Stake DAO has confirmed that an exploit on Arbitrum let an attacker mint more than 5 trillion vsdCRV tokens, but the mainnet boundary held. The attacker allegedly got control of a privileged deployer key and used it to alter cross-chain messaging, allowing unauthorized minting on Arbitrum.
Reports cite roughly 44 Ether, or about $91,000, extracted as the attacker started swapping the new tokens for Ether. Crucially, Stake DAO says no funds were lost on Ethereum mainnet, and the Arbitrum bridge was closed fast to stem the exploit’s route.
Law enforcement has been contacted and the protocol has emphasized containment—the idea that the damage didn’t jump from Arbitrum to broader Ethereum assets. They specifically called out that Morpho, the decentralized lending protocol tied to Stake DAO exposure, was untouched.
That separation matters for users: lending positions and collateral on Morpho were isolated from the exploited vsdCRV token route on Arbitrum. Stake DAO’s main message is that the breach was serious, but it was not system-wide. Boundaries in the protocol architecture appear to have limited what could have been a much wider impact.