The Arbitrum Security Council used its emergency powers on April 21 to freeze approximately $71 million in ETH connected to a bridge exploit that drained Kelp DAO of roughly $292 million worth of rsETH (its liquid restaking token, which represents restaked ETH positions) three days earlier. The council confirmed that the frozen funds will only be moved through further action by Arbitrum governance, setting a significant precedent for how Layer 2 networks respond to on-chain theft.

The Exploit

The attack began on April 18 at 17:35 UTC. An attacker compromised two RPC nodes supporting LayerZero's decentralized verifier network, the system that Kelp DAO's cross-chain bridge relied on to confirm transactions. A simultaneous distributed denial-of-service (DDoS) attack forced the bridge's verification traffic onto the compromised nodes. This allowed the attacker to trick the bridge into releasing rsETH to an address they controlled, without any corresponding burn of tokens on the source chain. The drain totaled 116,500 rsETH, roughly 18% of the token's entire circulating supply of 630,000. Kelp's emergency multisig paused core contracts 46 minutes after the initial drain. Two follow-up attempts, each targeting approximately 40,000 rsETH, failed at 18:26 and 18:28 UTC, less than an hour after the initial drain.

The attacker then deposited 89,567 rsETH into Aave V3 as collateral and borrowed approximately $190 million in ETH and related assets across Ethereum and Arbitrum. The stolen funds were subsequently converted to ETH and consolidated across both chains; the $71 million represents the traceable on-chain portion that remained on Arbitrum and could be frozen. Because the rsETH backing that collateral is stolen and effectively unbacked, Aave now faces potential bad debt estimated at $123.7 million under a "socialized" scenario, where losses are spread across the protocol, or $230.1 million under an "L2 isolation" scenario, where losses are confined entirely to the Arbitrum deployment. AAVE token prices fell roughly 18 to 20 percent in the 25 hours following the exploit, dropping from around $112 to $89.50 (figures provisional and to be confirmed against CoinGecko at time of publication). Aave's total value locked shed an estimated $6 to $8 billion during the same period, according to CoinMarketCap and CryptoTimes, while broader DeFi outflows across the wider ecosystem reached approximately $15 billion, according to DL News.

A Public Dispute Over Responsibility

LayerZero attributed the attack with "preliminary confidence" to a state-sponsored actor, specifically North Korea's Lazarus Group subunit known as TraderTraitor. That attribution has not been independently verified.

The exploit was enabled in part by Kelp DAO's use of a 1-of-1 verifier configuration on its LayerZero bridge, meaning LayerZero Labs served as the sole verifier with no redundancy. LayerZero stated it had issued repeated warnings to move away from that setup. Kelp DAO fired back, noting that 40% of protocols currently using LayerZero run the same configuration and that LayerZero's own reference code ships with single-source verification as a default on major chains. Developer Artem K, known online as @banteg, publicly corroborated that position. Chainlink's Zach Rynes accused LayerZero of "deflecting responsibility" for infrastructure it controls. Aave founder Stani Kulechov clarified that Aave's contracts themselves were not exploited and that rsETH carried no borrowing power on Aave v3 or v4, meaning other users could not borrow rsETH as an asset; this is distinct from its use as collateral, since the attacker was able to post rsETH as collateral to borrow other assets against it, which is the mechanism through which the $190 million in loans was extracted.

Governance Takes the Wheel

The Arbitrum Security Council consists of 12 elected members and can execute emergency actions with a 9-of-12 multisig approval. The council used that power to freeze the $71 million in ETH still traceable on the Arbitrum network. Per the council's statement, any future movement of those funds must go through Arbitrum's broader governance process, meaning token holders will determine recovery options rather than the council acting unilaterally.

This mirrors a precedent set by Sui in May 2025, when validators froze approximately $162 million after the Cetus DEX hack. Sui's governance later approved returning recovered funds to victims with 90.9% of votes in favor. Arbitrum governance involves a larger token holder base and a tiered Security Council structure, unlike Sui's validator-led process, but the underlying principle is similar: emergency powers to freeze, democratic process to resolve.

Regional Stakes

Kelp DAO was built by Amitej G and Dheeraj B, the same founders behind Stader Labs, a liquid staking platform with roots in the Indian entrepreneurial ecosystem. The exploit is a direct blow to one of the most prominent DeFi teams to emerge from South Asia, where India remains among the top markets globally for grassroots crypto adoption. Indian retail users who held rsETH as a yield-bearing asset, whether directly or through any of the more than 40 DeFi platforms across 20-plus chains where rsETH was integrated, face direct losses or prolonged asset freezes.

In Africa, Arbitrum has become a preferred network for retail DeFi users in Nigeria and Kenya precisely because its transaction fees are far lower than Ethereum mainnet, a meaningful factor for users in cost-sensitive economies. The freeze of WETH borrowing capacity on Arbitrum, Base, Mantle, and Linea has directly restricted liquidity on the chains where African and South Asian retail users are most active. With WETH utilization on Arbitrum hitting 100%, smaller users, not just large funds, are caught in the fallout. ARB governance participation requires holding the token, which means the users most affected by the freeze have the least influence over its resolution.

What Comes Next

This exploit now ranks as the largest DeFi hack of 2026, surpassing the Drift Protocol breach on April 1 (approximately $285 million). North Korean-linked actors have now extracted more than $575 million from DeFi across the Kelp and Drift incidents combined, according to Unchained Crypto. The recovery process for Kelp DAO users will depend heavily on how Arbitrum's DAO votes to handle the frozen ETH and whether Aave's risk committees can contain the bad debt exposure before it cascades further. For developers building cross-chain infrastructure on LayerZero, the immediate lesson is direct: single-verifier bridge configurations carry systemic risk, and Kelp DAO estimates 40% of LayerZero protocols are still running the same configuration.