Guavy AI Editorial Team

Arbitrum Exploit Highlights Cross-Chain Admin-Key Security Risks

A recent exploit has brought attention to the importance of operational security in cross-chain decentralized finance (DeFi) systems. A compromised deployer key allegedly allowed an attacker to forge LayerZero mint messages and create trillions of vsdCRV tokens on Arbitrum.

According to a report by Blockaid, the attacker modified the trusted LayerZero peer tied to StakeDAO's vsdCRV OFT contract using the compromised deployer key. This change redirected trust away from the legitimate Ethereum-side adapter toward an attacker-controlled contract.

The attacker then sent a forged cross-chain message that minted trillions of vsdCRV tokens from a null address. Independent on-chain investigators later reconstructed the exploit timeline, tracing the attacker's preparation wallets, bridge activity, and token dumping transactions across Arbitrum and Ethereum.
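The peer change described above is the kind of configuration event a monitor can compare against a pinned allowlist. The sketch below is an added example, not code from Blockaid, StakeDAO or LayerZero. It assumes the OFT emits a `PeerSet(uint32 eid, bytes32 peer)` event with both fields non-indexed, and every address, endpoint id and transaction label in it is constructed.

```python
from dataclasses import dataclass

# Constructed values. PINNED maps remote endpoint id -> the only trusted peer,
# taken in practice from the deployment record, never from chain state.
GOOD_PEER = "0x" + "00" * 12 + "aa" * 20   # stand-in for the legitimate adapter
ROGUE_PEER = "0x" + "00" * 12 + "bb" * 20  # stand-in for an unknown contract
PINNED = {30101: GOOD_PEER}                # 30101: assumed Ethereum endpoint id

@dataclass
class Finding:
    tx: str
    eid: int
    peer: str
    reason: str

def decode_peer_set(data_hex):
    """Decode PeerSet log data: two 32-byte ABI words (uint32 eid, bytes32 peer)."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) != 64:
        raise ValueError("expected 64 bytes, got %d" % len(raw))
    if any(raw[:28]):
        raise ValueError("eid word is not a zero-padded uint32")
    return int.from_bytes(raw[28:32], "big"), "0x" + raw[32:].hex()

def audit_peer_events(logs, pinned=PINNED):
    """Return a Finding for every peer change that does not match the pinned map."""
    findings = []
    for log in logs:
        try:
            eid, peer = decode_peer_set(log["data"])
        except ValueError as exc:
            findings.append(Finding(log["tx"], -1, "", "undecodable: %s" % exc))
            continue
        want = pinned.get(eid)
        if want is None:
            findings.append(Finding(log["tx"], eid, peer, "peer set for unlisted endpoint"))
        elif peer.lower() != want.lower():
            findings.append(Finding(log["tx"], eid, peer, "peer differs from pinned value"))
    return findings

def _data(eid, peer):  # build constructed log data for the samples below
    return "0x" + eid.to_bytes(32, "big").hex() + peer[2:]

SAMPLE_LOGS = [  # constructed, not taken from the incident
    {"tx": "0xtx1", "data": _data(30101, GOOD_PEER)},
    {"tx": "0xtx2", "data": _data(30101, ROGUE_PEER)},
    {"tx": "0xtx3", "data": _data(40999, ROGUE_PEER)},
    {"tx": "0xtx4", "data": "0x1234"},
]
```

A finding on a pinned endpoint means the contract's trust anchor moved without a matching change to the deployment record, which is the condition to alert on before any cross-chain message is accepted from the new peer.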