Arbitrum Pretends to Be a Hacker and "Steals" the Lost Funds from KelpDAO Back


Author: Deep Tide TechFlow

Last week, KelpDAO was hacked and nearly $300 million was stolen, making it the largest DeFi security incident of the year so far.

The stolen ETH is now spread across multiple chains, with about 30,765 tokens remaining in an address on the Arbitrum chain, worth over $70 million.

This story seemed to have come to an end, but today there’s a new development.

According to monitoring by on-chain security firm PeckShield, the funds in the hacker's address on Arbitrum were transferred out a few hours ago. Oddly, they were sent to an address that is almost entirely zeros: 0x00000…

Everyone was speculating at the time: had the hacker burned their own funds by sending them to a black-hole address? Had they had a change of conscience, or been turned in?

Neither.

A few hours ago, Arbitrum’s official forum posted an emergency action notice explaining the situation. The hacker’s funds were transferred by Arbitrum’s Security Council.

Strangely, the council did not know the hacker's private key, did not freeze the hacker's funds, and had no standing authority to transfer them; instead, it issued a transfer "in the hacker's name."

The hacker was unaware, their private key was not leaked, and on-chain records look as if the hacker operated it themselves.

The mechanism behind this is that all cross-chain messages between Arbitrum and Ethereum pass through a bridge contract called Inbox. The Security Council used emergency permissions to temporarily upgrade this contract, adding a new function:

To send cross-chain transactions in the name of any wallet address, without needing that wallet’s private key.

They then used this function to forge a message with the sender set to the hacker's wallet, instructing "Transfer all my ETH to the frozen address." When Arbitrum received it, it executed as usual, producing the odd on-chain transfer seen in the screenshot above.

After transferring the hacker’s funds, the contract was immediately downgraded back to its original version. The upgrade, forgery, transfer, and rollback were all completed within a single Ethereum transaction. Other users and applications were unaffected.
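To make the mechanism concrete, here is an added Python model (not Arbitrum's code) of the three moving parts: an upgradeable proxy in front of the Inbox, a temporary implementation whose extra function sets the L1-to-L2 message's sender to any address, and a rollup that executes whatever the Inbox delivers because it checks no L2 signature. Member names, the hacker and frozen addresses, and the balance map are constructed; the 9-of-12 threshold is taken from the article, and L2 execution is simplified to a balance map processed after the L1 step.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class L1ToL2Message:
    """What the rollup receives: `sender` is a plain field, not a signed value."""
    sender: str  # L2 address the call executes from
    to: str
    value: int

class Inbox:
    """Normal implementation: the L2 sender is always the L1 account that called it."""
    @staticmethod
    def send(queue, caller, to, value):
        queue.append(L1ToL2Message(caller, to, value))

class EmergencyInbox(Inbox):
    """Temporary implementation with the extra function: choose any sender address."""
    @staticmethod
    def send_as(queue, spoofed_sender, to, value):
        queue.append(L1ToL2Message(spoofed_sender, to, value))

class Proxy:
    def __init__(self, impl):
        self.impl = impl
        self.queue = []  # proxy storage: the pending queue survives implementation swaps

class Rollup:
    """Toy L2: balances only; it trusts every message the Inbox delivers."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def process(self, queue):
        while queue:
            msg = queue.pop(0)
            if self.balances.get(msg.sender, 0) < msg.value:
                raise ValueError("insufficient balance")
            self.balances[msg.sender] -= msg.value
            self.balances[msg.to] = self.balances.get(msg.to, 0) + msg.value

def council_emergency_transfer(signers, members, threshold, proxy, target, frozen, amount):
    """Upgrade, forge one message in `target`'s name, roll back: modelled as one atomic step."""
    if len(set(signers) & set(members)) < threshold:
        raise PermissionError("council threshold not met")
    original = proxy.impl
    proxy.impl = EmergencyInbox()
    try:
        proxy.impl.send_as(proxy.queue, target, frozen, amount)
    finally:
        proxy.impl = original  # downgrade in the same transaction; send_as is gone again
```

The point the model makes visible: the rollup cannot tell the forged message from one the hacker sent, since the sender field is whatever the implementation behind the trusted proxy wrote, and after the rollback the spoofing function no longer exists.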

This operation is unprecedented in Arbitrum’s history.

According to the forum announcement, the Security Council had confirmed the hacker’s identity with law enforcement beforehand, pointing to North Korea’s Lazarus Group, the most active state-sponsored hacking organization in DeFi this year. The council conducted a technical assessment to ensure no impact on other users before proceeding.

Since the hacker acted first, the move amounts to "you started it, so don't blame us for fighting dirty." How the frozen ETH will be handled afterward depends on Arbitrum's DAO governance and coordination with law enforcement.

Recovering over $70 million in stolen funds is certainly a good outcome. But it's worth noting the premise: nine of the twelve Security Council members can sign off to bypass all governance votes, enabling instant upgrades to any core on-chain contract.

Praise for the result, concern about the capability?

Currently, community reactions are quite divided.

Some believe Arbitrum did a great job, protecting assets at a critical moment and boosting confidence in L2. Others ask a very direct question: if nine people can sign to move any assets in anyone’s name, isn’t that centralized?

I believe both sides are actually talking about different things.

The former is about the outcome; the latter about the capability. The result is undoubtedly good: over $70 million recovered. But the capability demonstrated here, modifying core contract functions by multisig, is neutral in itself; how it is used, whether for chasing hackers or something else, what can be done and how, is ultimately determined by the committee's governance.

However, for most users of Arbitrum, this discussion might be less practical than a simple fact: Arbitrum isn’t unique. Most mainstream L2s currently retain similar emergency upgrade permissions.

Your chain probably also has a similar security council with comparable capabilities. This isn’t an Arbitrum-specific choice; at this stage, most L2s share this common design.

From another perspective, this attack and defense reveal a larger picture.

The attacker is North Korea’s Lazarus Group, attributed to at least 18 DeFi attacks this year. Three weeks ago, they stole $285 million from Drift Protocol, using a completely different method.

On one side, state-sponsored hackers are continuously upgrading their attack techniques; on the other, L2s are beginning to use underlying permissions for counterattacks. The security battle in DeFi is moving from “post-incident freezing, on-chain calls, and hoping white hats intervene” into a new phase.

In a critical moment, a universal key was created to open the hacker’s address, then the key was melted away afterward. In terms of capability, being able to respond to hacker attacks isn’t necessarily bad.

And if we elevate this to a philosophical debate about "decentralization," there are many points to discuss. Centralized practices in the industry are plentiful; at least this time, the focus was on handling a negative event and solving a problem, rather than creating one.

Looking pragmatically, KelpDAO was hacked for $292 million, but only about $70 million has been recovered. The remaining ETH is still spread across other chains, with over $100 million in bad debt on Aave unresolved, and the amount rsETH holders can recover remains unknown.

Even with Arbitrum’s use of god-like permissions, the fight is clearly far from over.
