TL;DR:
- An attacker illicitly minted 5.44 trillion vsdCRV yield tokens on the Arbitrum scalability network.
- Blockchain security firms confirmed an initial diversion of funds to Ethereum worth an estimated 43.78 ETH.
- The technical incident is attributed to the direct compromise of a Stake DAO deployer private key, ruling out smart contract flaws.
The infrastructure of the decentralized finance platform Stake DAO was attacked. During Wednesday’s session, the unauthorized issuance of 5.4 trillion vsdCRV tokens was detected on the Arbitrum network. The incident was confirmed by the protocol’s development team through their official channels; they also urged users to avoid any type of interaction with the affected asset.
The origin of the incident on Arbitrum bridges
Technical reports from security firm Blockaid reveal that the address linked to the attack began swapping the vsdCRV token for Ether (ETH) in bulk. On-chain analysis from PeckShield revealed that the attacker managed to convert a fraction of the minted assets into 43.78 ETH, equivalent to about $91,000, funds that were subsequently sent to the Ethereum mainnet via decentralized bridges.
🚨 Blockaid detected an ongoing exploit targeting @StakeDAOHQ on Arbitrum.
The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH.
More details in 🧵
— Blockaid (@blockaid_) May 27, 2026
The vsdCRV asset functions within the platform as a yield derivative token directly linked to the Curve Finance liquidity ecosystem. Reports from audit firm BlockSec indicate that the attack vector did not originate from a vulnerability in the smart contract code. Preliminary investigations by BlockSec suggest that the attacker gained direct access to the Stake DAO deployer private key on Arbitrum.
By controlling this privileged credential, the attacker altered the cross-chain bridge configuration to link a malicious contract under their direct control on the Ethereum network. The co-founder of security firm Sodot, Shalev Keren, said that the malicious contract sent a validation message using LayerZero’s interoperability technology. This action deceived the core system and triggered the unconditional minting of 5.44 trillion vsdCRV to the attacker’s wallet address.
Structural vulnerabilities in the DeFi sector
This new exploit occurs in a quarter marked by a substantial increase in hacks targeting DeFi protocols. Cybersecurity sector estimates indicate that cumulative losses from exploits exceed $600 million since April 2026, a trend that analysts associate with the use of advanced artificial intelligence tools by attackers.
The absence of a multi-signature (multisig) scheme or a time-delay mechanism (timelock) allowed for the immediate execution of the exploit. Data from Sodot shows that just twenty-five seconds elapsed between the modification of the privileged configuration and the minting of the funds on the blockchain. This operational pattern shares structural similarities with the attack suffered by the Wasabi protocol last month.
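A monitoring rule for the pattern described above, as an added example that is not code from Stake DAO or any firm named here: it flags a bridge configuration change that skipped a timelock, and any mint authorised by the newly configured remote contract shortly afterwards. The event names, fields, thresholds and placeholder addresses are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Assumption: a mint this soon after a bridge config change is treated as suspect.
ALERT_WINDOW_SECONDS = 3600
# Assumption: minimum delay a governance timelock would impose on config changes.
MIN_TIMELOCK_SECONDS = 24 * 3600


@dataclass
class Event:
    ts: int           # block timestamp in seconds
    kind: str         # "ConfigQueued", "ConfigChanged" or "Mint" (hypothetical names)
    actor: str        # tx sender for config events; authorising remote contract for mints
    detail: str = ""  # new remote contract for config events; recipient for mints


def find_alerts(events):
    """Return alerts for un-timelocked config changes and the mints that follow them."""
    alerts = []
    queued = {}         # proposed remote contract -> time it was queued
    last_change = None  # (most recent ConfigChanged event, whether it was delayed)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ConfigQueued":
            queued[ev.detail] = ev.ts
        elif ev.kind == "ConfigChanged":
            queued_at = queued.get(ev.detail)
            delayed = queued_at is not None and ev.ts - queued_at >= MIN_TIMELOCK_SECONDS
            last_change = (ev, delayed)
            if not delayed:
                alerts.append(("CONFIG_WITHOUT_TIMELOCK", ev.ts, ev.actor, 0))
        elif ev.kind == "Mint" and last_change is not None:
            change, delayed = last_change
            gap = ev.ts - change.ts
            if not delayed and gap <= ALERT_WINDOW_SECONDS and ev.actor == change.detail:
                alerts.append(("MINT_AFTER_CONFIG_CHANGE", ev.ts, ev.detail, gap))
    return alerts


# Constructed sample events (placeholder addresses, not values from the incident).
SAMPLE = [
    Event(1_000, "ConfigQueued", "0xGOV", "0xREMOTE_A"),
    Event(91_000, "ConfigChanged", "0xGOV", "0xREMOTE_A"),     # waited out the delay
    Event(95_000, "Mint", "0xREMOTE_A", "0xUSER"),             # normal mint
    Event(200_000, "ConfigChanged", "0xDEPLOYER", "0xREMOTE_B"),  # never queued
    Event(200_025, "Mint", "0xREMOTE_B", "0xRECIPIENT"),       # 25 s after the change
]

if __name__ == "__main__":
    print(*find_alerts(SAMPLE), sep="\n")
```

The first alert fires at the configuration change itself, before any mint, which is the point at which a pause or key revocation can still limit the loss.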
The Stake DAO team is keeping minting operations temporarily suspended while coordinating with infrastructure providers and blockchain forensic analysis firms to track the movement of the remaining funds. The deployment of a patched contract on Arbitrum is expected once the full revocation of the compromised key’s functions is concluded.





