May 27 vsdCRV Mint on Arbitrum: Trillions Created, But Only ~$91,000 Extracted


The fallout from this week’s huge unauthorized mint of Stake DAO’s vsdCRV token on Arbitrum appears, at least so far, to be far smaller than the headline number suggested. While the attacker created trillions of tokens on paper, on-chain activity and security reports indicate the realized damage was limited, and several DeFi protocols moved quickly to warn users and reduce knock-on risk.

The exploit, disclosed in security reporting on May 27, involved roughly 5.446 trillion newly minted vsdCRV on Arbitrum, a Layer 2 blockchain tied to Ethereum. According to multiple forensic summaries and on-chain data, the attacker was only able to extract about 43.78 ETH, worth roughly $91,000 at the time, before liquidity dried up.

Stake DAO, a decentralized finance protocol known for Curve- and Convex-linked yield strategies, issued a brief public warning as the incident unfolded: “We are aware of the ongoing situation. Please do not interact with vsdCRV.” As of the reporting reflected in available research, that short advisory was the only clearly verified public statement from the protocol on the specific May 27 event. Broader claims circulating in some coverage about the incident being contained or other systems being unaffected were not backed by a fuller official Stake DAO disclosure.

Security researchers and multiple outlets said the exploit appears to have been enabled by a compromised Stake DAO deployer or admin key. According to those reports, the attacker used that access to alter LayerZero OFT peer settings. OFT, or Omnichain Fungible Token, is a cross-chain token standard that depends on trusted links between versions of a token on different networks. If those peer settings are changed by someone with admin privileges, researchers said, an attacker can potentially forge a message that causes unbacked tokens to be minted on another chain.

That distinction matters. Forensic reporting said the attacker appears to have created new, unbacked vsdCRV rather than directly draining user vault balances. Initial on-chain traces reviewed by security monitors did not show direct emptying of Stake DAO user vaults, according to those summaries.
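The mechanism described above points to two checks a monitoring team can run. The Python below is an added example, not code from Stake DAO or LayerZero: it reviews peer changes against an allowlist and measures remote supply that exceeds locked backing. It assumes the token emits LayerZero V2-style `PeerSet(eid, peer)` logs that have already been decoded and that the deployment is lock-and-mint; every endpoint id, address and amount is a constructed placeholder.

```python
from dataclasses import dataclass

# Constructed values throughout: endpoint ids, addresses and amounts are
# placeholders, not data from the incident.
HOME_EID = 30101                                         # assumed eid of the home chain
EXPECTED_PEERS = {HOME_EID: "0x" + "0" * 24 + "a" * 40}  # eid -> bytes32 peer
APPROVED_ADMINS = {"0x" + "b" * 40}                      # e.g. a governance multisig

@dataclass(frozen=True)
class PeerChange:
    """One decoded PeerSet(eid, peer) log plus the sender of its transaction."""
    block: int
    eid: int
    peer: str
    tx_from: str

def review_peer_changes(changes, expected=EXPECTED_PEERS, admins=APPROVED_ADMINS):
    """Return (block, reason) alerts for peer changes that break the allowlist."""
    alerts = []
    for c in changes:
        want = expected.get(c.eid)
        if want is None:
            alerts.append((c.block, f"peer set for unlisted eid {c.eid}"))
        elif c.peer.lower() != want.lower():
            # Checked independently of the sender: a stolen admin key still
            # looks like an approved sender.
            alerts.append((c.block, f"peer for eid {c.eid} replaced with {c.peer}"))
        if c.tx_from.lower() not in admins:
            alerts.append((c.block, f"peer changed by unapproved sender {c.tx_from}"))
    return alerts

def unbacked_supply(locked_on_home: int, remote_supply: dict) -> int:
    """Base units minted on remote chains beyond what is locked on the home chain."""
    return max(0, sum(remote_supply.values()) - locked_on_home)

SAMPLE_CHANGES = [
    PeerChange(100, HOME_EID, EXPECTED_PEERS[HOME_EID], "0x" + "b" * 40),    # routine
    PeerChange(200, HOME_EID, "0x" + "0" * 24 + "c" * 40, "0x" + "b" * 40),  # swapped peer
]

if __name__ == "__main__":
    for block, reason in review_peer_changes(SAMPLE_CHANGES):
        print(f"ALERT block {block}: {reason}")
    print("unbacked:", unbacked_supply(1_000, {"arbitrum": 1_500}))
```

The second sample change is sent by an approved admin and is still flagged, which is the case that matters when the admin key itself is compromised.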

The incident still triggered a wider defensive response because of how deeply integrated Stake DAO products are with other parts of DeFi. Curve Finance, the decentralized exchange and lending ecosystem closely tied to CRV-based strategies, warned users: “If you have deposits or loans in asdCRV LlamaLend market on Arbitrum – please exit ASAP out of precaution.” Beefy Finance, a yield optimizer that aggregates returns across protocols, also paused a related Arbitrum vault tied to Convex and Stake DAO exposure.

Those moves reflected a familiar DeFi problem: even when an exploit does not directly drain customer deposits, a compromised token can threaten lending markets, collateral positions and vault strategies that depend on it. In this case, post-incident monitoring suggested no further large conversions followed the initial swaps, and some observers described the situation as appearing contained based on the on-chain picture and the market’s thin liquidity. But that remains an observation from external reporting and blockchain data, not a formal declaration from Stake DAO.

For now, the clearest takeaway is the gap between the nominal size of the mint and the actual proceeds extracted. Trillions of unauthorized tokens briefly appeared on Arbitrum, but only a much smaller amount seems to have been turned into usable assets. What remains missing is a detailed official postmortem from Stake DAO explaining exactly what happened and what safeguards, if any, have changed since.
