETH via Stargate to Ethereum mainnet at 10:04 UTC. The funds landed on Ethereum shortly after and still sit in the attacker’s wallet (0xeF3C054d8F7eD0a7D61c8da56ff55F090577aa25).
Thin liquidity on Arbitrum limited the total damage. Despite minting 5.4 trillion tokens, the attacker could only extract about $91,000 before draining the available pool depth. Notably, no user funds left StakeDAO vaults during this incident.
setPeer() permissions.
0x62d5a59e0d67c0381aad53b201b4a1b8dcd2c833
StakeDAO posted a warning on X at 10:45 UTC: “We are aware of the ongoing situation. Please do not interact with vsdCRV.” According to governance filings and audit records, this marks the protocol’s first security incident.
Meanwhile, Curve Finance issued its own advisory at 13:55 UTC. The team warned: “If you have deposits or loans in asdCRV LlamaLend market on Arbitrum, please exit ASAP out of precaution.”
Curve’s concern centers on oracle stability. Because vsdCRV depegged instantly, oracle feeds used by related Curve markets could become unstable. While no liquidations have occurred so far, the risk remains active.
This StakeDAO exploit is the fourth reported private key compromise in DeFi within roughly two weeks, according to community analysts. The pattern highlights a persistent weakness: single-key admin access to critical functions without multisig or timelock protections.
On-chain data shows the attacker funded intermediate wallets via Tornado Cash approximately three days before the exploit. Gas arrived at the attacker’s wallet around 08:52 UTC on May 27. That timeline, roughly 25 minutes before the setPeer call, suggests a planned attack rather than an opportunistic move.
StakeDAO’s total TVL sits at approximately $153 million according to DefiLlama. The Arbitrum portion saw no meaningful TVL change because the attacker minted unbacked tokens instead of draining existing deposits. Similarly, the SDT governance token trades at roughly $0.1194 and shows no material price impact so far.
Timeline of StakeDAO vsdCRV LayerZero Exploit
Wallet 0xeF3C...aa25 receives initial ETH funding, marking the earliest observable precursor activity before the exploit execution.
The compromised deployer key calls setPeer() on the vsdCRV OFT contract, replacing the legitimate LayerZero Ethereum peer with an attacker-controlled address.
A forged LayerZero message mints 5,446,744,073,709.551615 vsdCRV directly from the zero address into the attacker wallet, massively inflating supply instantly.
Roughly 28 swaps occur across Curve, KyberSwap, MetaMask Router, and Enso. Thin liquidity significantly limits extraction despite enormous minted supply.
Blockaid publicly warns about the ongoing incident and highlights the abnormal 5.4T vsdCRV mint.
Attacker transfers 43.780996 ETH through Stargate/LayerZero to Ethereum mainnet, consolidating stolen proceeds into another controlled wallet.
StakeDAO acknowledges the incident publicly and warns users not to interact with vsdCRV while investigations begin.
Curve Finance publishes precautionary alerts concerning possible oracle impacts on asdCRV-related LlamaLend positions.
No additional swaps or bridges detected. Total realized extraction remains around 43.78 ETH (~$91K). Damage appears limited to the compromised deployer key and worthless inflated vsdCRV supply.
Neither StakeDAO nor any researcher has disclosed how the key compromise occurred. Possible vectors include phishing, malware, or insider access. Since the event is less than eight hours old, no governance proposals or code changes related to the incident response have appeared yet.
Whether the attacker plans additional swaps or will target other contracts linked to the same deployer key also remains unclear. Fund recovery appears unlikely because the proceeds already sit on Ethereum in the attacker’s wallet.
For any protocol using LayerZero OFT contracts with single-key admin access to setPeer, this StakeDAO exploit serves as a direct warning. The attack vector requires no smart contract vulnerability. Protocols should consider migrating admin controls to multisig wallets or adding timelocks to sensitive configuration functions.
This is not financial advice. Always do your own research before interacting with DeFi protocols.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.