Arbitrum freezes $70 million in ETH linked to KelpDAO exploitation

The Arbitrum Security Council blocked the ETH held by the exploiters after coordinating with law enforcement.

Arbitrum said it launched an emergency intervention to recover funds related to the latest KelpDAO exploit after the Security Council revealed 30,766 ETH held on Arbitrum 1 at an address linked to the attacker.

User activity remains unaffected during the process.

Arbitrum entered the Security Council

The Council stated that it worked in coordination with the law enforcement agencies regarding the identity of the exploiter and said that the action is focused on maintaining the integrity of the network.

After technical analysis and internal discussion, the Arbitrum Council implements a mechanism to isolate and transfer the funds without affecting any other chain state or its users. The assets are moved to an intermediate wallet, effectively freezing them and removing access from the original address.

According to the official notification, the transfer was completed on April 20 at 11:26 PM. Any additional financial activity requires management level decisions in coordination with relevant stakeholders.

Shortly before the hack, Onchain Labs reported that the exploiter had apparently burned 30,766 ETH worth $70.94 million in arbitrage.

KelpDAO hack

The incident was related to the KelpDAO exploit on April 18, which resulted in the loss of 116,500 rETH tokens worth an estimated $292 million. It was one of the biggest DeFi breaches this year. The attackers targeted the KelpDAO cross-chain bridge built on LayerZero Labs' infrastructure. According to LayerZero, the attacker used decentralized authentication network components to compromise RPC nodes and disrupt normal operations, allowing a fraudulent chain message to be approved and executed.

You may also like:

LayerZero blamed the extent of the breach on KelpDAO's use of a 1-to-1 authentication configuration, which lacks independent authentication. KelpDAO responded:

“The 1-to-1 DVN configuration is a documented configuration in the LayerZero documentation and shipped as the default for any new OFT deployment. Kelp has worked on the LayerZero infrastructure since January 2024 and has maintained an open communication channel with the LayerZero team. The question of the DVN configuration was raised during the Kelp L2 expansion and the default was confirmed at the appropriate time.”

The impact spread beyond the bridge as a large portion of the stolen property was diverted to loan sharks. For example, on Aave V3, the attacker puts rETH as collateral and borrows a lot of rolled-up ETH. These areas are left with low health conditions, which increases the risk of bad debt in the protocol.