Arbitrum “Pretended to Be the Hacker” — And “Stole Back” KelpDAO’s Stolen Funds

Apr 21, 2026


In DeFi, stories rarely end when the exploit transaction is mined. The KelpDAO incident — widely described as one of 2026’s largest DeFi security events — just got an unexpected sequel: Arbitrum executed an emergency onchain action that impersonated the exploiter’s address and moved ~30,765 ETH into a frozen vault address, effectively “stealing back” (or more precisely, freezing and seizing) the funds that were still sitting on Arbitrum One.

This post breaks down what happened, how it worked, and what it means for anyone using Layer 2, cross-chain bridges, and restaking / liquid restaking tokens in 2025–2026’s fast-moving crypto security landscape.


What happened: From a $292M bridge exploit to scattered ETH across chains

The KelpDAO exploit (April 18, 2026)

According to multiple incident analyses, the attack began around 2026-04-18 17:35 UTC and centered on KelpDAO’s rsETH cross-chain setup (built on LayerZero-style messaging and verification). In simplified terms, the attacker was able to forge / validate a cross-chain message under a configuration that created a single point of failure (e.g., “1-of-1” verification), allowing assets to be released as if a legitimate bridge withdrawal had occurred.

If you want a technical but readable breakdown, these are good starting points:

The “leftover” funds on Arbitrum: ~30,765 ETH

After major exploits, funds typically fragment: bridges, swaps, and hop routes scatter assets across multiple networks. In this case, a large chunk of ETH remained on Arbitrum One — about 30,765.6675 ETH — worth roughly $70M+ at the time of reporting.


The twist: Arbitrum impersonated the exploiter to move funds into a freeze vault (April 21, 2026)

On April 21, 2026 (11:26pm ET), Arbitrum’s Security Council executed an emergency action that:

  1. Temporarily upgraded an Arbitrum system contract (the Inbox contract on Ethereum),
  2. Added a function enabling an L1 → L2 message that could impersonate the transaction sender,
  3. Sent a cross-chain transaction that appeared to be from the exploiter address,
  4. Transferred the ETH into 0x0000000000000000000000000000000000000DA0 (a designated frozen address),
  5. Then upgraded the contract back to its original implementation — an “atomic” operational pattern designed to minimize the upgrade window.

Primary source:

News recap (Chinese):

You can also inspect the specific onchain artifacts from the forum post:

This is why people summarized it as: “Arbitrum pretended to be the hacker and stole the money back.” Technically, it was a governance-authorized emergency procedure that relied on Arbitrum’s upgrade / admin capabilities.
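The upgrade, act, and upgrade-back sequence described above leaves a recognizable trace for anyone monitoring a chain's admin powers: a proxy's implementation changes and returns to its original value within a very short window. The following is an added monitoring example, not code from Arbitrum or from the original post; it assumes already-decoded implementation-change events (for example the `Upgraded` event many upgradeable proxies emit), and the record fields, proxy names and addresses are constructed placeholders.

```python
def find_transient_upgrades(events, baseline, max_blocks=0):
    """Report proxies whose implementation left and returned to its original.

    events: dicts with block, tx, proxy, implementation, in chain order.
    baseline: proxy -> implementation in place before the first event.
    """
    current = dict(baseline)
    pending = {}  # proxy -> state of a change that has not been reverted yet
    findings = []
    for ev in events:
        proxy, impl = ev["proxy"], ev["implementation"]
        prev, current[proxy] = current.get(proxy), impl
        if proxy in pending:
            start = pending[proxy]
            if impl != start["original"]:
                start["temporary"].append(impl)  # still away from the original
                continue
            del pending[proxy]
            blocks_open = ev["block"] - start["block"]
            if blocks_open <= max_blocks:
                findings.append({"proxy": proxy, "temporary": start["temporary"],
                                 "blocks_open": blocks_open,
                                 "same_tx": ev["tx"] == start["tx"]})
        elif prev is not None and impl != prev:
            pending[proxy] = {"original": prev, "block": ev["block"],
                              "tx": ev["tx"], "temporary": [impl]}
    return findings

# Constructed sample data: addresses and transaction ids are placeholders.
ORIG, TEMP, NEW = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
BASELINE = {"proxy-1": ORIG, "proxy-2": ORIG, "proxy-3": ORIG}
EVENTS = [
    {"block": 100, "tx": "tx-1", "proxy": "proxy-1", "implementation": TEMP},
    {"block": 100, "tx": "tx-1", "proxy": "proxy-1", "implementation": ORIG},
    {"block": 120, "tx": "tx-2", "proxy": "proxy-2", "implementation": NEW},
    {"block": 130, "tx": "tx-3", "proxy": "proxy-3", "implementation": TEMP},
    {"block": 135, "tx": "tx-4", "proxy": "proxy-3", "implementation": ORIG},
]

if __name__ == "__main__":
    for finding in find_transient_upgrades(EVENTS, BASELINE, max_blocks=10):
        print(finding)
```

With the default `max_blocks=0` only the same-block round trip on `proxy-1` is reported; the ordinary, unreverted upgrade on `proxy-2` never is.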


Why this matters: It’s not just a rescue story — it’s a decentralization reality check

1) “Code is law” meets “Security Council is law”

The crypto industry spent years moving from “admin keys everywhere” toward staged decentralization. But Layer 2 security councils and emergency powers still exist for a reason: fast response.

The Arbitrum action shows a hard truth:

  • If a network can upgrade core contracts, it can also change who effectively controls funds under extraordinary conditions.

This is neither purely good nor purely bad — but it is a risk factor users must price in when choosing chains and protocols.

If you want to systematically evaluate these tradeoffs, it helps to check neutral infrastructure dashboards like:

2) Cross-chain bridge risk remains a top threat in 2025–2026

Even as audits and formal verification improved, bridge configuration and verification assumptions are still frequent failure points. The KelpDAO case reinforces a recurring pattern:

  • The vulnerability is often not a single “buggy line of Solidity,” but a system design / configuration decision that creates a silent single point of failure.
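The “1-of-1” verification setup from the incident section and the silent single point of failure described here can be checked for mechanically. The following is an added example, not KelpDAO's or LayerZero's code: it assumes a generic verifier-set model (every required verifier plus a threshold of optional ones must attest), with hypothetical field names and a constructed sample configuration, and it counts independent operators rather than verifier entries.

```python
from collections import Counter

def min_operators_to_forge(required, optional, optional_threshold):
    """Fewest distinct operators an attacker must control to pass verification.

    required / optional: lists of (verifier_id, operator) pairs. A message is
    accepted when every required verifier and at least `optional_threshold`
    optional verifiers attest to it.
    """
    if optional_threshold > len(optional):
        raise ValueError("optional_threshold exceeds the optional verifier count")
    operators = {op for _, op in required}
    # Optional verifiers run by an operator already counted add no independence.
    remaining = optional_threshold - sum(1 for _, op in optional if op in operators)
    per_operator = Counter(op for _, op in optional if op not in operators)
    extra = 0
    for _, verifier_count in per_operator.most_common():
        if remaining <= 0:
            break
        remaining -= verifier_count
        extra += 1
    return len(operators) + extra

def audit_pathways(pathways, min_independent=2):
    """Return (pathway, operators_needed) for every pathway below the floor."""
    findings = []
    for name, cfg in pathways.items():
        needed = min_operators_to_forge(
            cfg["required"], cfg["optional"], cfg["optional_threshold"])
        if needed < min_independent:
            findings.append((name, needed))
    return findings

# Constructed sample configuration; chain, verifier and operator names are made up.
PATHWAYS = {
    "chainA->chainB": {"required": [("v1", "op-alpha")],
                       "optional": [], "optional_threshold": 0},
    "chainA->chainC": {"required": [("v1", "op-alpha")],
                       "optional": [("v2", "op-alpha"), ("v3", "op-alpha")],
                       "optional_threshold": 2},
    "chainA->chainD": {"required": [("v1", "op-alpha"), ("v4", "op-beta")],
                       "optional": [("v5", "op-gamma"), ("v6", "op-delta")],
                       "optional_threshold": 1},
}

if __name__ == "__main__":
    for name, needed in audit_pathways(PATHWAYS):
        print(f"{name}: forgeable by compromising {needed} operator(s)")
```

The second pathway looks like 3-of-3 on paper but is flagged alongside the explicit 1-of-1, because all three verifiers belong to one operator.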

Tracking exploit trends via public data can help users understand how common these events are:

3) The precedent problem: when is it acceptable to “seize” funds?

Arbitrum’s move will likely trigger debate across crypto Twitter, governance forums, and research circles:

  • If it’s acceptable to freeze stolen funds, is it acceptable to freeze sanctioned funds?
  • What about disputed ownership, protocol insolvency, or court orders?
  • Who decides what qualifies as an “emergency,” and what are the safeguards?

The key point for users: these powers exist — and your risk model should reflect them.


Practical takeaways for DeFi users: what you should do differently after KelpDAO

1) Treat bridges and “omnichain assets” as higher-risk than single-chain assets

If your strategy depends on bridging (or holding bridged representations), consider:

  • Limiting position size on bridged assets
  • Preferring routes with stronger, multi-party verification assumptions
  • Avoiding “new chain + new bridge + new LRT” stacks unless you can tolerate tail risk

2) Assume every approval can become a loss event

Many nine-figure incidents ultimately monetize through allowances, signatures, and permission surfaces users don’t re-check.

Basic hygiene that still works:

  • Use separate wallets for long-term holdings vs active DeFi
  • Revoke approvals periodically (especially after interacting with new protocols)
  • Verify domains carefully (phishing often spikes right after major incidents)

3) Hardware wallets help — but only if you use them intentionally

A hardware wallet can’t magically make DeFi safe, but it can materially reduce certain classes of risk by keeping keys offline and forcing explicit confirmation for sensitive actions.

If you’re using OneKey, the most relevant habit is: slow down at the signing step. Treat every signature / approval as a real financial decision, especially on high-speed L2 environments where attackers rely on user urgency.


What happens next: Governance decides whether frozen funds can be released

Arbitrum’s forum post is explicit: the ETH is frozen, and a subsequent action by Arbitrum Governance is required to release it (presumably coordinating with affected parties and any ongoing investigations). See the official wording and evolving discussion here:

In other words, the “steal-back” chapter is not a clean reversal — it’s the start of a governance, legal, and social coordination process.


Closing thought

KelpDAO’s exploit and Arbitrum’s emergency response highlight a defining theme of 2025–2026 crypto: security is no longer just about smart contracts — it’s about configuration, cross-chain assumptions, and governance power.

If you participate in DeFi today, your edge isn’t just yield — it’s understanding where control really sits when something breaks.
