StakeDAO: Someone Minted 5.4 Trillion Tokens and Got $91K

On paper, the attacker had $763 billion worth of tokens. In practice, they extracted $91,000. The gap between those two numbers is the whole story.

SYNTH·Hack Database
StakeDAO's attacker printed 5.4 trillion vsdCRV tokens and walked away with $91K. The rest was worthless paper.

On May 27, 2026, someone became a trillionaire for about 25 seconds.

The number is real: 5,446,744,073,709 vsdCRV tokens minted to a single attacker wallet on Arbitrum. At the prevailing token price, that is approximately $763 billion on paper - more than the GDP of Switzerland, more than the market cap of most publicly traded companies on Earth.

The actual amount the attacker walked away with: $91,000.

That gap - between what exists on paper and what can be extracted from reality - is what defines this hack. And understanding it requires knowing what vsdCRV actually is.

vsdCRV is a token in the Curve Finance universe. Curve is one of DeFi's oldest and most important trading platforms, specializing in swapping stablecoins. StakeDAO is a platform that lets users stake assets to earn yield, with many of its products built around Curve. vsdCRV is StakeDAO's vote-boosted version of sdCRV - a derivative token used in automated yield strategies. It has a real function and real value, but its market is small. The pool of people willing to buy it has limits. Those limits mattered enormously on May 27.

The attacker stole StakeDAO's deployer private key - the master account that had administrative control over the vsdCRV token contract on Arbitrum. They used that key to do something subtle but devastating: they changed the LayerZero configuration.

LayerZero is a system that allows blockchains to talk to each other. StakeDAO's vsdCRV contract used LayerZero to validate instructions coming from Ethereum. The attacker changed the configuration to point not at the legitimate StakeDAO adapter on Ethereum, but at a contract the attacker controlled.

Twenty-five seconds later, the attacker sent a fake instruction through that contract. The Arbitrum-side vsdCRV token received the message, validated it against the new - malicious - configuration, and minted 5.4 trillion tokens to the attacker's wallet.

The code worked exactly as designed. The design had been compromised.

Then came the exit problem. The attacker needed to convert 5.4 trillion tokens into something they could actually spend. They tried. They systematically worked through available liquidity: exchanging batches of approximately 963,820 vsdCRV on Curve for CRV tokens, then moving to KyberSwap for ETH. They extracted what they could from every pool.

After all that, they had 43.78 ETH. Worth about $91,170. They bridged it to Ethereum mainnet and disappeared.

The remaining trillions of vsdCRV were worthless. No liquidity left to exit into.

The ripple effects were real even if the extracted funds were not. Curve Finance's lending market flagged a potential issue with its vsdCRV price oracle - the system that tracks the token's value and triggers liquidations if it drops too low. Curve warned that the exploit could destabilize the oracle and cause unexpected liquidations for users who had nothing to do with StakeDAO's deployer key.

Beefy Finance, a yield optimizer with a vault that included vsdCRV-linked assets, paused its Arbitrum Convex CRV/csdCRV/asdCRV vault immediately.

StakeDAO told users to stop interacting with vsdCRV entirely while the investigation continued.

EmberCN, an on-chain analyst, drew the direct comparison to Echo Protocol one week earlier. In that case, the attacker minted 1,000 eBTC worth $76.45 million on paper but could only extract $860,000 due to the same liquidity constraints. Two weeks. Two key compromises. Two protocols printing billions in tokens. Two attackers walking away with a fraction of what they "stole."

The security analyst from TradingView put it plainly: "There is one private key, controlling one privileged configuration function, with no multi-signature and no delay between the configuration change going through and the mint clearing on-chain."

One key. No multisig. No timelock. $763 billion on paper. $91,000 in the bank.
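
The failure described above (one owner key repointing the trusted cross-chain sender, with the mint clearing 25 seconds later) can be replayed against a small model, first without and then with a delay and an independent veto. This is an added Python example, not StakeDAO's or LayerZero's code; the class, its method names, the guardian role and the 48-hour delay used in the usage note are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

FORGED_AMOUNT = 5_446_744_073_709   # vsdCRV figure quoted in the article


@dataclass
class BridgedToken:
    """Hypothetical destination-chain token that mints on messages from its peer."""
    owner: str
    guardian: str                    # independent key that can veto queued changes
    peer: str                        # trusted sender contract on the source chain
    delay: int = 0                   # seconds; 0 models the unguarded setup
    pending: Optional[tuple] = None  # (new_peer, earliest execution time)
    balances: dict = field(default_factory=dict)

    def queue_peer(self, caller: str, new_peer: str, now: int) -> None:
        if caller != self.owner:
            raise PermissionError("only owner may change the peer")
        self.pending = (new_peer, now + self.delay)

    def execute_peer(self, now: int) -> bool:
        if self.pending is None or now < self.pending[1]:
            return False             # nothing queued, or timelock still running
        self.peer, self.pending = self.pending[0], None
        return True

    def veto(self, caller: str) -> None:
        if caller != self.guardian:
            raise PermissionError("only guardian may veto")
        self.pending = None

    def receive(self, sender: str, to: str, amount: int) -> bool:
        if sender != self.peer:      # origin check against the current config
            return False
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def replay(delay: int) -> dict:
    """Config change at t=0 with the owner key, forged message at t=25 s."""
    t = BridgedToken("deployer", "guardian", "legit_adapter", delay=delay)
    t.queue_peer("deployer", "attacker_contract", now=0)
    t.execute_peer(now=0)            # takes effect only when delay == 0
    minted = t.receive("attacker_contract", "attacker", FORGED_AMOUNT)  # t=25
    if t.pending is not None:        # assumed: monitoring notices the queued change
        t.veto("guardian")
    t.execute_peer(now=delay + 1)    # no-op after a veto
    return {"minted": minted, "peer": t.peer, "balance": t.balances.get("attacker", 0)}
```

`replay(0)` ends with the peer repointed and the full amount minted; `replay(48 * 3600)` ends with the original peer and a zero balance. The delay on its own only postpones the change, and it is the veto by a second key during that window that stops it.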

StakeDAO has not confirmed whether the compromised deployer key has been rotated or when affected contracts will be redeployed.

The Aftermath

StakeDAO told users to stop interacting with vsdCRV and has not confirmed whether the compromised deployer key was rotated or when contracts will be redeployed. Curve Finance flagged a potential oracle destabilization issue that could trigger unexpected liquidations in its lending market. Beefy Finance paused its affected Arbitrum vault. The 43.78 ETH ($91K) was bridged to Ethereum mainnet and remains unrecovered. The remaining 5.4 trillion vsdCRV tokens hold no extractable value due to lack of liquidity.

LESSONS LEARNED

- You can mint any number of tokens you want if you control the right key. What you cannot do is sell them all. Liquidity is the ceiling on what stolen tokens are actually worth.
- A deployer key with no multisig and no timelock is a single point of failure for the entire protocol. One compromise and the attacker controls the architecture.
- LayerZero's cross-chain messaging is only as secure as the contracts configured to use it. A compromised key can redirect all of it.
- Echo Protocol and StakeDAO both learned the same lesson one week apart. Nominal value in crypto is meaningless without exit liquidity.
