
Finance

Arbitrum Council Freezes $71M After KelpDAO Bridge Hack; Kuvi CEO Weighs In

Arbitrum's Security Council voted 9 of 12 to immobilize 30,766 ETH — roughly $71 million — linked to the KelpDAO bridge exploit, intercepting the funds on Arbitrum One before an in-progress native withdrawal back to Ethereum mainnet could complete. The freeze represents about 24% of the $292 million drained from KelpDAO's rsETH bridge on April 18, 2026, in an attack researchers have preliminarily attributed to North Korea's Lazarus Group.

The exploit stemmed from a 1-of-1 Decentralized Verifier Network (DVN) configuration on KelpDAO's LayerZero-based OFT bridge. According to on-chain forensics cited in the original report by Crypto Coin Show, attackers compromised downstream RPC nodes, DDoS'd the uncompromised endpoints to force a failover, and pushed a forged cross-chain packet that released 116,500 rsETH from escrow in a single transaction. KelpDAO's emergency multisig paused core contracts 46 minutes later, blocking two follow-up attempts of roughly $100M each.
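The weakness described above can be audited from configuration alone. The following is an added example, not code from the report, LayerZero, or KelpDAO: it computes how many verifiers must agree on a message and how few RPC providers would have to be compromised to subvert that quorum. The pathway names, field layout, and provider labels are hypothetical, and it assumes a verifier accepts data from any one of its providers after failover.

```python
from itertools import combinations

# Constructed sample pathways: verifier -> RPC providers it reads from.
# All names and the field layout are hypothetical, not LayerZero's schema.
PATHWAYS = {
    "single-verifier": {
        "required": {"dvn-a": {"rpc-1", "rpc-2"}},
        "optional": {}, "optional_threshold": 0},
    "two-required-shared-rpc": {
        "required": {"dvn-a": {"rpc-1", "rpc-2"}, "dvn-b": {"rpc-2", "rpc-3"}},
        "optional": {}, "optional_threshold": 0},
    "two-required-plus-1-of-2": {
        "required": {"dvn-a": {"rpc-1"}, "dvn-b": {"rpc-2"}},
        "optional": {"dvn-c": {"rpc-3"}, "dvn-d": {"rpc-4"}},
        "optional_threshold": 1},
}

def quorum_size(p):
    """Verifiers that must attest: every required one plus the optional threshold."""
    return len(p["required"]) + p["optional_threshold"]

def min_providers_to_forge(p):
    """Fewest RPC providers whose compromise subverts enough verifiers for quorum.
    Assumption: one compromised provider is enough to mislead a verifier that
    has failed over to it. Returns None if no provider set reaches quorum."""
    verifiers = {**p["required"], **p["optional"]}
    providers = sorted(set().union(*verifiers.values()))
    for k in range(1, len(providers) + 1):
        for owned in map(set, combinations(providers, k)):
            required_hit = all(rpcs & owned for rpcs in p["required"].values())
            optional_hit = sum(1 for rpcs in p["optional"].values() if rpcs & owned)
            if required_hit and optional_hit >= p["optional_threshold"]:
                return k
    return None

def audit(pathways, floor=2):
    """Flag pathways where fewer than `floor` verifiers or providers stand in the way."""
    findings = {}
    for name, p in pathways.items():
        q, k = quorum_size(p), min_providers_to_forge(p)
        weak = q < floor or (k is not None and k < floor)
        findings[name] = {"quorum": q, "min_providers": k, "weak": weak}
    return findings

if __name__ == "__main__":
    for name, result in audit(PATHWAYS).items():
        print(name, result)
```

The second sample pathway is flagged even though two verifiers must sign, because both read from the same provider and so share one failure domain.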

Kuvi AI's Dewdney: "Legitimately onchain gangster moves"

Dylan Dewdney, founder of Kuvi AI, framed the council's intervention as a milestone for on-chain governance rather than a narrow technical fix.

"It's a fascinating moment for crypto governance — reminds me actually of the same gravitas as TheDAO, in a way. On one hand, decentralization purists will hate it. On the other, a DAO effectively looked at a state-sponsored hacking group and said: not this time. Arbitrum just demonstrated that onchain systems can defend themselves in real time. In a strange way, they out-coordinated one of the most sophisticated adversaries in the world. Legitimately onchain gangster moves." — Dylan Dewdney, Founder, Kuvi AI

The council used the standard native ETH transfer precompile to move the funds to a protocol-controlled intermediary address, with Lookonchain confirming the freeze roughly 20 minutes after execution. Access to the recovered ETH will require a further governance vote. Meanwhile, LayerZero and KelpDAO have entered a public dispute over responsibility: LayerZero attributes the breach to KelpDAO's single-verifier setup and has said it will stop signing messages for applications using 1-of-1 DVN configurations, while KelpDAO has pushed back with its own documentation.

Roughly $220 million of the stolen value remains unrecovered, with on-chain trackers indicating the remainder is being routed across other chains. Downstream, attackers weaponized stolen rsETH as Aave v3 collateral to borrow $196M in WETH, pushing Aave WETH markets to 100% utilization and prompting Aave, SparkLend, and Fluid to freeze rsETH markets as affected protocols saw $6.6B in TVL unwind within 48 hours.
