KelpDAO Recovers Over 30k ETH with One Click: Arbitrum Acts Urgently, Shaking the Industry

Writing: jsai@Golden Finance

On April 18, 2026, the DeFi space experienced its largest attack to date in 2026.

KelpDAO’s rsETH bridge (based on LayerZero cross-chain protocol) was exploited by hackers, forging approximately 116,500 rsETH (worth about $292 million). The hackers forged cross-chain messages, minted unbacked rsETH, then quickly exchanged it for ETH, dispersing funds on the Ethereum mainnet and Arbitrum One. About 30,766 ETH (approximately $71 million) remained on the Arbitrum One chain.

On April 21, the Arbitrum Security Council took rare emergency action, successfully transferring and recovering these funds. Compared to the 2022 incident where hackers stole 20 million OP tokens and Optimism explicitly refused to use emergency upgrades to pause or freeze token movement, this is the first known case in Stage 1 L2s (Arbitrum One, Optimism, Base, Starknet, etc.) where a Security Council was activated to freeze funds.

This incident demonstrates some L2s’ response capabilities in crises but also quickly sparked intense debate within the crypto community about the nature of “decentralization.”

1. Arbitrum’s one-click transfer of hacker funds

In a statement released on April 21, Arbitrum official said that after obtaining information about the attacker’s identity from law enforcement, the Security Council, after “extensive technical due diligence and review,” executed a “technical plan” to transfer 30,766 ETH from the hacker’s address to an “intermediary frozen wallet” (intermediary frozen wallet).

Freeze transaction tx

This wallet can only be unlocked through further action by Arbitrum governance and will not affect any other chain state, users, or applications.

The transfer was completed at 11:26 PM Eastern Time on April 20, and the hacker’s original address can no longer access the funds. This was a “surgical” intervention, not a full chain pause or hard fork.

The Arbitrum Security Council has taken emergency action to freeze 30,766 ETH held in Arbitrum One addresses related to the KelpDAO vulnerability. With law enforcement assistance, the Security Council identified the attacker’s identity and ensured that the action would not impact any Arbitrum users or applications, maintaining the security and integrity of the Arbitrum community.

After extensive technical investigation and review, the Security Council determined and implemented a technical solution to transfer the funds to a safe location without affecting any other chain state or Arbitrum users.

As of 11:26 PM Eastern Time on April 20, the funds have been successfully transferred to an intermediary frozen wallet. The original addresses holding these funds can no longer access them, and only after coordination with Arbitrum management and relevant parties can further action be taken to transfer these funds.

2. Details of the ETH transfer mechanism: Emergency authority of the Security Council

Arbitrum, as an optimistic rollup on Ethereum (currently rated Stage 1 by L2Beat), has a built-in trade-off mechanism between decentralization and security in its architecture.

Its core is a 12-member Security Council (elected by Arbitrum DAO), which has emergency upgrade authority. The council can authorize time-sensitive system contract upgrades or emergency measures via 9/12 multi-signature, aiming to protect the DAO, users, and the entire ecosystem. This is not a “backdoor,” but an open governance design used to respond to hackers, vulnerabilities, or major risks.

This action was not simply “banning an address,” but leveraging the Security Council’s upgrade capability to execute a precise transfer of ETH held by the hacker. Arbitrum’s rollup mechanism allows governance to control specific contract states or execute special transactions in emergencies without altering the entire chain consensus or affecting other addresses.

Based on on-chain analysis and technical reports, the core of this operation involved a temporary upgrade to the Inbox contract (the entry point for all Arbitrum→Ethereum messages on L1):

1. The Security Council authorized an emergency upgrade via 9/12 multi-signature: initiating a transaction on Ethereum mainnet to upgrade the Inbox contract (or other related system contracts). After the upgrade, a new function was temporarily added, allowing “any wallet address” to send cross-chain messages—without the private key of that address.

2. Forged transfer message from the hacker address: Using the new function, a message was constructed from L1→L2, impersonating the hacker address as sender, with content “transfer all ETH from this address to the intermediary frozen wallet.” This step essentially “signed on behalf of the hacker” a L2 transfer, triggered by the Security Council on L1.

3. Execution of transfer on L2: The message is executed via Arbitrum’s rollup mechanism on L2, transferring the 30,766 ETH from the hacker’s address directly to the intermediary frozen wallet. Control of this wallet is only with Arbitrum governance (DAO), which can unlock it via subsequent voting.

4. Atomic completion + rollback upgrade: The entire process (upgrade → forged message → transfer execution → removal of the new function/rollback) is completed atomically within a single Ethereum mainnet transaction. The upgrade is temporary, not permanently changing contract logic, nor affecting other addresses’ balances, contract states, or user interactions.

In simple terms: the hacker’s ETH remains on Arbitrum One, but the Security Council, by forging a transfer message from the hacker’s address, “moved” the stolen ETH from the hacker’s address to a frozen address controlled only by the DAO.

This reflects a practical compromise among speed, security, and decentralization in L2.

3. Community discussion and controversy

This action quickly sparked polarized reactions on X (Twitter) and crypto forums.

Many users praised it as a “correct and brave decision”: partial recovery of funds (about 24% frozen), protecting users of KelpDAO, Aave, and other protocols, avoiding larger systemic risks. Some joked “decentralized until you need it,” and pointed out that Bitcoin is the only chain that is truly “uncensorable,” while L2s are not purely decentralized.

Some even argued that if a chain can freeze stolen funds but chooses not to, that is dereliction of duty. The Security Council exists precisely for this purpose—acting swiftly and transparently, more efficiently than some centralized stablecoin issuers (like Circle). Community members and representatives (like Griff Green) even celebrated this as “a counterattack against hackers (suspected to have some national background).”

At the same time, many voices of opposition and concern emerged, highlighting the controversy of Arbitrum’s move, such as:

Disillusionment with decentralization: many pointed out that “this exposes Arbitrum as essentially a multi-signature wallet,” and that the Security Council can unilaterally freeze any address’s funds, setting a dangerous precedent. “Today hackers, tomorrow regular users?” “L2 decentralization is just a marketing term.”

Slippery slope concerns: critics argue that although the move is “technically correct,” it proves L2 still relies on trust in a small group (the 12-member council). If future governments pressure or governance is captured, similar powers could be abused. Some announced they would “no longer use Arbitrum, revert to L1.”

The open secret of Stage 1 rollups: supporters remind that this is a feature already marked as Stage 1 by L2Beat (most L2s like Base, Optimism are similar), not a bug. But opponents believe that the community’s misconception that “L2 = decentralization” has been torn apart by this incident, revealing the “last layer of pretense.”

Overall, the community consensus is: in the short term, this was a necessary and effective crisis response, but long-term it highlights that L2 governance still needs to evolve toward Stage 2 (full decentralization without upgrade keys).

This incident also re-emphasizes the eternal debate in DeFi: “Freeze stolen funds vs. absolute censorship resistance.”

Conclusion: The practical choice for L2 security

The Security Council’s action on Arbitrum successfully recovered part of the losses and demonstrated L2’s quick response capability in the face of large-scale hacks.

But it also reminds the industry: most current L2s are still “decentralized under governance protection,” not “code as law” like L1. As DeFi scales, balancing emergency intervention with minimizing long-term trust will be a key challenge for Arbitrum and the entire L2 ecosystem.

For ordinary users, this may be a signal: when choosing a chain, look beyond TVL and fees—consider governance transparency and emergency mechanisms.

Decentralization in the crypto world has never been absolute; it is an ongoing balancing act.