Arbitrum Recovers $70 Million in Stolen Funds Using Emergency Protocol

Odaily

Original author: Shenchao TechFlow

Last week, KelpDAO was hacked, losing nearly $300 million, making it the largest DeFi security incident of the year so far.

The stolen ETH is now scattered across multiple chains, with approximately 30,765 remaining in an address on the Arbitrum chain, worth over $70 million.

This story was thought to be over, but today a sequel has emerged.

According to monitoring by the on-chain security firm PeckShield, the funds in the hacker’s address on Arbitrum were withdrawn a few hours ago—but strangely, the funds were sent to an unusual address consisting almost entirely of zeros: 0x00000...


Everyone was wondering: Did the hacker burn all the funds by sending them to a burn address, or did they have a change of heart or get recruited?

Neither.

Several hours ago, the official Arbitrum forum posted an emergency notice explaining the situation: the hacker's funds were moved by Arbitrum's Security Council.

Remarkably, the Security Council did not know the hacker's private key, did not freeze the address, and had no standing authority to move its balance. Instead, it issued a transfer instruction "on behalf of the hacker."

The hacker was unaware, the private key was not compromised, and the on-chain records appear as if the hacker performed the actions themselves.


The mechanism behind this action is that every message sent from Ethereum into Arbitrum must pass through an L1 bridge contract called the Inbox, and the Arbitrum chain trusts the sender address the Inbox attaches to each message. The Security Council used its emergency authority to temporarily upgrade this contract, adding a new function:

Initiate a cross-chain transaction on behalf of any wallet address without requiring the private key of that wallet.

They then used this function to forge a message, with the sender listed as the hacker’s wallet and the content stating, “Transfer all my ETH to the frozen address.” The Arbitrum chain processed it as usual, resulting in the strange on-chain transfer shown in the screenshot above.

Once the forged message was queued, the contract was immediately restored to its original implementation. The upgrade, the forged message, the transfer, and the restoration were all completed within a single Ethereum transaction, leaving other users and applications completely unaffected.

This action has no precedent in Arbitrum's history.

According to the forum announcement, the Security Council confirmed the hacker's identity in advance with law enforcement, pointing to North Korea’s Lazarus Group, the most active state-sponsored hacking group in the DeFi space this year. The Council conducted a technical assessment to ensure no impact on other users before taking action.

Since the hacker acted first, this move is somewhat like saying, "Don't blame us for not playing by the rules." As for how the frozen ETH will be handled next, it will require a DAO governance vote on Arbitrum, coordinated with law enforcement.

It's certainly good news that over $70 million in stolen funds can be recovered. However, it's worth noting that this was only possible because any core contract on the chain can be upgraded with no delay, as long as nine of the twelve Security Council members sign off, bypassing every governance vote.
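A toy model of the trust relationship described above, added here as an illustration and not taken from Arbitrum's code: the contract and function names (InboxV1, InboxEmergency, send_on_behalf_of, council_recovery_tx) and the addresses are hypothetical, and the delayed-inbox queue, the 9-of-12 quorum and the atomic upgrade/forge/restore sequence are modelled only far enough to show the two points the article makes. The L2 cannot distinguish the forged message from one the hacker sent, and the only check standing between any L2 balance and a forged transfer is the council threshold.

```python
"""Constructed model of an upgradeable L1 Inbox feeding an L2. Not Arbitrum's
code; names, addresses and the emergency function are hypothetical."""
from dataclasses import dataclass

HACKER = "0xhacker"    # placeholder addresses (constructed, not the real ones)
FROZEN = "0x000000"
COUNCIL = frozenset(f"member{i}" for i in range(12))
THRESHOLD = 9          # signatures needed for a zero-delay upgrade


@dataclass(frozen=True)
class L2Message:
    sender: str   # the address the L2 will debit; it trusts this field as-is
    to: str
    value: int    # ETH in toy integer units


class InboxV1:
    """Normal path: the L2 sender is whoever actually called the Inbox on L1."""
    def __init__(self):
        self.queue = []   # delayed inbox, drained by the L2 in order

    def send(self, msg_sender, to, value):
        self.queue.append(L2Message(msg_sender, to, value))


class InboxEmergency(InboxV1):
    """Hypothetical upgraded implementation: the sender is a free parameter."""
    def send_on_behalf_of(self, from_addr, to, value):
        self.queue.append(L2Message(from_addr, to, value))


class InboxProxy:
    """Proxy in front of the Inbox; only a council quorum may swap the logic."""
    def __init__(self):
        self.impl = InboxV1()

    def upgrade(self, new_impl, signers):
        if len(set(signers) & COUNCIL) < THRESHOLD:
            raise PermissionError("council quorum not met")
        new_impl.queue = self.impl.queue   # storage (the queue) survives upgrades
        self.impl = new_impl


class L2Chain:
    """Executes queued messages; it has no way to tell forged from genuine."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def process(self, inbox):
        while inbox.queue:
            m = inbox.queue.pop(0)
            if self.balances.get(m.sender, 0) < m.value:
                continue   # a sender that cannot pay is simply skipped
            self.balances[m.sender] -= m.value
            self.balances[m.to] = self.balances.get(m.to, 0) + m.value


def council_recovery_tx(proxy, signers, victim, sink, amount):
    """One L1 transaction: upgrade -> forge -> restore, all or nothing."""
    saved_impl, saved_queue = proxy.impl, list(proxy.impl.queue)
    try:
        proxy.upgrade(InboxEmergency(), signers)
        proxy.impl.send_on_behalf_of(victim, sink, amount)
        proxy.upgrade(saved_impl, signers)
    except Exception:
        proxy.impl = saved_impl          # revert every step of the batch
        proxy.impl.queue = saved_queue
        raise


def forged_equals_genuine():
    """What the L2 sees: a forged message is identical to a genuine one."""
    genuine, forged = InboxV1(), InboxEmergency()
    genuine.send(HACKER, FROZEN, 1)
    forged.send_on_behalf_of(HACKER, FROZEN, 1)
    return genuine.queue == forged.queue


def quorum_failure_leaves_no_trace():
    """With only 8 signatures nothing happens: no upgrade, no queued message."""
    proxy = InboxProxy()
    try:
        council_recovery_tx(proxy, [f"member{i}" for i in range(8)],
                            HACKER, FROZEN, 1)
    except PermissionError:
        return isinstance(proxy.impl, InboxV1) and proxy.impl.queue == []
    return False


def demo():
    """Nine signers move the hacker's 30,765 ETH; the Inbox ends up unchanged."""
    proxy, l2 = InboxProxy(), L2Chain({HACKER: 30765})
    council_recovery_tx(proxy, [f"member{i}" for i in range(9)],
                        HACKER, FROZEN, 30765)
    l2.process(proxy.impl)   # the L2 sees an ordinary transfer from HACKER
    return l2.balances, type(proxy.impl).__name__


if __name__ == "__main__":
    print(demo())
```

The model deliberately has no private keys anywhere: the L2 debits whatever address the Inbox names, so the real authentication of an L1-to-L2 message is only as strong as the upgrade control on the Inbox, here a 9-of-12 quorum with no timelock.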

Praise the results, but worry about the capability?

Currently, the community's reaction to this matter is divided.

Some people feel that Arbitrum handled things well by protecting assets at a critical moment, even boosting confidence in L2s. Others asked a straightforward question: If nine signatures are enough to move any asset under anyone’s name, is this still decentralized?

I believe both sides are not talking about the same thing.

The former speaks to the outcome, while the latter speaks to the capability. The outcome of this event is certainly positive—the over $70 million in stolen funds has been recovered. However, Arbitrum’s ability to modify contract functions via multisig is inherently neutral; what it will be used for in the future, whether it should be used, and how it will be used ultimately depend on the committee’s governance.

However, for most Arbitrum users, this discussion may be less practical than another fact: Arbitrum is not unique. Almost all mainstream Layer 2 networks currently retain similar emergency upgrade permissions, so the chain you're using most likely also has a security council with comparable powers.

From another perspective, this attack and defense actually reveals a larger picture.

The attacker is North Korea’s Lazarus Group, which has been attributed to at least 18 DeFi attacks this year. Three weeks ago, it stole $285 million from Drift Protocol using a completely different method.

On one side, state-sponsored hackers are continuously escalating their attack methods; on the other, Layer 2 networks are beginning to use their base-layer permissions to counterattack. The security battle in DeFi is entering a new phase, moving beyond "post-incident freezes, on-chain appeals, and hoping for white-hat intervention."

During an emergency, a master key was forged to access the hacker’s address, and after the task was completed, the key was melted down. Just from this incident alone, having the capability to respond to a hacker attack is not bad.

But if we must elevate this to a philosophical debate about “this isn’t decentralized at all,” there’s plenty to discuss. Centralized practices are widespread in the crypto industry; at the very least, this instance involved addressing a negative event and resolving an issue, rather than creating one.

Looking back pragmatically, KelpDAO lost $292 million, and only $70 million has been recovered—less than a quarter of the total. The remaining ETH is still scattered across other chains, and over $100 million in bad debt on Aave remains unresolved; how much rsETH holders will ultimately recover is still unknown.

Even if Arbitrum invoked god-like powers, this battle is clearly far from over.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.