A private key. That is all it took. On-chain security firm Blockaid flagged an active exploit targeting Stake DAO on Arbitrum on May 27, 2026. The attacker had already minted over 5.4 trillion vsdCRV tokens and was actively converting them into ETH as the alert went out.
The scale of the mint is hard to place in normal context. 5,446,744,073,709 tokens created from nothing, backed by a stolen key.
The Key Was Already Gone Before Anyone Noticed
The Stake DAO deployer wallet, address 0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62, had been compromised. The attacker used it to reach into the vsdCRV token contract and reconfigure its LayerZero v2 OFT peer settings.
What that means in plain terms: the legitimate trust path from Arbitrum to Ethereum was cut. The attacker replaced it with a contract they controlled.
As Blockaid posted on X, the malicious peer deployment was executed on Ethereum first, with the cross-chain mint following shortly after on Arbitrum. The full transaction trail is on-chain. The malicious peer deployment sits on Etherscan, the cross-chain mint on Etherscan, and the Arbitrum-side mint transaction on Arbiscan.
Three steps. Reconfigure. Forge. Mint.
Funds Already Moving Off Arbitrum
By the time follow-up details emerged, the attacker had not paused.
As Coinminutes posted on X, roughly 43.78 ETH, worth around $91,000, had already been swapped and bridged to Ethereum mainnet. That figure was moving at the time of writing.
Stake DAO acknowledged the situation and told users to stay away from vsdCRV entirely.
“We are aware of the ongoing situation. Please do not interact with vsdCRV.” — As StakeDAO posted on X
The warning came after Blockaid had already made the attack public. Stake DAO has not yet issued a detailed post-mortem or disclosed whether the key compromise was isolated to this contract or touched other deployer functions.
LlamaLend Users Got a Separate Warning
The exploit did not stop at vsdCRV holders.
Curve Finance came out with its own alert directed at users holding deposits or open loans in the asdCRV LlamaLend market on Arbitrum. The concern is not that the market was directly drained. The concern is what happens next to its price oracle.
As Curve Finance posted on X, the oracle feeding that market can become unstable because of how the vsdCRV exploit has distorted token pricing in connected pools. An unstable oracle triggers unexpected liquidations, even on positions that looked healthy before the attack.
Curve called it a precautionary exit. That framing does not make it optional for anyone with real money in those positions.
The broader DeFi chain reaction here is the part other coverage has mostly skipped. An Arbitrum LP sitting in an asdCRV position right now faces liquidation risk that has nothing to do with anything they did wrong. The attacker’s minted tokens polluted the pricing environment for an entirely separate protocol.
LayerZero’s Peer Architecture Under Pressure Again
This is not the first time LayerZero’s cross-chain trust model has come under scrutiny after a key-related incident.
As Blockaid detailed on X, the setPeer transaction on Arbiscan was the moment the attacker locked in the redirect before minting. That three-step sequence — deploy malicious contract, set peer, mint cross-chain — was carried out cleanly. No obvious on-chain red flags at each individual step. Only the full pattern together revealed the attack.
LayerZero v2’s OFT architecture lets protocols configure which contracts are trusted on each chain. That configurability is also its attack surface when the deployer key is gone.
A named reaction came fast. As ChainlinkOnly posted on X, the incident renewed criticism around key management practices in cross-chain infrastructure, with pointed remarks about the risk of deployer key exposure in protocols relying on LayerZero.
Stake DAO has not publicly confirmed whether liquidity has been fully drained from connected pools or what recovery steps are planned. Blockaid’s monitoring remains active.
