Arbitrum Secures $71 Million in Ether Linked to Kelp DAO Exploit

A significant portion of the Kelp DAO exploit funds has been immobilized. Arbitrum's Security Council took decisive action on Monday, freezing 30,766 ETH, worth approximately $71 million, that was linked to the $292 million rsETH exploit that occurred on Saturday. rsETH is a liquid restaking token issued by Kelp DAO that represents a user's stake in restaked ether.
The Security Council, acting on law enforcement's identification of the exploiter and with law enforcement's input, moved the funds to an intermediary wallet that can only be accessed through further governance action on Arbitrum. The council ensured that the freeze did not affect any users or applications on the network. According to Arbitrum's statement, the transfer was completed at 11:26 p.m. ET on April 20, effectively removing control of the stolen funds from the original address.
This move successfully recovers about a quarter of the total amount drained from Kelp's LayerZero-powered bridge, which was exploited by attackers who pulled 116,500 rsETH by compromising verifier infrastructure. LayerZero has preliminarily attributed the attack to North Korea's Lazarus Group.
Arbitrum is a layer-2 blockchain built on Ethereum, and its Security Council has emergency powers to intervene in such scenarios, although governance-level actions on user funds are rare and can be contentious because they introduce discretionary control. The freeze provides Kelp with a partial recovery option, in addition to any potential recoveries by law enforcement and chain-tracing firms. It also raises questions about how responsibility for the exploit is divided between Kelp and LayerZero, as any further distribution of losses now has a $71 million offset before other measures like legal action, insurance, or treasury contributions are considered.
Kelp is currently exploring a recovery fund with ecosystem partners and evaluating next steps, including unpausing and socializing losses, as well as legal coordination with affected parties. The potential for freezing additional stolen funds depends on the attacker's movements of rsETH or its derivatives and whether other chains with similar emergency powers decide to act.