Stake DAO Hit by Arbitrum Exploit; 5.44 Trillion vsdCRV Illegally Minted
A security breach on Arbitrum involving Stake DAO led to the unauthorized minting of a massive amount of vsdCRV, according to CoinDesk.
Disclosures indicate the attacker likely gained access to the protocol deployer's private key, then altered the LayerZero v2 endpoint settings used for vsdCRV crosschain messaging. With the endpoint redirected to an attacker-controlled address, the exploiter was able to fabricate crosschain messages and trigger abnormal minting.
As a result, roughly 5.44 trillion vsdCRV tokens were minted directly to the attacker's wallet without additional restrictions. The activity did not rely on buying tokens in public markets; instead, it exploited protocol permissions and crosschain message verification to create supply that should not exist.
Blockchain security firm Blockaid said the attacker has already sold part of the tokens, netting about 43.78 ETH, and bridged the proceeds back to Ethereum mainnet. Some of the minted tokens were also redeemed and transferred to Ethereum, a move that could complicate tracking and potential freezing efforts.
The incident centers on Stake DAO's vsdCRV and occurred on the Arbitrum network. Stake DAO said it is investigating how the private key may have been compromised, when the configuration changes were made, and whether any additional contracts or assets were affected. While the investigation continues, users are being urged to revoke related approvals to reduce follow-on risk.
The episode underscores a recurring DeFi risk: once privileged keys or crosschain configurations are compromised, fallout can quickly expand beyond a single contract into broader fund flows and liquidity conditions.
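The sequence described above (a privileged configuration change pointing the messaging endpoint at an unknown address, followed by an outsized mint) can be watched for in a token contract's event stream. The following is an added example, not code from Stake DAO, LayerZero or the original report; the event names, addresses, allowlist and mint cap are all hypothetical placeholders, and the sample events are constructed.

```python
from dataclasses import dataclass

# Hypothetical policy values; not Stake DAO's or LayerZero's real configuration.
APPROVED_ENDPOINTS = {"0xENDPOINT_APPROVED"}
MAX_MINT_PER_MESSAGE = 1_000_000  # whole tokens, assumed per-message limit


@dataclass
class Event:
    block: int
    kind: str        # "config_change" or "mint" (hypothetical normalized names)
    address: str     # new endpoint for config_change, recipient for mint
    amount: int = 0  # whole tokens, only meaningful for mint


def review(events):
    """Return (block, reason) alerts for one token contract's event stream."""
    alerts = []
    endpoint_trusted = True  # assume the deployment started from an approved endpoint
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "config_change":
            # Any endpoint outside the allowlist taints every later mint
            # until an approved endpoint is restored.
            endpoint_trusted = ev.address in APPROVED_ENDPOINTS
            if not endpoint_trusted:
                alerts.append((ev.block, f"endpoint set to unapproved address {ev.address}"))
        elif ev.kind == "mint":
            if not endpoint_trusted:
                alerts.append((ev.block, "mint accepted while endpoint is unapproved"))
            if ev.amount > MAX_MINT_PER_MESSAGE:
                alerts.append((ev.block, f"mint of {ev.amount} exceeds per-message cap"))
    return alerts


# Constructed sample stream (not real on-chain data).
SAMPLE = [
    Event(100, "mint", "0xUSER_A", 5_000),
    Event(205, "config_change", "0xUNKNOWN"),
    Event(206, "mint", "0xUNKNOWN", 5_440_000_000_000),
    Event(300, "config_change", "0xENDPOINT_APPROVED"),
    Event(301, "mint", "0xUSER_B", 12_000),
]

if __name__ == "__main__":
    for block, reason in review(SAMPLE):
        print(block, reason)
```

In practice the allowlist check belongs in an alerting path that fires on the configuration change itself, before any mint is processed.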