At 11:26 PM ET on April 20, the Arbitrum Security Council executed an emergency action that moved 30,766 ETH worth roughly $71 million out of a wallet linked to the KelpDAO exploit. The funds now sit in an intermediary frozen wallet where they can only be moved through a formal Arbitrum governance vote. The original attacker address no longer has access.
The council said it acted with input from law enforcement regarding the exploiter's identity and executed the transfer without impacting other Arbitrum users or applications. It also recovered roughly a quarter of the $292 million drained from Kelp's LayerZero-powered bridge on April 18. That is the clean version of the story. The harder version is what this move says about Layer 2 security assumptions.
The Exploit That Triggered It
On Saturday, April 18, attackers drained 116,500 rsETH from KelpDAO by compromising verifier infrastructure on the protocol's LayerZero-powered bridge. LayerZero's postmortem attributed the attack to North Korea's Lazarus Group. The attackers allegedly poisoned two RPC nodes in LayerZero's network and launched DDoS attacks against a third.
The spill went further than Kelp. Attackers minted unbacked rsETH and used it as collateral on Aave to borrow more than $200 million in real WETH before markets could freeze, leaving Aave with hundreds of millions in bad debt. In the days after the exploit, roughly $10 billion exited Aave as lenders and depositors reassessed counterparty risk.
LayerZero and Kelp have since traded public blame. LayerZero argued Kelp used a 1-of-1 DVN configuration that created a single point of failure. Kelp responded that the same configuration was the documented default for new OFT deployments. Both sides point to different paragraphs in the same documentation.
How the Freeze Actually Works
The Arbitrum Security Council is a 12-member body elected by Arbitrum DAO every six months. It controls a 9-of-12 multi-signature wallet and holds emergency powers to execute upgrades or freeze assets without a public vote. Council member Griff Green wrote on X that the body deliberated for several hours across technical, ethical, and political dimensions before nine of the twelve members approved the move.
Mechanically, the funds were transferred to a special intermediate wallet. The exploiter can no longer access them, and neither can the council on its own. Restoring any movement requires an Arbitrum governance vote by ARB token holders. That structure is meaningful: it converts an adversarial fund seizure into a pending governance question about how to return the funds to affected parties.
The Decentralization Question No One Wants to Answer
The freeze recovered stolen user funds. It also made explicit what had been implicit: on Arbitrum, a sufficiently motivated council can reach into any address and move the assets out of it. That same capability has existed on centralized stablecoins for years. Circle can freeze any USDC address at will, and Tether has done the same with USDT. What changed on April 20 is that the same power was exercised on ETH itself, on one of the largest Ethereum Layer 2 networks.
YCC founder Duo Nine framed the tension clearly, calling the move good for affected users and bad for decentralization, and warning that the precedent lets any assets on Arbitrum be taken from a wallet with sufficient justification. Supporters counter that pure neutrality would have let North Korean state actors launder stolen user funds without resistance.
Both positions are right simultaneously, which is why the debate will not resolve cleanly. What is settled is the technical reality. Layer 2 networks with active security councils are not the same trust model as Ethereum mainnet. Users who hold assets on these chains are trusting the council's judgment the way a bank customer trusts their bank, even if the marketing language suggests otherwise.
The Attacker Is Still Moving Funds Elsewhere
The freeze captured roughly a quarter of the total exploit. On-chain investigator ZachXBT reported that since the Arbitrum action, the attackers moved $1.5 million from Ethereum mainnet to Bitcoin via Thorchain, with another $78,000 routed through Umbra. The wallet flagged as the KelpDAO attacker also sent transfers of $57.93 million and $117.48 million on Tuesday morning as laundering continued through chains without equivalent freeze capability.
Whether more stolen funds can be frozen depends on where the attackers consolidate rsETH or its derivatives next, and whether other chains with comparable emergency powers decide to act. Kelp has said it is coordinating with ecosystem partners on a recovery fund and weighing next steps on unpausing, loss socialization, and legal coordination with affected counterparties.
The Arbitrum freeze is the clearest example yet of what emergency powers on a major Layer 2 look like in practice. It rescued user value, it triggered a debate the industry has been avoiding for years, and it left a pile of stolen ETH sitting in a multi-sig while ARB holders decide what comes next.