Arbitrum Freezes $71M in ETH Linked to $292M KelpDAO Exploit


Arbitrum’s Security Council has taken emergency action to freeze 30,766 ETH, worth approximately $71 million, held at an address on Arbitrum One connected to the KelpDAO exploit. The move, executed on April 20 at 11:26 PM ET, came two days after the largest DeFi hack of 2026 drained nearly $292 million from the liquid restaking protocol.

How the freeze was executed

The Security Council acted with input from law enforcement regarding the exploiter’s identity, conducting what Arbitrum described as significant technical diligence to ensure the operation had no impact on regular users, applications, or any other chain state on Arbitrum One. The flagged ETH was transferred to an intermediary frozen wallet and can no longer be accessed by the original address.

Any future movement of the funds requires a formal decision by Arbitrum governance, which will be coordinated with relevant law enforcement agencies. The council stated it balanced its commitment to community security and network integrity throughout the process.

KelpDAO responded to Arbitrum’s announcement shortly after on X, expressing appreciation for the Security Council’s decision. In its post, the KelpDAO team said it had worked closely and constructively with members of the Security Council and the broader ecosystem over the preceding two days, describing the coordination as a positive collaboration under difficult circumstances.


Background: The $292 million KelpDAO exploit

On April 18, attackers exploited KelpDAO’s cross-chain bridge, which was built on LayerZero infrastructure. KelpDAO is a liquid restaking protocol that accepts ETH deposits, routes yield through EigenLayer, and issues a receipt token called rsETH that users can move across chains. The bridge held reserves backing rsETH on more than 20 blockchain networks.

The attackers first poisoned two of LayerZero’s own verification servers, then overwhelmed backup nodes with a DDoS attack, forcing the verification layer onto compromised infrastructure. This allowed them to forge a cross-chain packet that released 116,500 rsETH, roughly 18.5% of the circulating supply, from the Ethereum adapter without burning any tokens on the source chain. The adapter balance dropped from 116,723 rsETH to just 223 rsETH in a single block.
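The core invariant broken here is that every release from the adapter must be backed by a burn on the source chain. The following reconciliation check is an added example, not code from KelpDAO or LayerZero; the event shapes, GUIDs and chain names are constructed for illustration, and only the 116,500 rsETH figure comes from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Burn:
    guid: str        # cross-chain message id (constructed)
    src_chain: str   # chain where the tokens were burned
    amount: int      # rsETH, whole tokens for readability

@dataclass(frozen=True)
class Release:
    guid: str
    src_chain: str   # chain the packet claims to originate from
    amount: int
    block: int       # block of the release on the adapter's chain

def unbacked_releases(burns, releases):
    """Return (release, reason) for each release lacking one unspent matching burn."""
    unspent = {(b.guid, b.src_chain): b for b in burns}
    findings = []
    for r in sorted(releases, key=lambda r: r.block):
        burn = unspent.pop((r.guid, r.src_chain), None)  # each burn backs one release
        if burn is None:
            findings.append((r, "no unspent burn on the claimed source chain"))
        elif burn.amount != r.amount:
            findings.append((r, f"burned {burn.amount}, released {r.amount}"))
    return findings

# Constructed sample data: two ordinary transfers and one release with no burn.
BURNS = [Burn("0xa1", "chain-A", 150), Burn("0xa2", "chain-B", 73)]
RELEASES = [
    Release("0xa1", "chain-A", 150, 100),
    Release("0xa2", "chain-B", 73, 101),
    Release("0xff", "chain-A", 116_500, 102),  # amount from the article
]

if __name__ == "__main__":
    for rel, reason in unbacked_releases(BURNS, RELEASES):
        print(f"ALERT block {rel.block}: {rel.amount} rsETH released, {reason}")
```

A monitor like this only helps if it reads the source chain through infrastructure independent of the bridge's own verifiers.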

The stolen rsETH was then deposited as collateral across Aave V3 markets on Ethereum and Arbitrum, where the attackers borrowed approximately 82,650 WETH and 821 wstETH. KelpDAO’s emergency multisig paused core contracts 46 minutes after the drain. Two follow-up attempts targeting 40,000 additional rsETH were blocked.

DeFi contagion and the $13 billion TVL wipeout

The fallout spread swiftly. Aave froze rsETH markets on V3 and V4, which resulted in $6.2 billion in net withdrawals within 24 hours and pushed its total value locked from $45.8 billion to $35.7 billion. At least nine protocols froze or restricted activity, including SparkLend, Compound, Fluid, Morpho and Euler. Pending identification of the root cause, Morpho suspended its cross-chain bridge for MORPHO. The total value locked across DeFi dropped by approximately $13.21 billion within 48 hours.

In a report issued to the Aave governance forum, risk firm LlamaRisk estimated bad debt exposure across seven Aave markets of between $123.7 million and $230.1 million, depending on loss allocation. As of April 20, 2026, the Aave DAO treasury holds approximately $181 million in assets.

Lazarus Group attribution and the LayerZero-Kelp dispute

LayerZero published a formal post-mortem on April 20 attributing the breach to North Korea’s Lazarus Group, specifically its TraderTraitor subunit, and confirmed cooperation with global law enforcement. The same group has been linked to the Drift Protocol exploit on April 1, which cost approximately $285 million, bringing the alleged combined haul to over $575 million in 18 days.

The two firms are publicly at odds over who bears responsibility. LayerZero says KelpDAO ran a 1-of-1 DVN configuration, a single-validator setup with no independent check, against its recommendations. KelpDAO counters that the compromised infrastructure was LayerZero’s own, noting that LayerZero’s default GitHub setup and quickstart documentation both point to a 1/1 DVN configuration. 

Yearn Finance developer @banteg confirmed on X that LayerZero’s reference deployment ships with single-source verification defaults across major chains. Chainlink community manager Zach Rynes stated on X that LayerZero was deflecting responsibility for its own compromised infrastructure.
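The dispute turns on how many independent parties must be compromised before a forged packet verifies. The audit below is an added example, not LayerZero's or KelpDAO's code; it assumes a quorum of all required verifiers plus a threshold of optional ones, and every DVN name, operator name and pathway is hypothetical.

```python
from itertools import combinations

def min_operators_to_forge(required, optional, threshold, operator_of):
    """Fewest distinct operators an attacker must control to satisfy the quorum:
    every required verifier plus `threshold` of the optional ones.
    Returns (count, operators), or None if the quorum can never be met."""
    if not required and threshold == 0:
        return 0, ()                        # nothing verifies the packet at all
    ops = sorted({operator_of[v] for v in [*required, *optional]})
    for k in range(1, len(ops) + 1):
        for chosen in combinations(ops, k):
            owned = set(chosen)
            if (all(operator_of[v] in owned for v in required)
                    and sum(operator_of[v] in owned for v in optional) >= threshold):
                return k, chosen
    return None                             # e.g. threshold exceeds optional count

def audit(pathways, operator_of, minimum=2):
    """Names of pathways that fewer than `minimum` operators can forge."""
    flagged = []
    for name, (required, optional, threshold) in pathways.items():
        result = min_operators_to_forge(required, optional, threshold, operator_of)
        if result is not None and result[0] < minimum:
            flagged.append(name)
    return flagged

# Hypothetical verifier-to-operator mapping and pathway configurations.
OPERATOR_OF = {"dvn-a": "op-1", "dvn-a-backup": "op-1",
               "dvn-b": "op-2", "dvn-c": "op-3", "dvn-d": "op-4"}
PATHWAYS = {
    "one-of-one":    (["dvn-a"], [], 0),
    "same-operator": (["dvn-a", "dvn-a-backup"], [], 0),   # two DVNs, one operator
    "diverse":       (["dvn-a"], ["dvn-b", "dvn-c", "dvn-d"], 2),
}

if __name__ == "__main__":
    print(audit(PATHWAYS, OPERATOR_OF))
```

Counting operators rather than verifiers matters: two verifiers run by the same party still fall to a single compromise.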

ARB price

The ARB token is trading at approximately $0.1224, with a 24-hour trading volume of around $91.5 million and a market cap of approximately $764 million, based on a circulating supply of 6 billion ARB tokens. The token is up roughly 14% over the past seven days and has recovered from its all-time low of $0.0865 recorded on March 29, 2026. Analysts note the token is attempting to build a base above the $0.10–$0.12 zone and has broken above its 21-day moving average for the first time since the summer of 2025.

Source: CoinGecko


The Chain Chronicler