Arbitrum’s Security Council froze 30,766 ETH, roughly $71 million, connected to last week’s $293 million KelpDAO exploit, moving the funds into a governance-controlled wallet late April 20. The action marks the first time a major layer-2 network has used emergency upgrade powers to execute a state-level clawback in production.
Nine of twelve independently elected council members voted to authorize the freeze after coordinating with law enforcement on the attacker’s identity. The funds, which represented the Arbitrum-held portion of the broader exploit, are now locked in an intermediary wallet and can only be moved through future DAO governance action.
How the Freeze Actually Worked
This wasn’t a simple multisig freeze. According to technical observers, the council upgraded the Ethereum inbox contract to allow cross-chain message insertion with sender impersonation, injected an ArbitrumUnsignedTxType, a privileged system transaction that bypasses private keys entirely, to move the attacker’s ETH into a protocol-controlled sink, then reverted the inbox contract back to its original state. All atomically, in a single Ethereum transaction.
The capability was documented. It’s now been demonstrated. Arbitrum can upgrade core contracts, override any address’s balance, and revert the upgrade in one block. Every production L2 has some version of this power; none is at Stage 2 decentralization.
The Decentralization Debate
The move has split the community along predictable lines. Some frame it as DeFi successfully rugging North Korea’s Lazarus Group out of $71 million. Others point out that a system where nine people can move funds from any wallet isn’t decentralized in any meaningful sense.
Both are true. The exploit was clear-cut: Cyvers linked the attacker to Tornado Cash funding, law enforcement confirmed the identity, and the council acted to protect Aave from ~$71 million in potential bad debt on Arbitrum. On Ethereum mainnet, the attacker still controls roughly 75,700 ETH, approximately $175 million, and has begun moving funds through THORChain and intermediate wallets.
The forward question isn’t whether this intervention was justified. It’s what the line looks like next time, when the case isn’t as clean. Protocols don’t have frameworks for this; they have emergency powers applied case-by-case. That’s a habit, not a system. And the structural problem, 47.1% of LayerZero oApps still run single-signer DVN configurations, the same setup Kelp used, didn’t get fixed by freezing one wallet.
The council didn’t break a promise. It revealed a promise most of the L2 stack quietly stopped keeping years ago. Restoring credible neutrality is a longer project than any council vote can substitute for, and the conversation about whether L1s should absorb this burden for their most important L2s, turning every major exploit into a hard-fork debate, is one Ethereum hasn’t seriously reopened since 2016.
