Key Highlights
- Stake DAO lost about $91,000 after an attacker minted trillions of unbacked vsdCRV tokens on Arbitrum.
- The exploit stemmed from a compromised deployer account that retained owner privileges for over two years.
- Around 43.8 ETH was stolen and later routed through Tornado Cash after bridging to Ethereum.
Stake DAO has published a detailed post-mortem report on a security incident that occurred on May 27, 2026, involving its vsdCRV token on Arbitrum. The organization said it has filed a criminal complaint with Swiss authorities and is cooperating with law enforcement while preserving evidence.
According to the post-mortem report, the attack resulted in the unauthorized minting of unbacked vsdCRV and the theft of approximately 43.8 ETH (roughly $91,000 at the time). The breach occurred after a deployer account that retained owner privileges on the vsdCRV LayerZero OFT contract on Arbitrum was compromised.
The attacker used this access to change the contract’s trusted peer to a malicious address, enabling the forgery of a cross-chain message. Within 25 seconds, the contract minted over 5.44 trillion vsdCRV for the attacker.
The attacker then swapped portions of the forged tokens through the Curve pool on Arbitrum, draining around 321,143 CRV and 7.5 ETH. These proceeds were converted to approximately 43.8 ETH, bridged to the Ethereum mainnet via Stargate, and later deposited into Tornado Cash in multiple transactions on May 31.
Incomplete ownership handover identified as a root cause
Stake DAO emphasized that this incident was not a smart contract vulnerability. The contracts functioned as designed once the attacker obtained the owner key. The root cause was an incomplete ownership handover during deployment.
The deployer EOA had retained owner rights on the Arbitrum OFT contract since March 2024, a period of over two years, instead of transferring control to the governance multisig. The project noted that its deployment practices treated deployer keys as temporary, but the handover step was never enforced.
The same account had accumulated residual privileged roles across roughly 120 contracts on multiple chains, most of which were deprecated or unused.
Security measures following the attack
The legitimate backing for vsdCRV, approximately 1.33 million sdCRV staked on Ethereum, was secured to the governance safe within 47 minutes of the forged mint. According to the report, this limited losses on the backing side to under 10,000 sdCRV. The minting path was closed the same day, ownership was transferred to the governance multisig, and all residual roles held by the compromised account were reviewed and reclaimed.
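The root cause above (a deployer key that still owned the OFT, and roughly 120 contracts with residual roles) and the remediation (ownership transferred to the multisig, residual roles reviewed) both come down to one recurring check: does every live contract's owner match governance, and does every cross-chain trusted peer match the canonical peer table? The script below is an added example written for this article, not Stake DAO's tooling. It runs offline over a constructed inventory; all addresses, contract names and chain labels are placeholders, and a real run would fill `inventory` from on-chain `owner()` and peer reads.

```python
"""Offline post-deployment privilege audit (added example, not Stake DAO code).

Flags two conditions named in the post-mortem: a retired deployer key that
still owns a contract (incomplete handover), and a trusted cross-chain peer
that no longer matches the canonical table (the forged-message precondition).
"""
from dataclasses import dataclass

# Constructed placeholder addresses; a real run uses the project's own.
GOVERNANCE_MULTISIG = "0xGOV0000000000000000000000000000000000001"
DEPLOYER_EOA = "0xDEP0000000000000000000000000000000000002"
ROGUE_PEER = "0xBAD0000000000000000000000000000000000003"
CANONICAL_ETH_OFT = "0xOFT0000000000000000000000000000000000004"
CANONICAL_ARB_OFT = "0xOFT0000000000000000000000000000000000005"


@dataclass(frozen=True)
class ContractState:
    """Snapshot of one contract's privileged configuration on one chain."""
    name: str
    chain: str
    owner: str
    live: bool      # False for deprecated or unused deployments
    peers: dict     # remote chain -> trusted peer address (OFT-style)


@dataclass(frozen=True)
class Finding:
    contract: str
    chain: str
    severity: str
    issue: str


def audit(inventory, expected_owner, retired_keys, canonical_peers):
    """Return findings for owner drift and trusted-peer drift.

    inventory:       iterable of ContractState (constructed here; a real run
                     would populate it from owner()/peer reads on each chain)
    expected_owner:  governance multisig every contract should be owned by
    retired_keys:    deployer / temporary keys that must hold no privileges
    canonical_peers: {(contract name, remote chain): expected peer address}
    """
    retired = {k.lower() for k in retired_keys}
    findings = []
    for c in inventory:
        owner = c.owner.lower()
        if owner != expected_owner.lower():
            if owner in retired:
                # The exact precondition of the incident: handover never done.
                sev = "high" if c.live else "medium"
                issue = "owner is a retired deployer key; handover never completed"
            else:
                sev = "medium"
                issue = f"owner {c.owner} is not the governance multisig"
            findings.append(Finding(c.name, c.chain, sev, issue))
        for remote, peer in c.peers.items():
            expected = canonical_peers.get((c.name, remote))
            if expected is None:
                findings.append(Finding(c.name, c.chain, "medium",
                                        f"peer for {remote} not in canonical table"))
            elif peer.lower() != expected.lower():
                # A rewritten peer lets a forged cross-chain message mint tokens.
                findings.append(Finding(c.name, c.chain, "critical",
                                        f"trusted peer for {remote} changed to {peer}"))
    return findings


def sample_inventory():
    """Constructed inventory modelling the situation described in the article."""
    return [
        # Live OFT on Arbitrum still owned by the deployer, peer already rewritten.
        ContractState("vsdCRV-OFT", "arbitrum", DEPLOYER_EOA, True,
                      {"ethereum": ROGUE_PEER}),
        # Correctly handed-over counterpart on Ethereum: no findings expected.
        ContractState("vsdCRV-OFT", "ethereum", GOVERNANCE_MULTISIG, True,
                      {"arbitrum": CANONICAL_ARB_OFT}),
        # Deprecated helper that the deployer never released.
        ContractState("legacy-strategy", "ethereum", DEPLOYER_EOA, False, {}),
    ]


CANONICAL_PEERS = {
    ("vsdCRV-OFT", "ethereum"): CANONICAL_ETH_OFT,
    ("vsdCRV-OFT", "arbitrum"): CANONICAL_ARB_OFT,
}


def run_sample():
    return audit(sample_inventory(), GOVERNANCE_MULTISIG, [DEPLOYER_EOA], CANONICAL_PEERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.name if hasattr(f, 'name') else f.contract}@{f.chain}: {f.issue}")
```

Run on a schedule, the ownership check would have surfaced the Arbitrum OFT on every run for two years; the peer check is the one that fires only after a compromise, and since the mint in this incident followed the peer change by 25 seconds, it belongs in event-driven monitoring of the peer-change transaction rather than a periodic sweep.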
Stake DAO also took proactive steps to protect related contracts, including the asdCRV OFTs, and coordinated with Curve Emergency DAO and LlamaRisk to safeguard the associated LlamaLend market.
No additional losses occurred in those areas. The Association has indicated it will propose a compensation plan for eligible affected users. Participation will be voluntary and subject to eligibility verification, sanctions screening, and legal requirements. Details are expected in a future communication.
Second security event for Stake DAO
This incident marks the second security event for Stake DAO in 2026, following a Votemarket oracle issue in March. While neither incident directly affected core protocol contracts or user deposits, the organization acknowledged the need to improve operational security practices. The investigation into how the deployer key was compromised remains ongoing.
The post-mortem provides extensive technical details, timelines, transaction data, and contract addresses for transparency. However, certain information has been withheld to protect the ongoing investigation.
As of the report’s publication, the vsdCRV OFT on Arbitrum has been deprecated, and the forged supply holds no redemption value.
