Arbitrum freezes $71M in ETH linked to KelpDAO hack

Arbitrum’s Security Council used a forced state transition on April 21 to freeze 30,776 ETH (about $71M) on Arbitrum One and moved the funds to a secure wallet.

On April 21, 2026, Arbitrum’s Security Council froze 30,776 ETH, roughly $71 million, on Arbitrum One that it traced to the KelpDAO exploit and moved the tokens into a wallet controlled by the council. The frozen funds can be released only after a governance decision.

The council traced the assets to addresses connected to the hack and acted before the tokens were bridged back to Ethereum for mixing. Arbitrum said the action followed consultation with law enforcement and that the funds were relocated to a wallet inaccessible to the exploiter.

Arbitrum used a forced state transition to move the ETH, a mechanism that transferred the tokens without a signature from the original wallet. The council wrote that the step aimed to limit bad-debt contagion on the layer-2 network and to protect funds tied to Arbitrum-native protocols. Arbitrum reported it has recovered roughly a quarter of the stolen funds on the layer-2 network, while questions remain about rsETH reserves and collateral backing on the L2 versus the Ethereum mainnet.

Protocols responding to the exploit took precautionary measures. Aave froze its two riskiest vaults and kept WETH reserves frozen on networks where it runs native markets, including Arbitrum, Base, Mantle, Linea and Ethereum Prime. Aave resumed WETH supply on its Ethereum Core V3 market with a WETH loan-to-value set at zero. Aave and other platforms noted that intercepting frozen funds could reduce an estimated $196 million in potential bad debt if the assets are recovered.

The exploit led to liquidations of rsETH-linked positions and other collateralized loans across multiple services. KelpDAO, affected protocols and LayerZero have been negotiating to trace the attack vector and seek recoveries.

Market flows reflected the disruption. Arbitrum reported about $300 million in outflows, lowering its total value locked to roughly $1.7 billion. Aave’s TVL fell to about $16.52 billion from near $25 billion before the breach.

In a public post, the Security Council wrote: “The Security Council acted with input from law enforcement as to the exploiter’s identity.” Council members debated the intervention before voting to act, acknowledging the trade-off between rapid responses to hacks and the longstanding principle of uncensorable on-chain ownership.

The forced transfer prompted debate across the crypto community. Supporters argued the action was needed to prevent losses spreading through decentralized finance’s composable infrastructure. Critics warned the power to alter state or blacklist addresses could change expectations about custody and on-chain control.
