The Arbitrum Security Council took emergency measures to stop 30,766 ETH connected to a USD 290 million attack against KelpDAO, attributed to North Korea’s Lazarus Group. These funds will be inaccessible to the exploiter as they were held on Arbitrum One and then transferred to a before-frozen intermediary wallet on April 20 at 11:26 PM ET.
What the Freeze Happened?
The freeze stems from a design error in the cross-chain configuration of the rsETH token within the KelpDAO protocol. The exploit used a single LayerZero Decentralized Verifier Network (DVN), which is a major deviation from best practices recommending the use of multiple DVNs for redundancy in cross-chain configurations.
After law enforcement identified the attacker, the Arbitrum Security Council conducted “significant technical diligence” to isolate and move the funds without altering the state of any other chain or users on the Arbitrum network. The frozen ETH may only be moved by further Arbitrum governance through cooperation with the appropriate and relevant parties.
This case is unique in that Layer-2 Security Councils usually only act in emergencies at the protocol level; however, since this incident involved a state-sponsored hacking group and such a large-scale theft, there was a historical precedent for taking action. This is a new precedent in the crypto space as blockchain-related governance overrode law enforcement input.
DeFi Exploits in 2026: A Brutal Start
The KelpDAO incident was the largest decentralized finance (DeFi) hack of 2026, and it’s not the only DeFi exploit this year. On April 1, Drift Protocol lost USD 285 million when the attacker compromised its admin keys. Together, the KelpDAO and Drift Protocol exploits account for over USD 575 million or 74% of the $775 million in total DeFi losses recorded so far in 2026.
Other significant breaches include:
- CrossCurve bridge exploit (approximately USD 3 million in February)
- BlockFills bankruptcy (not a hack, however, USD 110 million insolvency)
- Bitcoin Depot hack (approximately USD 3.6 million in March)
- Matcha Meta Exploit (drained USD 16.8 million via Compromised Router in January)
- Makina Finance Exploit (USD 4.2 million lost from Curve Stablecoin Pool)
- Unleash Protocol Exploit (a governance breach that resulted in USD 3.9 million lost)
- Grinex Cyber Attack (the exchange suspended operations after USD 15 million hack in April)
As a result of the KelpDAO exploit, DeFi total value locked (TVL) has been reduced by USD 13 billion, with AAVE alone experiencing around USD 10 billion loss in value (at the time of writing) as users withdrew funds in panic.
What Comes Next for DeFi
Arbitrum’s freeze of over USD 70 million in funds linked to the KelpDAO protocol has created a contentious new precedent: chain-level governance can now permanently freeze assets related to off-chain exploits, even when the underlying protocol (KelpDAO) was not on Arbitrum. While supporters of this approach argue that it is necessary to protect against state-sponsored theft, detractors claim it undermines the decentralization of the DeFi ecosystem (the main idea of all of this).
Where are you at in this debate?. For now, we all hope developers have learned the lesson: multi-DVN setups will not be optional. Not surprisingly, LayerZero has announced that it will not sign messages for any applications using a single 1/1 DVN model in the future.
