StakeDAO Hack 2026 — $91K Exploit Analysis

Attacker exploited a compromised StakeDAO deployer private key on Arbitrum, reconfigured the LayerZero v2 OFT peer setting on the vsdCRV contract to redirect to a malicious contract, and forged a cross-chain message triggering a massive unauthorized mint of 5.446 trillion vsdCRV tokens.

Details

Full Description

On July 8, 2026, an attacker exploited a compromised StakeDAO deployer private key on Arbitrum. The attacker reconfigured the LayerZero v2 OFT peer setting on the vsdCRV contract to redirect to a malicious contract, then forged a cross-chain message that triggered a massive unauthorized mint of 5.446 trillion vsdCRV tokens from the zero address. The attacker swapped a portion of the minted tokens for approximately 43.78 ETH (~$91K) and bridged the proceeds to Ethereum. The attack was detected by Blockaid in real time.

Laundering Analysis

Minted vsdCRV swapped for ~43.78 ETH (~$91K) and bridged to Ethereum. No recovery reported at time of writing.

Sources

Transaction Hashes

Related Hacks

Back to Browse