Attacker Mints 5.4T vsdCRV on Arbitrum, Cashes Out $91K

An attacker minted more than 5.4 trillion vsdCRV tokens on the Arbitrum network after a suspected compromise of a StakeDAO deployer key. The attacker swapped part of the supply for 43.7 ETH, roughly $91,000 at the time, and bridged those funds to Ethereum. The majority of the minted tokens remained illiquid on Arbitrum.

Blockchain security firm PeckShield reported the swap and bridge activity. An on-chain analyst identified that about 16.83 million vsdCRV were exchanged for the ETH. The analyst estimated the full 5.4 trillion supply would equal about $763 billion on paper, a figure that does not reflect realized gains or confirmed losses for StakeDAO.

Shalev Keren, chief product officer and co-founder of crypto key-management firm Sodot, described how a single deployer key on Arbitrum was used to repoint a vsdCRV cross-chain bridge configuration to an attacker-controlled contract on Ethereum. About 25 seconds later that contract sent a LayerZero message back to Arbitrum, which triggered the legitimate Arbitrum token contract to mint the large supply to the attacker. Keren described the incident as an operational key issue rather than a smart contract vulnerability. “There is no smart contract bug here and no flaw in LayerZero,” he wrote. He noted the configuration function was controlled by a single private key without multi-signature protection or a delay between change and execution.

StakeDAO acknowledged the incident and warned users not to interact with vsdCRV. The project has not confirmed the full extent of any losses or provided details on recovery steps or key rotation.

The event highlights the gap between large nominal token mints and extractable value: thin liquidity in vsdCRV markets limited the attacker to converting a small fraction of the minted supply into ETH.

Security firms and analysts are monitoring related contracts, bridge configurations and any movement of the bridged ETH.