KelpDAO Recovers Over 30k ETH with One Click: Arbitrum Acts Urgently, Shaking the Industry

Written by: jsai@Golden Finance

On April 18, 2026, the DeFi space experienced its largest attack to date in 2026.

KelpDAO’s rsETH bridge (based on the LayerZero cross-chain protocol) was exploited by hackers, who forged approximately 116,500 rsETH (worth about $292 million). The hackers forged cross-chain messages, minted unbacked rsETH, then quickly exchanged it for ETH, dispersing funds across the Ethereum mainnet and Arbitrum One. About 30,766 ETH (roughly $71 million) remained on the Arbitrum One chain.

On April 21, the Arbitrum Security Council took rare emergency action, successfully transferring and recovering these funds. Compared to the 2022 incident where hackers stole 20 million OP tokens and Optimism explicitly refused to use emergency upgrades to pause or freeze token movement, this is the first known case in Stage 1 L2s (Arbitrum One, Optimism, Base, Starknet, etc.) where a Security Council was activated to freeze funds.

This incident demonstrates some L2s’ response capabilities in crises but also quickly sparked intense debate within the crypto community about the nature of “decentralization.”

  1. Arbitrum’s one-click transfer of hacker funds

In a statement released on April 21, Arbitrum said that, after obtaining information about the attacker’s identity from law enforcement and conducting “extensive technical due diligence and review,” the Security Council executed a “technical plan” to transfer 30,766 ETH from the hacker’s address to an “intermediary frozen wallet.”

Freeze transaction: https://arbiscan.io/tx/0x5618044241dade84af6c41b7d84496dc9823700f98b79751e257608dac570f6b

This wallet can only be further unlocked through Arbitrum governance and will not affect any other chain state, users, or applications.

The transfer was completed at 11:26 PM Eastern Time on April 20, and the hacker’s original address can no longer access the funds. This was a “surgical” intervention, not a full chain pause or hard fork.

The Arbitrum Security Council has taken emergency action to freeze 30,766 ETH held in Arbitrum One addresses related to the KelpDAO vulnerability. With law enforcement assistance, the council identified the attacker and ensured that the action would not impact any Arbitrum users or applications, maintaining the security and integrity of the Arbitrum community.

After extensive technical investigation and review, the Security Council determined and implemented a technical solution to transfer the funds to a safe location without affecting any other chain states or Arbitrum users.

As of 11:26 PM Eastern Time on April 20, the funds have been successfully transferred to an intermediary frozen wallet. The original addresses holding these funds can no longer access them, and only after coordination with Arbitrum governance and relevant parties can further actions be taken to transfer these funds.

  2. Details of the ETH transfer mechanism: Emergency authority of the Security Council

Arbitrum, as an Optimistic Rollup on Ethereum (currently rated Stage 1 by L2Beat), has an architecture that inherently balances decentralization and security.

Its core is a 12-member Security Council (elected by Arbitrum DAO), which has emergency upgrade authority. The council can authorize time-sensitive system contract upgrades or emergency measures via a 9/12 multi-signature, aimed at protecting the DAO, users, and the entire ecosystem. This is not a “backdoor,” but an open governance design used to respond to hackers, vulnerabilities, or major risks.

This action was not simply “banning an address”; it used the Security Council’s upgrade capability to execute a precise transfer of the ETH held by the hacker. Arbitrum’s Rollup mechanism allows governance to control specific contract states or execute special transactions in emergencies, without altering the entire chain consensus or affecting other addresses.

Based on on-chain analysis and technical reports, the core of this operation involved a temporary upgrade to the Inbox contract (the entry point for all Arbitrum→Ethereum messages on L1):

  1. The Security Council authorized an emergency upgrade via 9/12 multi-signature: initiating a transaction on Ethereum mainnet to upgrade the Inbox contract (or other related system contracts). After the upgrade, a new function was temporarily added, allowing “any wallet address” to send cross-chain messages—without the private key of that address.

  2. Forged transfer message from the hacker address: Using the new function, an L1→L2 message was constructed that impersonated the hacker address as the sender, with the content “transfer all ETH from this address to the intermediary frozen wallet.” This step essentially “signed on behalf of the hacker” an L2 transfer, triggered by the Security Council on L1.

  3. Execution on L2: The message was executed via Arbitrum’s Rollup mechanism on L2, transferring the 30,766 ETH from the hacker’s address directly to the intermediary frozen wallet. This wallet is controlled only by Arbitrum governance (DAO votes are needed to unlock it later).

  4. Atomic completion + rollback upgrade: The entire process (upgrade → forged message → transfer execution → removal of the new function/rollback) was completed atomically within a single Ethereum mainnet transaction. The upgrade was temporary, not permanently changing contract logic, nor affecting other addresses’ balances, contract states, or user interactions.

In simple terms: the hacker’s ETH remains on Arbitrum One, but the Security Council, by forging a transfer message from the hacker’s address, “moved” the stolen ETH from the hacker’s address to a frozen address controlled only by the DAO.
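Because the upgrade → forged message → rollback sequence described above completes inside one transaction, the contract looks unchanged before and after it, so a monitor has to inspect the transaction’s own event log. The following is an added example (not Arbitrum’s code and not from the original article) that flags proxy upgrades reverted within the same transaction and lists the events emitted while the temporary logic was live. The placeholder addresses, the `Upgraded` and `InboxMessageDelivered` event names in the sample, and the `impl_before` input are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: decoded logs of ONE L1 transaction, in emission order.
# Addresses are placeholders; event names are assumptions, not taken from the page.
SAMPLE_TX_LOGS = [
    {"address": "0xINBOX_PROXY", "event": "Upgraded", "args": {"implementation": "0xTEMP_IMPL"}},
    {"address": "0xINBOX_PROXY", "event": "InboxMessageDelivered", "args": {"messageNum": 1}},
    {"address": "0xINBOX_PROXY", "event": "Upgraded", "args": {"implementation": "0xORIGINAL_IMPL"}},
]
# Implementation behind each watched proxy at the parent block (assumed to be
# read separately, e.g. from the proxy's implementation storage slot).
IMPL_BEFORE = {"0xINBOX_PROXY": "0xORIGINAL_IMPL"}


@dataclass
class TransientUpgrade:
    proxy: str
    temporary_impls: list = field(default_factory=list)
    events_in_window: list = field(default_factory=list)  # (address, event) pairs


def find_transient_upgrades(logs, impl_before):
    """Return upgrades that were applied and reverted inside the same transaction,
    with every event emitted while the temporary logic was live."""
    open_windows = {}  # proxy -> window opened by an upgrade away from the original
    findings = []
    for log in logs:
        proxy = log["address"]
        if log["event"] == "Upgraded" and proxy in impl_before:
            new_impl = log["args"]["implementation"]
            if new_impl != impl_before[proxy]:
                window = open_windows.setdefault(proxy, TransientUpgrade(proxy))
                window.temporary_impls.append(new_impl)
            elif proxy in open_windows:
                findings.append(open_windows.pop(proxy))  # original logic restored
            continue
        # Any other event is attributed to every window that is currently open.
        for window in open_windows.values():
            window.events_in_window.append((proxy, log["event"]))
    # Windows still open here are permanent upgrades, not transient ones.
    return findings


if __name__ == "__main__":
    for f in find_transient_upgrades(SAMPLE_TX_LOGS, IMPL_BEFORE):
        print(f.proxy, f.temporary_impls, f.events_in_window)
```

An upgrade that is never reverted inside the transaction is deliberately not reported here; it shows up in ordinary before/after implementation checks.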

This reflects a practical compromise among speed, security, and decentralization in L2.

  3. Community discussion and controversy

This action quickly sparked polarized reactions on X (Twitter) and crypto forums.

Many users praised it as a “correct and brave decision”: partial recovery of funds (about 24% frozen), protecting users of KelpDAO, Aave, and other protocols, avoiding larger systemic risks. Some joked “decentralized until you need it,” and pointed out that Bitcoin is the only chain that is truly “uncensorable,” while L2s are not purely decentralized.

Some even argued that if a chain can freeze stolen funds but chooses not to, that is dereliction of duty. The Security Council exists precisely for this purpose—acting swiftly and transparently is more efficient than some centralized stablecoin issuers (like Circle). Arbitrum community members and representatives (e.g., Griff Green) even celebrated this as “a counterattack against hackers (suspected to have some national background).”

At the same time, many voices of opposition and concern emerged, highlighting the controversy of Arbitrum’s move, such as:

Disillusionment with decentralization: many pointed out that “this exposes Arbitrum as essentially a multi-signature wallet,” and that the Security Council can unilaterally freeze any address’s funds, setting a dangerous precedent. “Today hackers, tomorrow ordinary users?” “L2 decentralization is just a marketing term.”

Slippery slope fears: critics argue that although the move was “technically correct,” it proves L2 still relies on trust in a small group (the 12-member council). If governments apply pressure in the future or governance is captured, similar powers could be abused. Some announced they would “no longer use Arbitrum, switch back to L1.”

The open secret of Stage 1 rollups: supporters point out that this is a Stage 1 feature already marked by L2Beat (most L2s, such as Base and Optimism, are similar), not a sudden bug. But opponents believe that the community’s misconception that “L2 = decentralization” has been torn apart by this incident, revealing the “last layer of pretense.”

Overall, the community consensus is: in the short term, this was a necessary and effective crisis response, but long-term it highlights that L2 governance still needs to evolve toward Stage 2 (full decentralization without upgrade keys).

This incident also re-emphasizes the eternal debate in DeFi: “Freezing stolen funds vs. absolute censorship resistance.”

Conclusion: The practical choice for L2 security

The Security Council’s action on Arbitrum successfully recovered part of the losses and demonstrated L2’s quick response capability in the face of large-scale hacking.

But it also reminds the industry: most current L2s are still “decentralized under governance protection,” not “code as law” like L1. As DeFi scales, balancing emergency intervention and minimizing long-term trust will be a key challenge for Arbitrum and the entire L2 ecosystem.

For ordinary users, this may be a signal: when choosing a chain, look beyond TVL and fees—consider governance transparency and emergency mechanisms.

Decentralization in the crypto world has never been absolute; it is an ongoing balancing act.
