Stake DAO, a non-custodial liquid staking platform, became the target of a major exploit on Arbitrum after hackers allegedly compromised the protocol’s deployer private key, enabling the minting of more than 5.4 trillion vsdCRV tokens through a manipulated cross-chain messaging infrastructure, according to security firm Blockaid.

🚨 Blockaid detected an ongoing exploit targeting@StakeDAOHQ on Arbitrum.

The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH.

More details in 🧵

— Blockaid (@blockaid_) May 27, 2026

Advertisement

Investigators said the attacker took control of the Stake DAO deployer address and altered the LayerZero v2 OFT peer configuration linked to the vsdCRV token contract.

By redirecting trust from the legitimate Ethereum-side adapter to an attacker-controlled malicious contract, the hacker was able to send a forged cross-chain message that generated roughly 5.4 trillion new vsdCRV tokens, Blockaid explained.

Despite the exploit generating a nominal value estimated at $763 billion, the attacker struggled to convert the tokens into actual cash because of severely limited liquidity in vsdCRV markets.

On-chain analyst EmberCN reported that only 16.83 million tokens were exchanged for about 43.7 ETH, or roughly $91,000, before DEX liquidity dried up.

Stake DAO said that they were aware of the situation and warned users not to interact with vsdCRV.

We are aware of the ongoing situation.
Please do not interact with vsdCRV. https://t.co/3wZhMo52r6

— Stake DAO (@StakeDAOHQ) May 27, 2026