Stake DAO's Arbitrum protocol was hit by an infinite-minting exploit on May 27. The attacker managed to create 5.4 trillion synthetic vsdCRV tokens before the team stopped the breach.
How the attack worked
The exploit targeted the protocol's synthetic token mechanism on Arbitrum, allowing the attacker to mint an enormous supply of vsdCRV tokens. Those tokens are meant to represent locked CRV positions, but the infinite-minting bug let the attacker generate them without backing. The minting spree ran until core contributors noticed abnormal activity.
Containment and response
Stake DAO's core contributors acted quickly after detecting the exploit. They secured the mainnet funds that backed the synthetic tokens, preventing the attacker from draining real assets. The team also shut down the vsdCRV bridge between Arbitrum and Ethereum, cutting off the attacker's ability to move the minted tokens. That move effectively contained the exploit — the attacker couldn't convert the synthetic tokens into anything of value on the mainnet.
What's at stake for users
The affected protocol is part of Stake DAO's Arbitrum deployment, which lets users deposit CRV to earn yields. The vsdCRV token is a synthetic representation of that locked position. With the bridge down, users can't move vsdCRV across chains for now. The team has not announced when the bridge will reopen or how they'll handle the 5.4 trillion tokens that were minted.
Unanswered questions
Stake DAO hasn't disclosed whether the attacker managed to profit before the bridge was cut, or how much was lost in the process of shutting the bridge down. The protocol's core contributors have said they'll share more details after a full review. Users are waiting for a clear timeline on when normal operations will resume.

