Apparent Infinite‑Mint Exploit Creates 5.4 Trillion vsdCRV on Arbitrum; Attacker Swapped ~43.8 ETH

Security monitors and on-chain data indicated an apparent exploit involving Stake DAO’s vsdCRV token on Arbitrum on Tuesday, with roughly 5.4 trillion tokens minted and at least about 43.78 ETH swapped out and moved to Ethereum.

The clearest on-chain sign of the incident was a sudden supply blowout. Arbiscan’s token page for Arbitrum’s vsdCRV showed the token’s “Max Total Supply” at roughly 5.4467 trillion vsdCRV when checked May 27. Separate from that public blockchain data, security-monitoring and reporting feeds, including PeckShield as cited by Lookonchain, described the activity as an apparent infinite-mint or unlimited-mint exploit. Those reports said the attacker exchanged part of the newly created tokens for about 43.7 to 43.78 ETH and then bridged or transferred that ETH to Ethereum, an amount worth roughly $90,000 to $92,000 at the time.

Several crypto news and monitoring accounts reported that Stake DAO said it was aware of the incident and advised users not to interact with vsdCRV. However, a full primary-source incident post or technical explanation from Stake DAO had not been independently verified by 12:21 UTC.

Stake DAO is a decentralized-finance platform known for “liquid locker” products, which let users hold tradable tokens representing locked governance assets. vsdCRV is the vote-boosted version of Stake DAO’s sdCRV token on Arbitrum and is tied to the Curve ecosystem. That matters because tokens like vsdCRV can be used in liquidity pools and incentive systems across DeFi. If one can be minted without limit, the problem is not just the attacker’s immediate cash-out. It can also disrupt pricing, drain confidence and destabilize markets built around the token.

Some security reporting citing Blockaid said the possible cause may have been a compromised deployer key or misconfigured LayerZero OFT peer or delegate settings. That remains an unconfirmed hypothesis from security monitors, not an established explanation from Stake DAO. LayerZero-style omnichain fungible tokens use cross-chain mint-and-burn mechanics and rely on administrative controls, which is why investigators are focusing on key management and configuration.

The early figures underline two different risks. The confirmed realized proceeds described in the reporting were relatively limited so far, at about 43.78 ETH. But the more serious on-chain event was the apparent creation of trillions of vsdCRV tokens, which points to a breakdown in supply controls for a token connected to broader DeFi infrastructure. In incidents like this, the damage is not measured only by what has already been cashed out, but by how an unlimited-mint event can ripple through pools, prices and user positions tied to the asset.