Lemma Critical Brief · No. 002

Stake DAO vsdCRV Unauthorized Mint

LayerZero v2 Trust Source Rewriting via Deployer Key

Pillar 01 · Verifiable Origin Bridge Config Trust Identity & Auth
Incident date: 2026-05-27
Published: 2026-05-29
Authors: Lemma Critical Team
Related Pack: Pack A · Incident Response

TL;DR

On 2026-05-27, 5.4 trillion vsdCRV was minted without authorization on Arbitrum through the cross-chain infrastructure behind vsdCRV, a token of the DeFi protocol Stake DAO. The attacker compromised the Stake DAO deployer private key and used it to rewrite the vsdCRV trust source under LayerZero v2 (the Ethereum-side trusted source from which vsdCRV on Arbitrum accepts cross-chain messages) to a contract the attacker had deployed. The attacker then sent a forged cross-chain message from that contract to mint 5.4 trillion vsdCRV, swapped a portion to 43.781 ETH (approx. $91K), and bridged it to Ethereum. The Stake DAO team immediately protected the mainnet-side vsdCRV backing assets and paused the vsdCRV bridge, containing impact to Arbitrum.


Incident Overview

  • Impact: 5.4 trillion vsdCRV minted without authorization on Arbitrum. A portion was swapped to 43.781 ETH (approx. $91K) and bridged to Ethereum
  • Target protocol: Stake DAO (vsdCRV governance derivative token)
  • Underlying infrastructure: Cross-chain messaging via LayerZero v2
  • Detection: 2026-05-27, real-time detection by Blockaid
  • Compromised asset: The Stake DAO deployer private key
  • Scope: Contained to Arbitrum. Boosted Yields, Liquid Lockers, Votemarket, and Stake DAO lending on Morpho were not affected
  • Ongoing matter: The asdCRV Llamalend market on Arbitrum is being wound down

Timeline

  • 2026-05-27 (early): The attacker uses the Stake DAO deployer private key to rewrite the LayerZero v2 configuration, then sends a forged message that mints 5.4 trillion vsdCRV on Arbitrum
  • 2026-05-27: Blockaid detects the ongoing exploit in real time and publishes the attack flow
  • 2026-05-27: PeckShield Alert analyzes the exfiltration path, including the swap and bridge
  • 2026-05-28: Stake DAO publishes an initial statement. Contributors protect the mainnet-side vsdCRV backing assets and pause the vsdCRV bridge
  • 2026-05-29: The Stake DAO team publishes preliminary investigation results, confirming that impact is contained to Arbitrum and that core protocols including Boosted Yields are not affected. Investigation continues in coordination with law enforcement and security partners

Attack Vector

  1. Initial compromise: The Stake DAO deployer private key is compromised. The exact path was not publicly disclosed at the time of writing
  2. Trust source rewriting: Using the compromised deployer key, the attacker modifies the LayerZero v2 configuration. By design, vsdCRV on Arbitrum trusts only cross-chain messages sent from the legitimate Ethereum-side contract; the attacker rewrites that trusted source pointer to a contract they themselves deployed
  3. Forged messages: The attacker emits forged cross-chain messages from their contract to vsdCRV on Arbitrum
  4. Impact realization: vsdCRV on Arbitrum accepts the forged messages, and 5.4 trillion vsdCRV is minted without authorization. A portion is swapped on a DEX to 43.781 ETH (approx. $91K) and bridged to Ethereum
  5. Containment: The Stake DAO team swiftly protects the mainnet-side vsdCRV backing assets and pauses the vsdCRV bridge, containing impact to Arbitrum. The attacker could not seize the backing assets

Structural Analysis

This incident is a representative case of a cross-chain bridge in which the very configuration that anchors trust is left rewritable by a single key. The trusted source pointer for vsdCRV under LayerZero v2 is implemented as config that the contract owner (in this case, the holder of the deployer private key) can modify, and there is no independent verification layer over the config itself. The receiving contract (vsdCRV on Arbitrum) is designed to trust the legitimate sender that the config points to, so once the config was rewritten, the forged messages were accepted exactly as specified.

A case with the same structure is the April KelpDAO / rsETH unauthorized unlock (Brief 001). The two incidents compare as follows:

| Aspect | KelpDAO / rsETH (2026-04) | Stake DAO (2026-05) |
|---|---|---|
| Initial compromise | Intrusion into the LayerZero Labs operations environment (a social-engineering vector is cited) | Stake DAO deployer private key |
| Manipulated layer | The DVN observation layer (the content of RPC responses) | The LayerZero v2 trust source configuration itself |
| Form of tampering | Distorting observed results | Rewriting the trusted source pointer |
| DVN signing key | Not compromised | Not applicable (the rewrite alone is sufficient) |
| Bridge defense failure point | 1-of-1 DVN configuration | Single-key concentration over the trust source pointer |
| Shared structure | Cross-chain message trust has a concentration point in config or the observation layer, and that point is controllable by a single entity | Same |

Both incidents reach the same structure from different vectors. Following the KelpDAO incident, LayerZero Labs named the observation layer an independent category and announced policy changes including the DVN’s refusal of 1-of-1 configurations and a move to 3-of-3 by default. Those defensive measures did not cut off the present incident’s vector, which directly rewrites the LayerZero v2 configuration itself.


The Structural Gap Detection Alone Cannot Close

In this incident, Blockaid detected the attack in real time within minutes, which enabled the Stake DAO team to act quickly on containment (protecting backing assets and pausing the vsdCRV bridge). The detection layer demonstrably worked to limit the spread of damage, and this Brief does not deny the role of detection vendors.

That said, detection does not change what the bridge will accept. Once a forged message reaches vsdCRV on Arbitrum, the bridge accepts it in accordance with its config (the trusted source pointer the attacker rewrote). The structural layer boundary remains: detection cannot stop acceptance itself.
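
A detection-side check over the config layer discussed above compares every peer change on the receiving OApp against a baseline pinned outside the owner key's control; it shortens time to containment but does not change what the bridge accepts. This is an added example, not code from Stake DAO, LayerZero Labs, or Blockaid. It assumes the OApp emits LayerZero v2's `PeerSet(uint32 eid, bytes32 peer)` event with both fields in the log data and that logs are already filtered to that event; the endpoint id, addresses, transaction ids, and baseline are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders; none of these values come from the incident.
ETH_EID = 30101                            # assumed LayerZero v2 endpoint id for Ethereum
OAPP = "0x" + "aa" * 20                    # receiving OApp on the destination chain
GOOD_PEER = "0x" + "00" * 12 + "bb" * 20   # legitimate sender, left-padded to bytes32
# Baseline pinned out of band: (OApp address, remote eid) -> expected peer.
BASELINE = {(OAPP, ETH_EID): GOOD_PEER}

@dataclass
class Finding:
    severity: str
    tx: str
    detail: str

def decode_peer_set(data_hex):
    """Decode the data field of PeerSet(uint32 eid, bytes32 peer) into (eid, peer)."""
    h = data_hex[2:] if data_hex.startswith("0x") else data_hex
    raw = bytes.fromhex(h)
    if len(raw) != 64:
        raise ValueError("expected 64 bytes of event data, got %d" % len(raw))
    if any(raw[:28]):
        raise ValueError("eid word has non-zero padding; not a uint32")
    return int.from_bytes(raw[28:32], "big"), "0x" + raw[32:].hex()

def check_log(log, baseline=BASELINE):
    """Classify one PeerSet log against the pinned baseline."""
    try:
        eid, peer = decode_peer_set(log["data"])
    except ValueError as exc:
        return Finding("review", log["tx"], "undecodable PeerSet data: %s" % exc)
    expected = baseline.get((log["address"].lower(), eid))
    if expected is None:
        return Finding("high", log["tx"], "peer set for unpinned eid %d: %s" % (eid, peer))
    if peer.lower() != expected.lower():
        return Finding("critical", log["tx"], "eid %d peer is %s, baseline is %s" % (eid, peer, expected))
    return Finding("ok", log["tx"], "eid %d peer matches baseline" % eid)

def _data(eid, peer):
    return "0x" + eid.to_bytes(32, "big").hex() + peer[2:]

# Constructed sample logs: unchanged peer, rewritten peer, unpinned eid, malformed data.
SAMPLE_LOGS = [
    {"address": OAPP, "tx": "0xtx1", "data": _data(ETH_EID, GOOD_PEER)},
    {"address": OAPP, "tx": "0xtx2", "data": _data(ETH_EID, "0x" + "00" * 12 + "cc" * 20)},
    {"address": OAPP, "tx": "0xtx3", "data": _data(30999, GOOD_PEER)},
    {"address": OAPP, "tx": "0xtx4", "data": "0x1234"},
]
if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(check_log(log))
```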

In cases like this one, where a configuration rewrite was carried out through a legitimate process (LayerZero v2 accepted a config change from the attacker’s key), establishing in regulatory filings, administrative proceedings, or litigation that an unauthorized authority was exercised requires an independent layer between detection scores and proof. Post-event detection and pre-execution attestation, which attaches independently verifiable evidence to the message itself before the event, are not substitutes but complements; the structural response required is a design that combines both layers to establish the trust boundary. For a more detailed argument on the relationship between detection and pre-execution attestation, see The last layer left in AI-era cyber defense (Lemma, 2026-05).


Response and Industry Developments

Stake DAO (2026-05-28 to 29):

  • Protected the mainnet-side vsdCRV backing assets, putting them out of reach of the attacker
  • Paused the vsdCRV bridge, containing impact to Arbitrum
  • Confirmed that Boosted Yields, Liquid Lockers, Votemarket, and Stake DAO lending on Morpho were not affected
  • The asdCRV Llamalend market on Arbitrum is being wound down
  • Continuing investigation in coordination with law enforcement and security partners

Industry response:

  • Blockaid: Real-time detection of the ongoing exploit and public disclosure of the attack flow
  • PeckShield Alert: Independent analysis of the swap and bridge paths
  • The naming of the observation layer as an independent category and the strengthening of DVN configurations announced by LayerZero Labs after the KelpDAO incident did not directly cut off the present incident’s vector (direct config rewrite), but they had laid groundwork across the industry for the structural argument that cross-chain trust configurations concentrate around single keys

Lemma’s Analysis

Against the structural gap exposed by this incident (cross-chain message trust configurations have a concentration point in the config layer, and that point is controllable by a single entity), Lemma proposes a design that embeds an independently verifiable cryptographic proof in the cross-chain message itself, so that the verifier can verify message origin independently of the config layer. Even when the config has been rewritten, the proof tells the verifier through a separate channel whether the message came from a legitimate origin or not. For design details see Bridge exploits in 2026: the case for verifiable origin proofs (Lemma, 2026-04); for the reference implementation see verifiable-origin proof sample (GitHub).


Sources

  • Stake DAO official statement (initial) (2026-05-27, Stake DAO official X post) — “We are aware of the ongoing situation. Please do not interact with vsdCRV.” The first acknowledgment. There was no standalone official blog post; X served as the primary statement channel. https://x.com/StakeDAOHQ/status/2059586800255910039
  • Stake DAO official statement (follow-up) (2026-05-28, Stake DAO official X post) — Preliminary investigation; disclosure of the deployer private key compromise; protection of mainnet-side backing assets; pause of the vsdCRV bridge; containment to Arbitrum; confirmation that Boosted Yields, Liquid Lockers, Votemarket, and Stake DAO lending on Morpho were not affected. https://x.com/StakeDAOHQ/status/2059938235724320959
  • Blockaid threat intelligence (real-time detection) (2026-05-27, Blockaid official X post) — Real-time detection of the ongoing exploit; disclosure of the 5.4 trillion vsdCRV mint and the swap to ETH; on-chain evidence of malicious peer deployment, the setPeer call, and the mint transaction. There was no standalone official blog post; X served as the primary statement channel. https://x.com/blockaid_/status/2059573118927049152
  • PeckShield Alert analysis (2026-05-27, PeckShield Alert official X post) — Independent confirmation of the 5.4 trillion vsdCRV mint and the swap to 43.781 ETH (approx. $91K); analysis of the swap path via Curve / KyberSwap and the bridge to Ethereum. There was no standalone official blog post; X served as the primary statement channel. https://x.com/PeckShieldAlert/status/2059578749352640679

Cite this Brief

Lemma Critical Team. (2026).
"Stake DAO vsdCRV Unauthorized Mint — LayerZero v2 Trust Source Rewriting via Deployer Key".
Lemma Critical Brief No.002. Lemma / FRAME00, Inc.
https://lemma.frame00.com/critical/briefs/002-stakedao-vsdcrv/

About distribution

Lemma Critical Brief is a threat intelligence brief published by Lemma. It is structured analysis of public information — not an audit, assessment, or recommendation directed at any specific organization. For decision-support use, please consult your Lemma Critical contact directly.