Attacker exploited a compromised StakeDAO deployer private key on Arbitrum, reconfigured the LayerZero v2 OFT peer setting on the vsdCRV contract to redirect to a malicious contract, and forged a cross-chain message triggering a massive unauthorized mint of 5.446 trillion vsdCRV tokens.
On July 8, 2026, an attacker exploited a compromised StakeDAO deployer private key on Arbitrum. The attacker reconfigured the LayerZero v2 OFT peer setting on the vsdCRV contract to redirect to a malicious contract, then forged a cross-chain message that triggered a massive unauthorized mint of 5.446 trillion vsdCRV tokens from the zero address. The attacker swapped a portion of the minted tokens for approximately 43.78 ETH (~$91K) and bridged the proceeds to Ethereum. The attack was detected by Blockaid in real time.
Minted vsdCRV swapped for ~43.78 ETH (~$91K) and bridged to Ethereum. No recovery reported at time of writing.
N/A