The April 18 attack targeted Kelp DAO, a liquid restaking protocol that held over $628 million in total value locked and served more than 15,000 holders of its rsETH token. Attackers, later attributed to North Korea's Lazarus Group by security firms Halborn and Chainalysis, compromised two RPC nodes (the data relay points that feed information to the bridge's verification system). They then launched a distributed denial-of-service attack against the remaining legitimate nodes, forcing the bridge's sole verifier to rely exclusively on the attacker-controlled data sources. The poisoned verifier signed off on the release of 116,500 rsETH, roughly 18% of the token's entire circulating supply, to attacker-controlled wallets. Total losses are estimated at between $292 million and $294 million. Malware deleted itself and erased local logs after the theft to cover tracks.

Three days after the exploit, the Arbitrum Security Council moved to intercept 30,765.67 ETH that the attacker held on the Arbitrum network. The Council temporarily modified Arbitrum's inbox contract on Ethereum to impersonate the exploiter's wallet address, redirecting those funds to a dead address (0x0000000000000000000000000000000000000DA0) where they remain frozen. The contract was then reverted to its original state. The Council says the action did not affect any ordinary Arbitrum users or applications, and the move was coordinated with law enforcement, which had information regarding the attacker's identity.

Offchain Labs co-founder Steven Goldfeder defended the decision to act without first holding a DAO vote. "The default was do nothing," he told CoinDesk, explaining why the Council chose to intervene. He also described the technical approach as "a way to do it in a very surgical way… without affecting any other user." On the question of broader consultation, he was direct: "The DAO cannot be consulted, because the second the DAO is consulted, that essentially means North Korea is consulted."

On April 25, a coalition of five protocols filed a Constitutional AIP (a governance proposal subject to the highest approval threshold in Arbitrum's system) to redirect the frozen funds. The filers are Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound. If the vote passes, the ETH will be sent to a 2-of-3 Gnosis Safe (a multisignature wallet requiring two of three keyholders to authorize any transaction) jointly controlled by Aave Labs, Kelp DAO, and formal verification firm Certora. From there it would be deployed exclusively toward the DeFi United recovery effort. Constitutional AIPs require multiple stages, including a temperature check, a Snapshot vote, and a full on-chain vote, and the process can take up to 49 days to complete.

The frozen ETH represents roughly 40% of the total rsETH shortfall, which stands at approximately 163,200 ETH. DeFi United, described as the first coordinated multi-protocol recovery effort in DeFi's history, has already collected pledges from Aave, Lido, EtherFi, Ethena, Mantle, Ink Foundation, and BGD Labs. Aave's prominent role in both the recovery coalition and the governance filing reflects its direct financial exposure: CoinDesk reported that Aave could face up to $230 million in losses from the Kelp DAO exploit. Individual contributors include Consensys founder Joseph Lubin, who pledged up to 30,000 ETH, and Aave founder Stani Kulechov, who committed 5,000 ETH personally. The DeFi United Tracker confirmed the recovery target was reached on April 26, four days before the DAO vote began.

Community micro-donations contributed a further 591.65 ETH, and TRON and HTX injected $20 million in USDT into Aave V3 as additional liquidity support.

The exploit had consequences well beyond Kelp DAO. Within 48 hours of the attack, approximately $13 billion in value exited DeFi platforms globally. Aave, SparkLend, and Fluid froze their rsETH markets immediately, cutting off access to funds for retail users who depend on these platforms for yield or dollar-denominated savings and have few alternatives available to them. That kind of rapid contagion is particularly significant in high-adoption emerging markets. The 2026 Global Crypto Adoption Index ranks India first, Nigeria second, Pakistan eighth, Ethiopia tenth, Kenya thirteenth, and Ghana twentieth globally. Sub-Saharan Africa recorded 184% year-over-year growth in DeFi and Layer 2 activity, with Arbitrum specifically cited as a key network for retail participation because of its low transaction costs. For users in those markets, a 49-day governance window is not an abstract procedural delay. It is a period during which positions remain illiquid and uncertainty about recovery persists.

The Security Council's intervention has also reopened a long-standing debate about where emergency powers begin and end in networks designed to be decentralized. The Council has 12 members serving six-month rotating terms, elected by ARB token holders, and Arbitrum Foundation research head Patrick McCorry noted: "This is a very transparent part of the system… You can see exactly what powers they have." Still, no formal published criteria govern when the Council may invoke those powers, and community members are now pressing for a documented framework. The outcome of this vote will shape how Arbitrum, and the broader L2 ecosystem, manages the tension between censorship resistance and emergency response for years to come.