Arbitrum, acting in the hacker's name, "stole back" the $70 million that was stolen


Original author: Deep Tide TechFlow

Last week, KelpDAO was hacked and nearly $300 million was stolen, making it the largest DeFi security incident of the year so far.

The stolen ETH is now scattered across multiple chains; about 30,765 ETH remained in one address on the Arbitrum chain, worth over $70 million.

This story seemed to have ended, but today there’s a sequel.

According to monitoring by on-chain security firm PeckShield, the funds in the hacker's Arbitrum address were transferred out a few hours ago, but strangely they went to an odd address made up almost entirely of zeros, 0x00000… .

Everyone was speculating at the time—did the hacker burn the money by putting it into a black hole address? Or did they have a change of heart or get turned in?

None of those.

A few hours ago, Arbitrum’s official forum posted an emergency action notice explaining the situation. The hacker’s funds were transferred by Arbitrum’s Security Council.

Strangely, the council did not know the hacker's private key, did not freeze the hacker's funds, and had no direct authority to transfer them; instead, it issued a transfer "in the hacker's name."

The hacker was unaware, their private key was not leaked, and on-chain records look as if the hacker operated it themselves.

The mechanism behind this operation: every cross-chain message sent from Ethereum to Arbitrum passes through a bridge contract on Ethereum called the Inbox, and Arbitrum trusts the Inbox to tell it who sent each message. The Security Council used its emergency permissions to temporarily upgrade this contract, adding a new function:

Send a cross-chain transaction in the name of any wallet address, without needing that wallet's private key.

They used this function to forge a message whose sender field was set to the hacker's wallet and whose payload was the instruction "transfer all my ETH to the freeze address." Arbitrum processed it like any other message from the Inbox, which produced the strange transfer to the near-zero address noted above.

Once the hacker's funds had been moved, the contract was immediately reverted to its original version. The upgrade, the forged message, the transfer and the restoration were all done within a single Ethereum transaction, so the spoofing function never existed outside that transaction, and other users and applications were completely unaffected.
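To make the trust relationship concrete, here is a simplified model of the sequence described above, written for this page rather than taken from Arbitrum's code base: the Inbox stamps each L1-to-L2 message with a sender, the L2 executes whatever it is given, and an upgradeable Inbox therefore makes the proxy owner the real authority over who "sent" a message. Contract and function names, the council addresses and threshold check, the hacker and freeze addresses and the balances are all constructed assumptions; message encoding, gas, and Arbitrum's aliasing of L1 contract senders are omitted.

```python
from dataclasses import dataclass

# Hypothetical 12-member council and the 9-of-12 threshold stated in the article.
COUNCIL = [f"council_{i}" for i in range(12)]
THRESHOLD = 9
COUNCIL_PROXY = "0xcouncil"   # hypothetical address of the council's multisig


@dataclass
class L2Message:
    sender: str   # the account the L2 will treat as msg.sender
    to: str
    value: int    # ETH in whole units, for readability


class InboxV1:
    """Normal Inbox: the L2 sender is always the L1 caller, so nobody can
    speak for an address they do not control. (Real Arbitrum also aliases
    L1 *contract* senders; that detail is omitted here.)"""
    def send_l2_message(self, caller, to, value):
        return L2Message(sender=caller, to=to, value=value)


class InboxEmergency(InboxV1):
    """Temporary implementation with one extra, council-only function whose
    sender field is chosen freely: the 'forged message' from the article."""
    def send_l2_message_as(self, caller, spoofed_sender, to, value):
        if caller != COUNCIL_PROXY:
            raise PermissionError("only the council may spoof a sender")
        return L2Message(sender=spoofed_sender, to=to, value=value)


class L2Chain:
    """The rollup trusts whatever sender the Inbox stamps on a message."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def execute(self, msg):
        if self.balances.get(msg.sender, 0) < msg.value:
            raise ValueError("insufficient balance")
        self.balances[msg.sender] -= msg.value
        self.balances[msg.to] = self.balances.get(msg.to, 0) + msg.value


class UpgradeableProxy:
    """Stand-in for the Inbox's upgradeable proxy, owned by the council."""
    def __init__(self, impl, owner):
        self.impl, self.owner = impl, owner

    def upgrade(self, caller, new_impl):
        if caller != self.owner:
            raise PermissionError("not the proxy owner")
        self.impl = new_impl


def council_approves(signers):
    return len(set(signers) & set(COUNCIL)) >= THRESHOLD


def emergency_sweep(proxy, l2, signers, victim, freeze_addr, amount):
    """Upgrade -> forge -> execute -> restore, as one atomic L1 transaction.
    Any failure rolls every step back, like an EVM revert. (On the real
    chain the L2 side executes when the message is included; it is run
    inline here so the outcome is visible.)"""
    if not council_approves(signers):
        raise PermissionError("council threshold not met")
    original_impl = proxy.impl
    snapshot = dict(l2.balances)
    try:
        proxy.upgrade(COUNCIL_PROXY, InboxEmergency())
        msg = proxy.impl.send_l2_message_as(COUNCIL_PROXY, victim, freeze_addr, amount)
        l2.execute(msg)
    except Exception:
        l2.balances = snapshot
        raise
    finally:
        proxy.impl = original_impl   # the back door lives only inside this tx
    return msg


def run_demo():
    """Constructed scenario: a 'hacker' holds 30,765 ETH on L2 (the figure in
    the article); 0xalice is an ordinary user who must be unaffected."""
    l2 = L2Chain({"0xhacker": 30765, "0xalice": 5})
    proxy = UpgradeableProxy(InboxV1(), owner=COUNCIL_PROXY)
    l2.execute(proxy.impl.send_l2_message("0xalice", "0xbob", 1))  # normal traffic
    emergency_sweep(proxy, l2, COUNCIL[:THRESHOLD], "0xhacker", "0xfreeze", 30765)
    l2.execute(proxy.impl.send_l2_message("0xalice", "0xbob", 1))  # still works
    return l2.balances, type(proxy.impl).__name__


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is that `InboxV1` has no spoofing path at all; the ability to forge a sender comes entirely from whoever can swap the implementation behind the proxy, which is why the 9-of-12 threshold in `council_approves` is the only thing standing between "nobody can do this" and "it can be done to any address, with zero delay."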

This operation is unprecedented in Arbitrum’s history.

According to the forum announcement, the Security Council had confirmed the hacker’s identity with law enforcement beforehand, pointing to North Korea’s Lazarus Group, the most active state-sponsored hacking organization in DeFi this year. The council conducted a technical assessment to ensure no impact on other users before proceeding.

Since the hacker acted in bad faith first, this move amounts to "you broke the rules first, so don't complain when we do." How the frozen ETH will be handled next depends on Arbitrum's DAO governance and coordination with law enforcement.

Recovering over $70 million in stolen funds is of course a good outcome. But note the premise that made it possible: 9 of the 12 members of the Security Council signed off, which lets them bypass every governance vote and upgrade any core contract on-chain with zero delay.

Praising the result, but worrying about the capability?

Currently, community reactions are quite divided.

Some believe Arbitrum did a great job, protecting assets at a critical moment and boosting confidence in L2. Others ask a very direct question: if 9 people can sign to move any assets in anyone’s name, isn’t that still centralized?

I think both sides are actually talking about different things.

The former is about the outcome; the latter about the capability. The outcome is clearly positive: over $70 million recovered. But the capability Arbitrum demonstrated, a multisig that can rewrite core contracts, is itself neutral; how it is used in the future, what may be done with it, whether it should be, and how, depends entirely on the governance of the council.

However, for most Arbitrum users this debate may matter less than another fact: Arbitrum is not unique. Most mainstream L2s currently retain similar emergency upgrade permissions, so the chain you use probably also has a security council with comparable powers. This is not a choice peculiar to Arbitrum; at this stage it is the common design across L2s.

From another perspective, this attack and defense reveal a bigger picture.

The attacker is North Korea’s Lazarus Group, which has been attributed to at least 18 DeFi attacks this year. Three weeks ago, they stole $285 million from Drift Protocol, using a completely different method.

On one side, state-sponsored hackers are continuously upgrading their attack methods; on the other, L2s are beginning to use underlying permissions for counterattacks. The security battle in DeFi is moving from “post-incident freezing, on-chain shouting, and hoping white hats intervene” into a new phase.

In a critical moment, they created a universal key to open the hacker’s address, then melted the key afterward. From this incident alone, having the capability to counter hackers is not necessarily a bad thing.

And if we elevate this to a philosophical debate about “decentralization,” there are many points to discuss. The industry’s centralization practices are numerous; at least this time, they handled a negative event and solved the problem, rather than creating more issues.

Looking pragmatically, KelpDAO was hacked for $292 million, but only recovered over $70 million, less than a quarter of the total. The remaining ETH is still scattered across other chains, and over $100 million in bad debt on Aave remains unresolved. How much rsETH holders can recover is still unknown.

Even with Arbitrum’s use of god-like permissions, this battle is clearly far from over.
