Arbitrum Pretends to Be a Hacker and "Steals" Back the Money Lost by KelpDAO
Last week, KelpDAO was hacked and nearly $300 million was stolen, making it the biggest DeFi security incident of the year so far.
The stolen ETH is now spread across multiple chains, with about 30,765 tokens remaining in an address on the Arbitrum chain, worth over $8B.
This story seemed to have concluded, but today there’s a sequel.
According to on-chain security firm PeckShield, the funds in the hacker’s address on Arbitrum were transferred out a few hours ago; strangely, they went to an address that is almost entirely zeros: 0x00000…
Everyone was speculating at the time—did the hacker burn the money by putting it into a black hole address? Or did they have a change of heart or get turned in?
None of the above.
A few hours ago, Arbitrum’s official forum posted an emergency notice explaining the situation. The hacker’s funds were moved by Arbitrum’s Security Council.
Strangely, the Council did not know the hacker’s private key, did not freeze the hacker’s funds, and had no authority to transfer them directly. Instead, it issued a transfer command “in the name of” the hacker.
The hacker was unaware and their private key was not leaked, yet the on-chain record looks as if the hacker had made the transfer themselves.
The mechanism behind this is that all cross-chain messages between Arbitrum and Ethereum pass through a bridge contract called Inbox. The Security Council used its emergency privileges to temporarily upgrade this contract, adding a new function that can send cross-chain transactions in the name of any wallet address, without needing that wallet’s private key.
They then used this function to forge a message with the sender set to the hacker’s wallet, saying in effect “Transfer all my ETH to the frozen address.” The Arbitrum chain received and executed it as it would any other message, producing the strange on-chain transfer described above.
After transferring the hacker’s funds, the contract was immediately downgraded back to its original version. The upgrade, forgery, transfer, and restoration were all completed within a single Ethereum transaction. Other users and applications were unaffected.
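To make the trust boundary concrete, here is a toy model (added here; not Arbitrum’s code) of the L1-to-L2 message path: the L2 executes a message as whatever sender the Inbox stamps on it, so a temporarily upgraded Inbox can make a message run as any address, and a defender’s monitor can flag exactly that, an Inbox implementation change or a delivered message whose executed sender is not the L1 caller. The `InboxV1`/`InboxEmergency` labels, the addresses and the balances are assumptions; only the name Inbox and the 30,765 ETH figure come from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class L1Message:
    l1_caller: str   # account that actually called the Inbox on L1
    l2_sender: str   # account the L2 executes the message as
    to: str
    value: int       # ETH units; 30,765 below is the page's figure
    inbox_impl: str  # Inbox implementation that emitted the message

class L2State:
    def __init__(self, balances):
        self.balances = dict(balances)

    def execute(self, msg):
        # No signature is checked: the L2 trusts the Inbox's sender field (the page's trust boundary).
        bal = self.balances
        amount = min(msg.value, bal.get(msg.l2_sender, 0))
        bal[msg.l2_sender] = bal.get(msg.l2_sender, 0) - amount
        bal[msg.to] = bal.get(msg.to, 0) + amount

def normal_inbox(caller, to, value):
    # Standard path: a message runs only as the L1 account that sent it
    # (Arbitrum's address aliasing is ignored in this toy model).
    return L1Message(caller, caller, to, value, "InboxV1")

def emergency_inbox(caller, sender, to, value):
    # Temporarily upgraded path: the privileged caller chooses `sender`.
    return L1Message(caller, sender, to, value, "InboxEmergency")

def flag_anomalies(messages, baseline_impl="InboxV1"):
    """Defender-side check: report messages emitted by a non-baseline Inbox
    implementation, and messages whose executed sender is not the L1 caller."""
    findings = []
    for m in messages:
        if m.inbox_impl != baseline_impl:
            findings.append(("inbox_upgraded", m.inbox_impl))
        if m.l2_sender != m.l1_caller:
            findings.append(("sender_mismatch", m.l2_sender))
    return findings

def run_demo():
    # Placeholder addresses and constructed balances, not real on-chain data.
    hacker, council, user, frozen = "0xHACKER", "0xCOUNCIL", "0xUSER", "0xFROZEN"
    l2 = L2State({hacker: 30_765, user: 10, frozen: 0})
    msgs = [normal_inbox(user, frozen, 4),                      # ordinary user transfer
            emergency_inbox(council, hacker, frozen, 30_765)]    # council acting "as" the hacker
    for m in msgs:
        l2.execute(m)
    return l2.balances, flag_anomalies(msgs)
```

Running `run_demo()` drains the hacker placeholder to zero while the monitor reports both the implementation swap and the sender mismatch, which is the signal a watcher of Inbox events would look for.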
This operation has no precedent in Arbitrum’s history.
According to the forum announcement, the Security Council had confirmed the hacker’s identity with law enforcement beforehand, pointing to North Korea’s Lazarus Group, the most active state-sponsored hacking organization in DeFi this year. After technical assessment ensuring no impact on other users, they proceeded.
Since the hacker acted in bad faith first, the move amounts to “you were unethical first, so don’t blame us for responding in kind.” How the frozen ETH will be handled afterward depends on Arbitrum’s DAO governance and coordination with law enforcement.
Recovering over $8B in stolen funds is certainly good, but it is important to note that only 9 of the Security Council’s 12 members need to sign to bypass all governance votes and upgrade any core contract on-chain instantly.
Praise for the result, concern about the capability?
Currently, community reactions are quite divided.
Some believe Arbitrum did a great job, protecting assets at a critical moment and boosting confidence in L2. Others ask a straightforward question: if 9 people can sign to act in anyone’s name and move any assets, is this truly decentralized?
I think both sides are actually talking about different things.
The former refers to the outcome; the latter to the capability. The result is undoubtedly positive: over $70 million recovered. But the ability to modify contracts via multi-signature is neutral in itself; whether and how that capability gets used in the future depends on how the council is governed.
However, for most Arbitrum users, this discussion might be less practical than a simple fact: Arbitrum isn’t unique. Most mainstream L2s currently retain similar emergency upgrade privileges.
Your chain probably also has a similar Security Council with comparable powers. This isn’t an Arbitrum-specific choice; almost all L2s at this stage have this common design.
From another perspective, this attack and defense reveal a larger picture.
The attacker is North Korea’s Lazarus Group, which has been attributed to at least 18 DeFi attacks this year. Three weeks ago, they stole $285 million from Drift Protocol using a completely different method.
On one side, state-level hackers are continuously upgrading their attack methods; on the other, L2s are beginning to use underlying permissions for counterattacks. The security battle in DeFi is moving from “post-incident freezing, on-chain shouting, and hoping white hats intervene” to a new phase.
In a critical moment, they created a universal key to open the hacker’s address, then melted the key afterward. From this, we see that having the capability to counter hackers isn’t necessarily a bad thing.
If we elevate this to a philosophical debate about “decentralization,” there’s a lot to discuss. Centralized operations in the crypto industry are numerous; at least this time, they handled a negative incident and solved the problem, rather than creating one.
Looking pragmatically, KelpDAO was hacked for $292 million, but only about $70 million was recovered—less than a quarter of the total. The remaining ETH is still spread across other chains, and over $100 million in bad debt on Aave remains unresolved. How much rsETH holders can recover is still unknown.
Even with Arbitrum’s god-like permissions, this battle is far from over.