Arbitrum Security Council Freezes 30,766 ETH Linked to KelpDAO Exploit

19 April, 2026 | Crypto | 50 sources

Key Takeaways

  • Arbitrum Security Council froze 30,766 ETH linked to Kelp exploit, moved to intermediary wallet.
  • KelpDAO rsETH bridge exploit drained about $292–293 million across roughly 20 chains.
  • Aave faces rsETH turmoil; markets suspended, signaling DeFi contagion and liquidity strain.

Freeze After Kelp Hack

Arbitrum froze 30,766 Ether (ETH) worth about $71.2 million held in a wallet connected to the Kelp protocol exploit, moving the assets to “an intermediary frozen wallet” that is “no longer accessible to the address that originally held the funds.”

Cointelegraph reports that Arbitrum’s security council—described as “a 12-member body elected by the Arbitrum community”—took “emergency action” to freeze the 30,766 ETH, and said the ETH “can only be moved by further action by Arbitrum governance.”

ForkLog similarly says the Security Council took “emergency measures” and froze 30,766 ETH being held in an address on Arbitrum One connected to the KelpDAO exploit, with the funds moved to an “interim frozen wallet.”

CoinCentral adds that the freeze was confirmed at 11:26 p.m. ET on April 20 and that “The stolen ether is no longer accessible to the address that originally held it.”

Multiple outlets tie the freeze to the Kelp hack that occurred on Saturday, with Cointelegraph stating Kelp was hacked for at least $293 million through its LayerZero-powered bridge.

Cointelegraph also links the exploit to “bad debt” in interconnected crypto lending markets, saying attackers used stolen Kelp tokens to borrow cryptocurrencies on Aave.

In parallel, CoinDesk frames the response as part of a broader laundering story, noting that “Layer 2 network Arbitrum said Monday it had frozen $71 million in ether linked to the hack.”

How the Exploit Worked

Cointelegraph describes the KelpDAO exploit that triggered Arbitrum’s freeze as a hack of Kelp’s LayerZero-powered bridge, saying Kelp was hacked for at least $293 million on Saturday.

CoinCentral states that attackers drained 116,500 rsETH by taking advantage of compromised verifier infrastructure, and it places total losses from the hack at “around $292 to $293 million.”

Cointelegraph adds that the exploit caused “millions of dollars' worth of ‘bad debt’ in the highly interconnected crypto lending market,” because attackers used stolen Kelp tokens to borrow cryptocurrencies on Aave.

Coinpedia and crypto.news both describe the freeze as a response to the attackers’ ability to move funds across chains, with Coinpedia saying the attacker “exploited a weakness in Kelp DAO’s LayerZero-powered bridge” and “walked away with 116,500 rsETH.”

Coinpedia also says the exploit targeted “compromised verifier infrastructure,” giving attackers “a clean entry point to drain funds worth an estimated $292 million.”

Crypto.news adds that early findings pointed to a “coordinated node compromise tied to Lazarus Group,” and it describes how “two nodes had been poisoned while a third was disrupted through a DDoS attack.”

Cointelegraph further reports that LayerZero accused North Korea of carrying out the attack, and it says the exploit has been linked to Lazarus Group in the broader narrative of state-sponsored crypto activity.

Governance, Law Enforcement, and Debate

Arbitrum’s freeze prompted a decentralization debate, with multiple outlets quoting both critics and Arbitrum figures about how the decision was made.

Cointelegraph says Arbitrum’s security council took “emergency action” and that it “weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications.”

ForkLog reports that the council acted with “input from law enforcement as to the exploiter’s identity,” and it quotes Arbitrum’s statement that “The team acted with input from law enforcement regarding the exploiter’s identity and, at all times, took into account its obligations to ensure the community’s security and integrity without affecting users or applications.”

CoinCentral adds that the Security Council is “a 12-member body elected by the Arbitrum community,” and it says “Nine of the 12 members voted in favor of freezing the funds.”

Cointelegraph and TradingView both describe the freeze as moving the funds to a wallet where the ETH “can only be moved by further action by Arbitrum governance,” and they report that multiple users on X criticized Arbitrum and questioned decentralization.

ForkLog includes a direct X critique: “so a council can just freeze 30k eth and we’re still calling this decentralized?” from Sandy.ETH, and it also includes a joke post from NozomiNetwork: “is it truly decentralised???”

Cointelegraph adds that Arbitrum Security Council member Griff Green posted that the group “did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political.”

Laundering and DeFi Fallout

While Arbitrum locked 30,766 ETH, other reporting focused on how the stolen funds were being moved and what that could mean for DeFi markets.

CoinDesk says “KelpDAO hackers are laundering millions in stolen crypto,” and it reports that “Arkham shows that the wallet in control of the proceeds of the exploit sent two transfers of $117 million and $58 million on the Ethereum blockchain during European hours on Tuesday.”

CoinDesk also says ZachXBT reported that “a portion of the stolen funds has already begun moving across chains,” and it notes that “Roughly $1.5 million was bridged from Ethereum to Bitcoin via Thorchain,” with “an additional $78,000 routed through the privacy protocol Umbra.”

CoinDesk frames the laundering as part of “DeFi contagion fears,” and it says the breach triggered “widespread liquidations across the decentralized finance sector amid fears that the exploit could impact other protocols.”

Cointelegraph similarly describes the exploit’s impact on lending, saying it has caused “millions of dollars' worth of ‘bad debt’ in the highly interconnected crypto lending market,” as attackers used stolen Kelp tokens to borrow on Aave.

ForkLog includes a section on Aave’s exposure, citing a balance “hole” of roughly $195m from Lookonchain and describing two scenarios laid out by LlamaRisk, including a case where Aave’s shortfall would be about $123.7m and another where bad debt would reach $230.1m if the deficit falls on L2s.

Invezz adds additional market pressure figures, saying “close to $10 billion in value exiting Aave since the exploit,” and it also states that “Withdrawal requests topped $5.4 billion within four hours of the exploit becoming public.”

LayerZero Dispute and What Next

The freeze also sits inside a dispute over the security design of Kelp’s cross-chain setup, with LayerZero and KelpDAO trading blame over the configuration used for verification.

Invezz reports that LayerZero criticized KelpDAO’s use of a “1-of-1 decentralized verified network configuration,” arguing it created “a single point of failure without independent verification,” and it says LayerZero added that “LayerZero and other external parties previously communicated best practices around DVN diversification to Kelp DAO.”

Invezz says KelpDAO pushed back, stating that “The 1-of-1 DVN setup is the configuration documented in LayerZero’s documentation and shipped as the default for any new OFT deployment,” and it adds that the arrangement had been “affirmatively confirmed as appropriate” during earlier discussions.
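
The dispute above turns on how many independent verifiers must sign off before a cross-chain message is accepted. As an added illustration (not code from LayerZero, Kelp DAO, or any outlet cited here), the sketch below audits a verifier set and flags a quorum that a single attestation can satisfy. The required-plus-optional-threshold model, the field names, and the placeholder addresses are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class VerifierConfig:
    """Hypothetical model: every required verifier must attest, plus
    `optional_threshold` of the optional ones."""
    required: list = field(default_factory=list)
    optional: list = field(default_factory=list)
    optional_threshold: int = 0


def _distinct(addresses):
    # Hex addresses are case-insensitive; normalise before comparing.
    return {a.lower() for a in addresses}


def forgery_cost(cfg):
    """Number of distinct verifiers that must sign off on a message, i.e. how
    many an attacker has to control to get a forged message accepted."""
    return len(_distinct(cfg.required)) + cfg.optional_threshold


def audit(cfg, min_independent=2):
    """Return a list of findings; an empty list means the quorum passed."""
    findings = []
    listed = cfg.required + cfg.optional
    if len(_distinct(listed)) != len(listed):
        findings.append("duplicate verifier address inflates the apparent quorum")
    if cfg.optional_threshold > len(_distinct(cfg.optional)):
        findings.append("optional threshold exceeds the optional verifier count")
    cost = forgery_cost(cfg)
    if cost == 0:
        findings.append("no verifier is required at all")
    elif cost < min_independent:
        findings.append(f"single point of failure: quorum of {cost}")
    return findings


# Constructed sample configurations; the addresses are placeholders.
ONE_OF_ONE = VerifierConfig(required=["0xVERIFIER_A"])
DIVERSIFIED = VerifierConfig(
    required=["0xVERIFIER_A", "0xVERIFIER_B"],
    optional=["0xVERIFIER_C", "0xVERIFIER_D", "0xVERIFIER_E"],
    optional_threshold=2,
)

if __name__ == "__main__":
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("diversified", DIVERSIFIED)):
        print(name, forgery_cost(cfg), audit(cfg) or "ok")
```

A check of this kind belongs in deployment review, where a default or inherited verifier set can be caught before the bridge carries value.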

CoinCentral says the freeze “sharpens an existing dispute between Kelp DAO and LayerZero over who is responsible for the hack,” and it adds that “LayerZero has not publicly commented on the Arbitrum freeze.”

CoinDesk and crypto.news both describe Kelp’s response as pausing contracts and blacklisting wallets tied to the attacker, with crypto.news stating “Kelp DAO halted contracts and blacklisting wallets tied to the breach, blocking a further 40,000 rsETH, estimated at roughly $95 million, from being drained.”

Cointelegraph and CoinCentral both emphasize that the frozen ETH is awaiting governance action, with Cointelegraph saying it “can only be moved by further action by Arbitrum governance,” and CoinCentral saying the funds will remain locked unless governance approves any further steps.

Cointelegraph also says the council acted with input from law enforcement and weighed security and integrity “without impacting any Arbitrum users or applications,” while CoinCentral adds that the freeze represents “about a quarter of the total amount stolen.”
