
Arbitrum Security Council Freezes $71M in ETH After KelpDAO Bridge Exploit

Arbitrum's Security Council has frozen roughly $71 million in stolen ETH connected to the April 18, 2026 exploit of KelpDAO's rsETH bridge, executing an emergency on-chain intervention that has reopened long-standing debates about decentralization and governance power. Nine of the council's twelve members voted in favor of the action, which moved 30,766 ETH to a protocol-controlled intermediary address before the attacker could complete a native bridge withdrawal back to Ethereum mainnet.
How the $292M Exploit Unfolded
At 17:35 UTC on April 18, an attacker minted 116,500 rsETH — worth approximately $292 million at the time — with no legitimate backing. KelpDAO, a liquid restaking protocol built on EigenLayer with around $1.07 billion in TVL, used a LayerZero-based OFT bridge to move rsETH across more than 20 networks. The bridge was configured with a 1-of-1 Decentralized Verifier Network (DVN) setup, with LayerZero Labs as the sole verifier.
According to on-chain forensics cited in the report, attackers compromised two of LayerZero's downstream RPC nodes by swapping op-geth binaries with malicious versions that selectively lied to the DVN. A DDoS attack against the remaining healthy nodes forced a failover to the poisoned endpoints, allowing a forged packet claiming origin from KelpDAO's Unichain deployment to release 116,500 rsETH from escrow. KelpDAO's emergency multisig paused core contracts 46 minutes later, causing two follow-up attempts to siphon another ~$100M to revert. Security researchers have preliminarily attributed the operation to North Korea's Lazarus Group.
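The failover described above is the point where a verifier's read policy decides the outcome. The following Python example is added here and is not code from LayerZero, KelpDAO or the original article; the endpoint names, hash values and the functions `failover_read` and `quorum_read` are hypothetical and constructed for illustration. It contrasts a trust-the-first-responder policy with a fail-closed quorum over independent RPC endpoints.

```python
"""Fail-closed RPC quorum for a message verifier (constructed example)."""
from collections import Counter
from typing import Dict, Optional

# Constructed sample values; not real hashes or endpoints.
REAL = "0xaaa1"    # payload hash actually emitted on the source chain
FORGED = "0xbbb2"  # payload hash reported by the tampered nodes


def failover_read(responses: Dict[str, Optional[str]]) -> Optional[str]:
    """Weak policy: trust the first endpoint that answers (None = unreachable)."""
    for answer in responses.values():
        if answer is not None:
            return answer
    return None


def quorum_read(responses: Dict[str, Optional[str]], quorum: int) -> Optional[str]:
    """Hardened policy: return a value only if at least `quorum` endpoints
    report it and no reachable endpoint disagrees; otherwise refuse (None)."""
    answers = [a for a in responses.values() if a is not None]
    counts = Counter(answers)
    if len(counts) != 1:  # nothing reachable, or endpoints disagree
        return None
    value, votes = counts.most_common(1)[0]
    return value if votes >= quorum else None


# Scenario from the article: healthy nodes knocked offline, two nodes poisoned.
UNDER_ATTACK = {"rpc-a": None, "rpc-b": None, "rpc-c": FORGED, "rpc-d": FORGED}
# Healthy nodes reachable again: the poisoned pair is now contradicted.
SPLIT = {"rpc-a": REAL, "rpc-b": REAL, "rpc-c": FORGED, "rpc-d": FORGED}
ALL_HEALTHY = {name: REAL for name in UNDER_ATTACK}

if __name__ == "__main__":
    for label, view in [("under attack", UNDER_ATTACK), ("split", SPLIT),
                        ("healthy", ALL_HEALTHY)]:
        print(f"{label}: failover={failover_read(view)} "
              f"quorum(3)={quorum_read(view, 3)}")
```

The quorum has to exceed the number of endpoints an attacker can tamper with: with `quorum=2` the under-attack view still yields the forged hash, which is the same weakness as a single verifier at a smaller scale.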
The Council's Intervention
Blockchain security firm PeckShield flagged that the attacker had already initiated a native bridge withdrawal from Arbitrum One back to Ethereum mainnet — where recovery would become significantly harder. The Arbitrum Security Council, a 12-member body elected by the Arbitrum DAO through semi-annual elections, convened an emergency session. Council member Griff Green described "countless hours of debates, technical, practical, ethical and political." Using the standard native ETH transfer precompile at 0x0…0DA0, the council moved 30,766 ETH to a protocol-controlled intermediary. Lookonchain confirmed the freeze roughly 20 minutes after execution.
"The Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users." — Arbitrum Security Council, April 21, 2026
The frozen funds represent about 24% of the $292M originally stolen; the remainder is believed to have been routed through other chains. Access to the intercepted ETH now requires a further Arbitrum governance vote. Dylan Dewdney, founder of Kuvi AI, compared the moment to The DAO episode in Ethereum's history: "On one hand, decentralization purists will hate it. On the other, a DAO effectively looked at a state-sponsored hacking group and said: not this time. Arbitrum just demonstrated that onchain systems can defend themselves in real time."
LayerZero and KelpDAO Trade Blame
A dispute has opened between the two parties at the center of the exploit. LayerZero's post-mortem attributed responsibility to KelpDAO's configuration, noting that Kelp "chose to utilize a 1/1 DVN configuration" despite LayerZero's recommendation of multi-DVN redundancy. LayerZero announced it will stop signing messages for any application using a single-validator setup, forcing a migration across its ecosystem. The contagion from the original exploit was significant: attackers used stolen rsETH as Aave v3 collateral to borrow $196M in WETH, pushing Aave WETH markets to 100% utilization and contributing to roughly $6.6B in TVL leaving affected protocols within 48 hours.