Arbitrum Security Council Freezes 30,766 ETH Linked to Kelp DAO Exploit

Arbitrum’s Security Council took emergency action to freeze 30,766 ETH tied to the Kelp DAO exploit, moving the funds into “an intermediary frozen wallet” that “can only be accessed through further Arbitrum governance action.”

“An incident report published by Llamarisk to the Aave forum explains that a bridge exploit targeting KelpDAO’s Layerzero V2 rsETH route on Saturday allowed an attacker to extract 116,500 rsETH from Ethereum’s OFT adapter without burning any tokens on the source chain”

Bitcoin News

CoinDesk says the council “moved 30,766 ETH to a frozen intermediary wallet, accessible only via further governance action,” and adds that the transfer completed at “11:26 p.m. ET on April 20.”

Bitcoin News

CoinCentral similarly reports that “Arbitrum’s Security Council took emergency action on Monday night, freezing 30,766 ETH worth approximately $71 million,” and that the stolen ether “is no longer accessible to the address that originally held it.”

Crypto Briefing frames the same move as a response “two days after KelpDAO… was drained of approximately $292 million on April 18,” and says the ETH “can no longer be accessed at the original address.”

Cointelegraph describes the council as a “12-member body elected by the Arbitrum community” that took “emergency action” to freeze “30,766 Ether (ETH)” and says the ETH was moved to “an intermediary frozen wallet” and “can only be moved by further action by Arbitrum governance.”

Across the accounts, the freeze is presented as a targeted intervention that does not disrupt the broader network, with CoinDesk saying it was “without affecting other Arbitrum users or applications,” and CoinCentral stating “the freeze did not affect any other users or applications on its network.”

CoinDesk also ties the frozen amount to the scale of the exploit, saying the move “recovers roughly a quarter of the stolen assets” after attackers drained “116,500 rsETH” in a “$292 million rsETH exploit.”

The freeze came after a KelpDAO bridge exploit that multiple outlets place on Saturday, April 19, with some accounts anchoring the hack to April 18.

CoinDesk says the freeze was linked to “Saturday's $292 million rsETH exploit” and that attackers “pulled 116,500 rsETH by exploiting compromised verifier infrastructure.”

CoinCentral

CoinCentral likewise places the bridge exploit on “Saturday, April 19,” and says attackers “drained 116,500 rsETH by taking advantage of compromised verifier infrastructure,” estimating “total losses from the hack are estimated at around $292 to $293 million.”

Crypto Briefing describes the incident as occurring “two days after KelpDAO… was drained of approximately $292 million on April 18,” and says the attacker “targeted a vulnerability in LayerZero’s cross-chain messaging system.”

Crypto Briefing also quantifies the token impact, saying the breach allowed the attacker to siphon “116,500 rsETH tokens, roughly 18.5% of the circulating supply,” and that the circulating supply was “around 630,000 tokens before the attack.”

Cointelegraph and CoinDesk both connect the exploit to LayerZero’s bridge and to a suspected North Korea-linked actor, with CoinCentral reporting that “LayerZero… said with preliminary confidence that North Korea’s Lazarus Group was behind the attack.”

The fallout spread into lending markets, with Crypto Briefing stating that rsETH was “accepted as collateral on Aave, Compound, and Euler,” and that “Aave’s total value locked fell from roughly $15 billion to $8.4 billion in 48 hours.”

Arbitrum’s Security Council framed the freeze as both a security measure and a decision made through internal deliberation, while critics questioned whether such governance intervention undermines decentralization.

“Arbitrum freezes $71 million in ether tied to Kelp DAO exploit The layer-2 network's security council moved 30,766 ETH to a frozen intermediary wallet, accessible only via further governance action”

CoinDesk

CoinDesk says the council “acted with input from law enforcement as to the exploiter’s identity” and executed the freeze “without impacting any Arbitrum users or applications.”

CoinCentral adds that the council is “a 12-member body elected by the Arbitrum community,” and says “Nine of the 12 members voted in favor of freezing the funds.”

CoinCentral quotes council member Griff Green saying the group “did not make this decision lightly,” and that there were “countless hours of debates, technical, practical, ethical and political.”

Cointelegraph similarly reports that Green posted on X that the group “did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political,” and that “nine members of the 12-member council voted to freeze the funds.”

ForkLog includes a longer quotation from Green’s X post, stating, “I’m a member of the Security Council & I can tell you we did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political.”

ForkLog also records community pushback, including a user question: “so a council can just freeze 30k eth and we’re still calling this decentralized?”

The freeze also sharpened a dispute between KelpDAO and LayerZero over responsibility for the exploit and the security design used for the bridge.

CoinDesk says the freeze “intensifies the dispute between Kelp and bridge provider LayerZero over responsibility for the hack and how remaining losses should be shared.”

Coinpedia

Crypto.news reports that LayerZero criticized KelpDAO’s use of “a 1-of-1 decentralized verified network configuration,” arguing it created “a single point of failure without independent validation.”

Crypto.news quotes LayerZero’s position that Kelp “chose to utilize a 1/1 DVN configuration,” while Kelp disputed that claim and said “The 1-of-1 DVN setup is the configuration documented in LayerZero’s documentation and shipped as the default for any new OFT deployment.”

Coinpedia similarly states that “LayerZero blamed Kelp’s team” and that “The 1/1 setup is described in LayerZero’s documentation and is the default for any new OFT deployment,” adding that “We have been running on their infrastructure since January 2024 and have stayed in contact throughout.”

CoinCentral also notes that “The freeze also sharpens an existing dispute between Kelp DAO and LayerZero over who is responsible for the hack,” and says Kelp DAO is “coordinating with ecosystem partners on a recovery fund and evaluating next steps on loss socialization and legal coordination.”

CoinDesk says the freeze leaves Kelp with “a partial recovery option,” while LayerZero “has not publicly commented on the Arbitrum freeze.”

Beyond the immediate freeze, the sources lay out how the Kelp exploit’s losses could propagate through Aave and other lending markets, with multiple scenarios tied to how rsETH holders absorb deficits.

“Ethereum layer-2 blockchain Arbitrum on Monday froze more than 30,000 Ether worth about $71”

Cointelegraph

Crypto Briefing says rsETH was accepted as collateral on Aave, Compound, and Euler, and that “When the token’s price collapsed after the exploit, lending markets seized up,” while also reporting that “Withdrawal requests topped $5.4 billion within four hours.”

Cointelegraph

Bitcoin News states that Llamarisk estimates “bad debt between $123.7 million to $230.1 million across 7 affected markets, depending on how Kelp socializes losses.”

ForkLog quotes LlamaRisk’s scenario framing, stating “Then Aave’s shortfall would be about $123.7m, and rsETH could fall 15% against the leading altcoin,” and also describing a second scenario where “bad debt would reach $230.1m.”

Bitcoin News adds operational details, saying the attack occurred “at 17:35 UTC in Ethereum block 24,908,285,” and that the adapter balance fell “from 116,723 rsETH to 223 rsETH in a single block.”

It also reports that “The Protocol Guardian began freezing all rsETH and wrsETH reserves across all Aave V3 deployments at approximately 19:00 UTC on April 18,” and that “The Protocol Guardian also froze WETH on Core, Prime, Arbitrum, Base, Mantle, and Linea at approximately 02:00 UTC on April 20.”

CoinCentral and Cointelegraph emphasize that the frozen ETH will remain locked pending governance, with Cointelegraph saying it “can only be moved by further action by Arbitrum governance,” and CoinCentral saying “The funds will remain locked unless governance approves any further steps.”