Blockchain security firm Blockaid has flagged an exploit on StakeDAO's Arbitrum deployment. The attacker used a compromised deployer private key to mint over 5.4 trillion vsdCRV tokens — a staggering amount that dwarfs the token's normal supply. The trick? Manipulating LayerZero's cross-chain messaging protocol to reconfigure the trusted peer for StakeDAO's vsdCRV OFT contract.
Inside the attack
The exploit chain started with a stolen deployer key. That gave the attacker control over StakeDAO's vsdCRV contract on Arbitrum. From there, they altered the contract's "trusted LayerZero peer" setting — essentially telling the bridge to accept messages from an address they controlled. With that in place, they fired off cross-chain messages that minted tokens out of thin air.
Blockaid's researchers caught the activity and flagged it publicly. The firm didn't say whether the funds were already drained or if the minting was halted. But 5.4 trillion vsdCRV is a lot of tokens, and even a fraction of that could wreak havoc on liquidity pools or pricing oracles.
LayerZero's role
LayerZero is a popular interoperability protocol that lets tokens move between blockchains. Projects using its OFT (Omnichain Fungible Token) standard rely on a trusted peer configuration to ensure only authorized parties can send cross-chain messages. In this case, the attacker changed that configuration — which LayerZero itself warns can be a risk if private keys are compromised. The attack didn't break LayerZero's cryptography; it abused the permission system after the key was stolen.
This isn't the first time a cross-chain bridge has been exploited via compromised keys. But the scale here is notable: 5.4 trillion tokens minted in a single go, all because one private key wasn't secured.
What Blockaid found
Blockaid's detection was specific: the reconfiguration of the trusted LayerZero peer for StakeDAO's vsdCRV OFT contract. They identified the on-chain transactions where the peer was changed and the subsequent minting. The firm shared the attack details without naming any specific victim or exchange — just the technical breakdown. It's a reminder that smart contract audits aren't enough if off-chain key management is sloppy.
Unanswered questions
The biggest open question: did the attacker manage to convert those minted tokens into real value? With 5.4 trillion vsdCRV, even a tiny liquidity pool could be drained if the tokens were swapped. But Blockaid's report doesn't say. Also unclear is whether StakeDAO had any multisig or timelock protections on the deployer key. The exploit happened on Arbitrum, one of the largest Ethereum layer-2 networks. The next step for users is to watch for any announcements from StakeDAO about compensation or a post-mortem. So far, silence.
