StakeDAO, a prominent yield optimization protocol, has become the latest victim of a significant security breach on the Arbitrum network. An attacker exploited a compromised deployer private key to mint approximately 5.446 trillion vsdCRV tokens, later swapping a portion for around 43.78 ETH (roughly $91,000) and bridging the funds to Ethereum.
The incident was first flagged by blockchain security platform Blockaid, which detected the unauthorized activity in real time. According to on-chain records, the attacker gained access to the StakeDAO deployer address 0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62. They then reconfigured the LayerZero v2 OFT peer setting on the vsdCRV contract, redirecting it to a malicious contract under their control. This allowed the forging of a cross-chain message that triggered the massive unauthorized mint from the zero address.
🚨 Blockaid detected an ongoing exploit targeting @StakeDAOHQ on Arbitrum.
The attacker just minted over 5.4 trillion vsdCRV and is actively swapping it for ETH.
More details in 🧵
— Blockaid (@blockaid_) May 27, 2026
The attacker quickly moved to liquidate the newly minted tokens through decentralized exchanges before bridging the extracted ETH to the Ethereum mainnet. The primary attacker wallet on Ethereum is reported as 0xeF3C054d8F7eD0a7D61c8da56ff55F090577aa25.
Root Cause Appears to Be Key Compromise
Investigations indicate the breach stemmed from a private key compromise rather than a vulnerability in the core smart contract code. The deployer address had reportedly been operating as a hot key in automated infrastructure, which may have increased its exposure.
StakeDAO has advised users to avoid interacting with vsdCRV tokens for the time being. The protocol’s overall Total Value Locked (TVL) stands at approximately $151 million, with only a relatively small portion directly exposed on Arbitrum.
Implications for DeFi Security
This exploit adds to a growing list of incidents in 2026 that highlight persistent challenges around private key management and operational security in decentralized finance. Even projects with strong reputations and multiple audits continue to face risks when critical keys are not properly secured through multisignature setups or cold storage.
Users who have interacted with StakeDAO contracts on Arbitrum are strongly recommended to revoke token approvals as a precautionary step.
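The on-chain sequence described above (an OFT peer change followed by a mint from the zero address) can be watched for directly. The sketch below is an added example, not StakeDAO's or Blockaid's code: it scans already-decoded LayerZero v2 `PeerSet` and ERC-20 `Transfer` events against an allowlist of approved peers. The record layout, peer values, endpoint id, supply figure and threshold are all constructed assumptions.

```python
# Added example: constructed, already-decoded event records (not real chain data).
ZERO = "0x" + "00" * 20
GOOD_PEER = "0x" + "00" * 12 + "aa" * 20   # placeholder bytes32 peer, approved
ROGUE_PEER = "0x" + "00" * 12 + "bb" * 20  # placeholder bytes32 peer, not approved

def scan(events, approved_peers, supply, cap_bps=1000):
    """Return (severity, block, reason) alerts for events given in block order.

    approved_peers: eid -> expected bytes32 peer; supply: token supply before
    the first event; cap_bps: largest single mint tolerated, in basis points
    of current supply.
    """
    alerts, rogue = [], {}  # rogue: eid -> block where an unapproved peer was set
    for ev in events:
        if ev["name"] == "PeerSet":
            if approved_peers.get(ev["eid"]) == ev["peer"].lower():
                rogue.pop(ev["eid"], None)  # peer restored to the approved value
            else:
                rogue[ev["eid"]] = ev["block"]
                alerts.append(("high", ev["block"],
                               f"eid {ev['eid']} peer set to unapproved {ev['peer']}"))
        elif ev["name"] == "Transfer" and ev["from"] == ZERO:  # mint
            if rogue:
                alerts.append(("critical", ev["block"],
                               f"mint of {ev['value']} while unapproved peer is set"))
            elif ev["value"] * 10_000 > supply * cap_bps:
                alerts.append(("high", ev["block"],
                               f"mint of {ev['value']} exceeds {cap_bps} bps of supply"))
            supply += ev["value"]
        elif ev["name"] == "Transfer" and ev["to"] == ZERO:  # burn
            supply -= ev["value"]
    return alerts

SAMPLE = [  # constructed stream: routine mint, peer swap, then an outsized mint
    {"name": "Transfer", "block": 100, "from": ZERO, "to": "0xuser", "value": 1_000},
    {"name": "PeerSet", "block": 200, "eid": 30101, "peer": ROGUE_PEER},
    {"name": "Transfer", "block": 201, "from": ZERO, "to": "0xattacker",
     "value": 5_446_000_000_000},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, {30101: GOOD_PEER}, supply=1_000_000):
        print(alert)
```

The peer change alone raises an alert before any mint occurs, which is the point at which a pause or key rotation can still limit the damage.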
This report is compiled independently from publicly available on-chain data and initial disclosures. Further updates are expected once StakeDAO publishes a detailed post-mortem on the incident.












