Arbitrum’s Security Council has executed an emergency measure to secure funds associated with the recent KelpDAO exploit after discovering that 30,766 ETH was held on Arbitrum One in an address linked to the attacker. User activities were not affected during this operation.

Security Council Action

The council announced it had worked alongside law enforcement to ascertain the identity of the exploiter. The action was taken to safeguard the integrity of the network. Following thorough technical assessment and discussions, Arbitrum’s Security Council devised a strategy to isolate and transfer the assets without disturbing the state of the blockchain or its users. The funds were relocated to an intermediary wallet, thereby freezing them and restricting access from the original address.

The official statement disclosed that the transfer was completed on April 20 at 11:26 PM ET. No further transfer of the funds can occur without governance-level involvement with relevant parties.

Just prior to this intervention, Onchain Labs highlighted that the exploiter seemed to have burned the 30,766 ETH valued at approximately $70.94 million within Arbitrum.

The KelpDAO Hack

The incident dates back to the KelpDAO exploit on April 18, which resulted in the loss of about 116,500 rsETH tokens, amounting to around $292 million. This event was recognized as one of the most significant breaches in DeFi over the course of the year. Attackers exploited KelpDAO’s cross-chain bridge that utilized LayerZero Labs infrastructure. As per LayerZero, the attacker accessed components of its decentralized verified network by compromising RPC nodes and disturbing regular operations, which enabled the approval and execution of fraudulent cross-chain messages.

LayerZero attributed the extent of the breach to KelpDAO’s implementation of a 1-of-1 verification setup, which lacked independent verification measures. KelpDAO responded by stating:

“The 1-of-1 DVN setup is part of the configuration documented in LayerZero’s guidelines and was implemented as the default for any new OFT deployment. Kelp has functioned on LayerZero infrastructure since January 2024 and has kept an open line of communication with the LayerZero team throughout this period.”

The ramifications extended beyond the bridge as a considerable portion of the assets stolen flowed into lending protocols. For instance, on Aave V3, the attacker deposited rsETH as collateral and borrowed large sums of wrapped ETH, which raised concerns over potential bad debt within the protocol.