Skip to content
- Arbitrum froze 30,766 ETH tied to KelpDAO exploit, funds are now locked via governance control.
- KelpDAO hack minted 116,500 rsETH via LayerZero bug, causing $177M–$200M in Aave debt.
- Freeze shows L2 reliance on multisig governance, raising decentralization concerns.
Arbitrum has faced renewed scrutiny after governance actors froze funds tied to the $292 million KelpDAO exploit. The intervention has raised questions about decentralization and highlighted the role of emergency controls within leading layer-2 networks under stress conditions.
Charles Guillemet, chief technology officer at Ledger, said in a post on X that the move reflects a structural reality across scaling networks. Many systems rely on trusted groups that can intervene when risks escalate. He described the action as a “state-changing” event.
However, the action came two days after the exploit. Arbitrum’s Security Council froze 30,766 ETH linked to the attacker. The funds were moved to an intermediary wallet. Access to these assets now depends on further governance decisions.
Arbitrum Multisig Freeze Follows KelpDAO Hack
Guillemet noted that human-controlled keys executed the freeze. This action overrode standard on-chain behavior. So far, no vulnerability in Arbitrum’s smart contracts was used to carry out the freeze. The intervention relied on predefined emergency powers.
These protocols are not hidden in the background of these networks. Arbitrum has upgradeable contracts and emergency controls. They are commonly run using multisig wallets. This gives room for the governance members to act in the event of any emergency.
Additionally, other blockchains also have such protocols. Optimism and zkSync are also running on governance protocols. The systems can operate under certain circumstances. Moreover, several rollups are classified as belonging to decentralized governance phases.
However, the motive behind the action is the attack on KelpDAO. More than 116,500 rsETH tokens were generated without any security backing. The tokens were then utilized as collateral on lending platforms.
The exploit resulted from a cross-chain bridge bug. While it was linked to infrastructure associated with LayerZero. The attacker created fake transaction messages. This led to the creation of unsupported tokens.
Also Read: Coinbase Expands UK Crypto Loans With $5M Limit and Instant Access
The impact spread across major DeFi protocols. Aave absorbed large losses due to fake collateral. Estimates placed bad debt between $177 million and over $200 million. The event disrupted lending markets.
Aave Outflows Rise as Governance Risks Surface
Large withdrawals followed the incident. Billions in ETH exited Aave within days. Its total value locked dropped sharply. The reaction reflected concerns about system exposure.
Guillemet said the freeze did not break the system. He argued it exposed underlying assumptions. Governance actors retained the ability to influence outcomes. This applies across much of the DeFi stack.
He noted that permission levels differ depending on the platform. Upgradeable smart contracts continue to be prevalent. Oracle dependencies are very common. Multisignature governance keeps support operations
This event illustrates one of the most fundamental design choices. It is more difficult to defend permissionless systems. Governed systems can make quick decisions. Each approach introduces different risks.
Here, the freeze would have probably restricted any further action on the funds. It further highlights the necessity for human involvement as part of modern systems. Layer-2 systems can depend on the governing principle during extreme situations.
Guillemet mentioned long-term fixes for the problem. He stressed better cryptographic assurances. Systems that depend on proof-of-validity would decrease the need for governance. These approaches aim to enforce outcomes through mathematics rather than human control.
Also Read: LayerZero Attack Triggers $290M Loss as rsETH Weakness Exposed
