An attacker has minted 5.4 trillion vsdCRV tokens through an exploit that remains active on Stake DAO's Arbitrum protocol. The breach was detected as it unfolded, with no immediate fix deployed as of press time.
Scale of the minting
The sheer volume of tokens created — 5.4 trillion vsdCRV — dwarfs typical transaction flows on the platform. vsdCRV is a liquid staking derivative tied to Curve's CRV token, used within Stake DAO's yield-optimization products. The attacker appears to have exploited a vulnerability in the smart contract logic on Arbitrum, the layer-2 network where Stake DAO operates.
Details of the exploit mechanism have not been publicly confirmed by the team. Observers noted abnormal minting activity on-chain, with the attacker repeatedly generating tokens far beyond any legitimate supply cap.
Protocol's response
Stake DAO has not issued a formal statement or acknowledged the exploit through its official channels. Users of the protocol on Arbitrum face uncertainty; funds deposited in affected vaults may be at risk if the attacker can extract value from the newly minted tokens.
The exploit is ongoing. Blockchain security firms have flagged the incident, but no pause or emergency stop has been triggered on the smart contracts. This leaves the attacker free to continue minting or potentially convert the tokens into other assets.
What's at stake
VsdCRK is used within Stake DAO's ecosystem to earn yield from Curve liquidity pools. An uncontrolled minting event can dilute existing holders and destabilize the token's peg. The 5.4 trillion figure — if fully leveraged — could swamp the available liquidity on Arbitrum.
Stake DAO has not disclosed whether the attacker has already moved the tokens or cashed out. On-chain data shows the minting addresses remain active.
The incident adds to a string of DeFi exploits targeting Arbitrum protocols this year. No arrests or regulatory actions have been announced.
