Rewards Hub 
Arbitrum's Security Council froze 30,766 ETH worth approximately $71 million on April 20 at 11:26 PM ET, moving funds linked to the Kelp DAO bridge exploit into an intermediary wallet that nobody can touch without a full governance vote. Nine of the council's 12 members signed off on the emergency action after consulting with law enforcement about the exploiter's identity.
The freeze recovered roughly 25% of the $292 million stolen from Kelp's cross-chain bridge on April 18, making it one of the fastest high-stakes interventions in DeFi history. ARB rose 3.24% on the news, and the response from major DeFi protocols was overwhelmingly supportive. But outside that immediate circle, the reaction has been anything but unified. Critics are calling it proof that Layer 2 networks are centralized chains wearing decentralized clothing, while supporters argue that letting North Korean hackers walk away with $71 million to preserve philosophical purity is absurd.
Both sides have a point, and that tension is the real story here.
What the Security Council Actually Did
The Security Council used its 9-of-12 emergency multisig to execute the freeze. Under Arbitrum's constitution, emergency actions require 9 out of 12 council members to sign, and those actions are only permitted when user funds are at immediate risk. The council determined that the exploiter was actively moving stolen ETH through Arbitrum One and could bridge it out to other chains at any moment.
The frozen funds were transferred to an intermediary wallet controlled by the governance system. Accessing those funds now requires a full Arbitrum DAO vote, meaning ARB token holders will ultimately decide what happens to the $71 million. The council cannot spend, redirect, or return the funds on its own.
Arbitrum's governance documentation spells out the distinction clearly. The 9-of-12 multisig handles emergencies with immediate execution, while a separate 7-of-12 threshold handles routine upgrades with a built-in time delay. And everything else goes through the standard DAO proposal process. The freeze fell squarely into the emergency category, and the council followed the process outlined in Arbitrum's governance framework.
How the Kelp DAO Exploit Happened
The Kelp DAO attack on April 18 drained 116,500 rsETH from the protocol's LayerZero-powered cross-chain bridge, roughly $292 million and about 18% of rsETH's circulating supply. It was the largest DeFi exploit of 2026, and the root cause traced back to a dangerously simple 1-of-1 verifier configuration. When Kelp received messages through LayerZero's cross-chain protocol, only a single node was responsible for validating those messages before releasing funds. Attackers compromised two RPC nodes that fed data to this verifier, then launched a DDoS attack to knock the legitimate nodes offline and force a failover to attacker-controlled nodes. From there, they injected fraudulent cross-chain messages that the lone verifier approved without question.
LayerZero attributed the attack to North Korea's Lazarus Group, specifically the TraderTraitor subunit. The same group was linked to the Drift Protocol exploit on April 1, meaning Lazarus drained more than $575 million from DeFi in 18 days. LayerZero also pointed the finger at Kelp for ignoring repeated warnings to upgrade from a single-verifier setup, and announced it would no longer sign messages for any project using a 1-of-1 configuration.
The stolen rsETH moved across multiple chains, but 30,766 ETH ended up on Arbitrum One, where the Security Council was able to intervene before the funds left the network.
The Case for the Freeze
The supporters have a straightforward argument. The funds were stolen by a state-sponsored hacking group that has funneled billions in crypto theft toward North Korea's weapons programs. Law enforcement had identified the exploiter. The Security Council had a constitutional mechanism to act. And doing nothing would have meant watching $71 million disappear into North Korean coffers while pointing to decentralization principles as the reason.
Aave, SparkLend, and Fluid all froze rsETH-related positions on their own platforms within hours of the exploit, suggesting the broader DeFi ecosystem agreed that intervention was appropriate when the circumstances warranted it. The Arbitrum freeze was larger in scale but identical in logic.
There is also a practical argument about ecosystem credibility. If Arbitrum had the ability to freeze stolen funds and chose not to, every future exploit on the network would carry an implicit message that the chain prioritizes neutrality over user protection. For institutional participants evaluating Layer 2 networks, that is a meaningful risk factor.
The Case Against It
The critics are not arguing that recovering stolen funds is bad. They are arguing that the ability to freeze funds at all is the problem, regardless of how responsibly that ability is used today.
Charles Guillemet, CTO of Ledger, described the freeze as a reflection of existing design realities rather than a deviation from them. His point was not that the council acted wrongly, but that the freeze made visible the governance structures that most users did not realize existed. A 9-of-12 multisig that can freeze any address on the network is, by definition, a centralized control mechanism. The fact that it was used to freeze a hacker today does not change its ability to freeze anyone tomorrow.
Justin Sun jumped into the conversation to promote Tron as "the most decentralized blockchain," which tells you roughly how seriously to take that particular contribution. But the underlying criticism has more substance than Sun's marketing. If 9 people can override the state of a network that holds billions in user assets, the trust model is fundamentally different from what most Arbitrum users believed they were opting into.
The precedent question is real. Every future freeze request will be measured against this one. What happens when the exploiter is not Lazarus Group but a DeFi protocol that made a legitimate trade that someone else wants reversed? What happens when a government requests a freeze for sanctions compliance rather than theft recovery? The council's power does not come with an asterisk that limits it to sympathetic cases.
What This Reveals About Layer 2 Security
The uncomfortable truth is that most major Layer 2 networks operate with similar governance structures. Arbitrum's 9-of-12 Security Council is not an outlier, because Optimism runs a similar multisig setup and Base operates entirely under Coinbase's infrastructure. And until these networks complete their "progressive decentralization" roadmaps, centralized emergency powers are a feature, not a bug.
L2BEAT tracks the decentralization status of every major rollup, and the data is sobering. Most Layer 2 networks still have upgrade keys held by small groups, emergency pause functions that bypass governance, and sequencer infrastructure controlled by a single entity. Arbitrum is actually more decentralized than many of its competitors because its Security Council is elected by DAO token holders rather than appointed by a foundation.
The Kelp exploit exposed this reality for a mainstream audience, but the information was always public. Arbitrum's governance documents explicitly describe the Security Council's emergency powers. The constitution spells out the 9-of-12 threshold, and none of this information was hidden from anyone willing to look. The difference is that most users never read governance documentation until something forces them to.
|
Network
|
Emergency Mechanism
|
Threshold
|
Elected by DAO?
|
|
Arbitrum
|
Security Council multisig
|
9 of 12
|
Yes
|
|
Optimism
|
Security Council multisig
|
Variable
|
Partially
|
|
Base
|
Coinbase-controlled upgrade keys
|
Centralized
|
No
|
|
zkSync
|
Matter Labs upgrade keys
|
Centralized
|
No
|
What Happens to the $71 Million Next
The frozen funds sit in an intermediary wallet under governance control. The Arbitrum DAO must now vote on what to do with them. The most likely options are returning the funds to Kelp DAO (which would distribute them to affected users), holding them pending further law enforcement action, or some combination of the two.
This governance vote will be closely watched because it sets the template for future freeze events. If the DAO returns funds quickly and cleanly, it validates the Security Council's emergency framework as a legitimate recovery tool. If the process gets bogged down in political infighting or competing claims, it undermines the argument that governance can handle these situations responsibly.
The timeline for the vote has not been announced. Arbitrum governance proposals typically require a multi-day discussion period followed by a snapshot vote and then an on-chain execution delay. For $71 million in stolen funds with law enforcement involvement, the process could move faster or slower than standard proposals depending on the complexity of the claims involved.
Frequently Asked Questions
Can the Arbitrum Security Council freeze anyone's funds?
The council has the technical ability to execute emergency actions on the network, including freezing addresses. However, the Arbitrum constitution limits emergency powers to situations where user funds are at immediate risk, and any action requires 9 of 12 elected council members to sign. The frozen funds then move to governance control, where token holders decide what happens next.
Is Arbitrum decentralized if 9 people can freeze funds?
Arbitrum is in a phase called "progressive decentralization," meaning it still relies on a Security Council for emergency situations while gradually shifting control to the DAO. The council members are elected by ARB token holders, which adds a layer of accountability that fully centralized L2s lack. But the ability to override the chain state through a multisig is, by definition, a centralized control point regardless of how the signers are selected.
Who was behind the Kelp DAO exploit?
LayerZero attributed the $292 million exploit to North Korea's Lazarus Group, specifically the TraderTraitor subunit. The same group was linked to the Drift Protocol hack on April 1, 2026, bringing Lazarus-attributed DeFi losses to over $575 million in less than three weeks.
How much of the stolen Kelp DAO funds have been recovered?
The 30,766 ETH frozen by Arbitrum's Security Council represents approximately $71 million, or about 25% of the total $292 million stolen. The remaining funds were distributed across more than 20 chains and have not been recovered as of April 22.
Bottom Line
The Arbitrum freeze did exactly what it was designed to do. It stopped $71 million in stolen funds from disappearing into North Korean wallets, and it did so through a process that was constitutional, transparent, and supported by law enforcement intelligence. ARB holders will now vote on what happens to the money, which is more democratic than most traditional financial recoveries.
But the centralization question does not go away just because this particular use was justified. Every Layer 2 network with emergency multisig powers faces the same tension, and the Kelp exploit forced that conversation into the open. The networks that will win long-term trust are the ones that either remove these powers entirely through full decentralization or build governance frameworks strong enough that the powers are constrained by more than good intentions. Right now, Arbitrum is closer to that standard than most of its competitors, but closer is not the same as there.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.
