Stake DAO confirmed that no mainnet funds of Ethereum were lost during the Stake DAO exploit, where 5.4 trillion vsdCRV tokens were minted on Arbitrum. Contributors acquired the token support and closed the bridge before assets could be returned to the mainnet.
In a post on X, the protocol issued its first detailed update about 24 hours after the incident. It attributed this attack to a stolen deployer private key.
According to the update, an unauthorized party minted vsdCRV on Arbitrum. Then the team gained the backing of Ethereum, and the vsdCRV bridge was closed.
Also Read: CROPS AI: Dominate Multi-Hardware LLMs in 2026
Stake DAO Exploit Contained After Bridge Closure
After that move, the exploit of the Stake DAO was confined to Arbitrum. The Ethereum to Arbitrum bridge has been permanently closed. The Arbitrum asdCRV Llamalend market was impacted. Stake DAO confirmed the market being sunset.
It urged crvUSD depositors on that market to transfer funds to other Llamalend markets. Curve Finance had also urged users to exit Llamalend positions involving asdCRV.
There were no impacts on several core products. Boosted yields, Liquid Lockers, Votemarket, and Stake DAO lending on Morpho continue to work as well.
On May 27, the Stake DAO exploit was first identified by Blockaid. Blockaid attributed the problem to an update on the LayerZero v2 OFT peer’s token contract for the vsdCRV token.
The attacker caused a redirection of trust from the legitimate Ethereum side adapter to the malicious contract. This forged cross-chain message, in turn, resulted in the minting of 5.4 trillion vsdCRV on Arbitrum.
The substantial mint size was not associated with a comparable loss. The attacker has withdrawn approximately 43.78 ETH, which is equivalent to approximately $91,000.
Low Liquidity Limits Stake DAO Exploit Losses
Onchain analyst EmberCN noted that vsdCRV pools had only tens of thousands of dollars in liquidity. This rendered the bulk of the minted stock unsaleable.
The focus of Stake DAO’s update was on containment. The backing on the mainnet was done before the attacker could bridge the exploit back to Ethereum.
That action determined the results of the Stake DAO exploit. This also prevented the minting or transfer of vsdCRV on the bridge.
The protocol also verified the continued law enforcement efforts. Security partners are engaged, though Stake DAO didn’t specify which firms or agencies are involved.
The update was a change from the first notice on May 27. That only confirmed the problem and encouraged people not to engage with vsdCRV.
Stake DAO’s total value locked stands at about $151 million. A very small fraction was directly exposed on Arbitrum.
The Stake DAO exploit has brought deployer key risk back to the forefront. It also questioned the unlimited minting permissions in cross-chain token systems.
The protocol’s stance is clear at the moment. Mainnet funds were not compromised, and the damage on the Arbitrum side is still being investigated.
Also Read: Kraken Vault: Secure BTC Yield Soars 2026
