Overview
- Researchers reported that the attacker created roughly 5.4 trillion vsdCRV on Arbitrum and began swapping the fake tokens for ETH, with portions of proceeds already converted and bridged to Ethereum.
- Security firms Blockaid and BlockSec traced the vector to a compromised Stake DAO deployer private key that changed the LayerZero v2 OFT peer for vsdCRV and allowed a forged mint message to execute.
- Stake DAO warned users not to interact with vsdCRV while the exploit remained active and has not published a verified postmortem or an official loss estimate.
- On‑chain tracer PeckShield reported about 43.78 ETH from the swaps was bridged to Ethereum, and analysts warn liquidity pools and sdCRV/vsdCRV holders face material risk from supply dumps and pool imbalance.
- The incident echoes other 2026 attacks that exploited privileged keys and cross‑chain messaging, highlighting the need for multisig deployers, timelocks, hardware key custody, and real‑time transaction validation.
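
One way to apply the real-time validation mentioned above to the peer change described in this overview, as an added example that is not code from Stake DAO, LayerZero, or the firms named here. It decodes the data field of the LayerZero v2 OApp `PeerSet(uint32 eid, bytes32 peer)` event and flags any peer change that does not match an approved configuration or does not come from an approved governance address. The endpoint id, addresses, transaction ids, and the log dictionary layout are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder values, not real addresses or deployments.
GOOD_PEER = "0x" + "00" * 12 + "aa" * 20   # approved remote OFT, left-padded to bytes32
ROGUE_PEER = "0x" + "00" * 12 + "bb" * 20  # peer nobody approved
TIMELOCK = "0x" + "11" * 20                # hypothetical multisig/timelock executor
EOA = "0x" + "22" * 20                     # hypothetical single-key deployer

APPROVED_PEERS = {30101: GOOD_PEER}        # assumed out-of-band config: eid -> peer
APPROVED_SENDERS = {TIMELOCK}

@dataclass
class Alert:
    tx: str
    eid: int
    peer: str
    reasons: list

def decode_peer_set(data_hex):
    """Decode PeerSet's non-indexed ABI data: uint32 eid, then bytes32 peer."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) != 64:
        raise ValueError("PeerSet data must be exactly two 32-byte words")
    if any(raw[:28]):
        raise ValueError("eid does not fit in uint32")
    return int.from_bytes(raw[:32], "big"), "0x" + raw[32:].hex()

def check_peer_events(logs):
    """Return an Alert for every peer change that fails either policy check."""
    alerts = []
    for log in logs:
        eid, peer = decode_peer_set(log["data"])
        reasons = []
        if APPROVED_PEERS.get(eid) != peer:
            reasons.append("peer not in approved config")
        if log["tx_from"].lower() not in APPROVED_SENDERS:
            reasons.append("sender is not the approved timelock/multisig")
        if reasons:
            alerts.append(Alert(log["tx"], eid, peer, reasons))
    return alerts

def encode(eid, peer):  # helper used only to build the constructed sample logs
    return "0x" + eid.to_bytes(32, "big").hex() + peer[2:]

SAMPLE_LOGS = [  # constructed events, not taken from the incident
    {"tx": "0xtx1", "tx_from": TIMELOCK, "data": encode(30101, GOOD_PEER)},
    {"tx": "0xtx2", "tx_from": EOA, "data": encode(30101, ROGUE_PEER)},
]
```

A check like this is most useful when it runs before execution, for example as a condition on the timelock queue, so that an unapproved peer is rejected rather than only reported.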