Stake DAO said an unauthorized party minted vsdCRV on Arbitrum, triggering a security incident that the protocol later described as contained to that network. The official update from Stake DAO was posted on May 28, 2026, and said contributors secured the vsdCRV backing on mainnet, closed the vsdCRV bridge and prevented attacker access to backing funds.
The incident was first flagged publicly by Blockaid on May 27, 2026. Blockaid said it detected an ongoing exploit targeting Stake DAO on Arbitrum, with the attacker minting more than 5.4 trillion vsdCRV and actively swapping the tokens for ETH.
Update on yesterday's incident: preliminary investigation indicates an unauthorised party (attacker) minted vsdCRV on Arbitrum.
Contributors quickly secured the vsdCRV backing on mainnet (no funds seizable by the attacker) and closed the vsdCRV bridge, containing the impact to… https://t.co/Z73Bz9FiAi
— Stake DAO (@StakeDAOHQ) May 28, 2026
Security Firms Point to Deployer-Key and LayerZero Peer Abuse
The technical explanation remains partly attributed to security researchers rather than a full Stake DAO postmortem. Reports citing Blockaid and BlockSec said the attacker appeared to gain control of a Stake DAO-linked deployer key and alter the LayerZero v2 OFT peer configuration for vsdCRV, redirecting cross-chain trust to a malicious contract before a forged message triggered the mint.
That mechanism centers on the setPeer() configuration path used in LayerZero-based omnichain token deployments. In practical terms, the reported issue was administrative-key control over a trusted cross-chain peer, not a confirmed flaw in Stake DAO’s broader product logic or in all of its smart contracts.
The attacker’s realized proceeds were much smaller than the nominal token amount. PeckShield reported on May 27, 2026 that 5.4 trillion vsdCRV had been minted on Arbitrum, and that part of the tokens had been swapped for 43.781 ETH, about $91,170, before being bridged to Ethereum.
Mainnet Backing Secured, Arbitrum Market Being Sunset
Stake DAO said the vsdCRV backing on mainnet was secured and that no backing funds were seizable by the attacker. The protocol also said the vsdCRV bridge was closed, containing the impact to Arbitrum while the investigation continues.
The team also identified parts of the protocol it currently considers unaffected. Stake DAO said Boosted yields, Liquid Lockers, Votemarket and Stake DAO lending on Morpho were not impacted, while the Arbitrum asdCRV LlamaLend market is being sunset and crvUSD depositors were told they can move funds to other LlamaLend markets.
The protocol has not yet published a full postmortem explaining how the deployer key was compromised, whether other privileged configurations were reviewed or what long-term control changes will follow. Stake DAO said law enforcement is ongoing and security partners are involved, but it has not named the agencies or firms assisting the review.
The immediate risk perimeter is narrow but still unresolved. The confirmed facts are the unauthorized vsdCRV mint on Arbitrum, the bridge closure, the secured mainnet backing and the sunsetting of the affected Arbitrum asdCRV market; the final root cause, complete recovery plan and any permanent governance or key-management changes remain pending.