Arbitrum’s security council on April 21 used a system-level transaction to freeze 30,766 ETH linked to the KelpDAO exploit, in what is emerging as a key test of on-chain emergency powers. The action secured roughly $71 million of stolen assets without rolling back the blockchain or altering past transaction history.
The move followed a major breach on April 18 that drained about $292 million from KelpDAO, one of the largest decentralized finance incidents of 2026. The exploit has already spilled over into wider markets, cutting Aave’s total value locked from around $15 billion to $8.4 billion in two days as users pulled liquidity.
How the freeze worked on arbitrum
The freeze was executed via Arbitrum’s ArbOS framework using a special system transaction format, ArbitrumUnsignedTxType (EIP-2718 type 0x65/101). This transaction type:
- cannot be signed by any external account
- must originate from the protocol itself
- operates directly at the state level
Instead of undoing blocks, the mechanism forced a state update that transferred ETH away from the compromised address into an intermediary frozen wallet. All previous blocks and transactions remain unchanged on-chain.
Offchain Labs said this transaction type was specifically designed for emergencies under Arbitrum’s progressive decentralization roadmap. The security council, operating under a 9-of-12 multisignature scheme, authorized the move as a built-in safeguard to stem further misuse of the funds. Law enforcement input guided the selection of the frozen wallet.
Attacker’s address still live, but funds moved
The attacker’s private key remains valid and can still sign transactions from the original address. However, the ETH previously held there has already been moved under the protocol’s state transition rules.
Because no blocks were removed or revalidated, Arbitrum avoided a chain reorganization. This preserved the integrity of recorded blockchain history while changing the live state of ownership for the targeted funds.
Centralized failsafe inside a decentralized network
The intervention highlights a deliberate design choice: embedding a centralized emergency switch inside an otherwise decentralized system. While Arbitrum operates with a high degree of automation, the security council retains the authority to:
- execute emergency system-level transactions
- freeze or redirect compromised assets in defined scenarios
- act without a network-wide rollback
This structure offers a path to partial asset recovery in severe exploits but also concentrates power in a small, identified group. The episode puts fresh focus on who can influence the state of a ledger during crises and under what conditions.
Details of the KelpDAO exploit and market impact
The KelpDAO incident stemmed from a vulnerability in a cross-chain messaging system. That flaw allowed an attacker to illegitimately mint 116,500 rsETH tokens, amounting to about 18.5% of the token’s circulating supply before the attack.
Key consequences included:
- about $292 million drained from KelpDAO
- approximately $71 million later secured on Arbitrum via the council’s freeze
- rapid contagion to other protocols, most visibly:
- Aave’s total value locked dropping from around $15 billion to $8.4 billion within 48 hours
- liquidity stress and concerns over bad debt creation
The incident underlines how weaknesses in bridging and cross-chain communication layers can trigger systemic shocks, even in protocols that are not directly exploited.
What this means for risk assessment
The Arbitrum freeze adds a new dimension to asset security and governance analysis across chains and protocols. For market participants, key areas of scrutiny now include:
- governance structure of underlying networks
- existence of a security council or similar body
- size and threshold of multisignature controls
- scope of powers: can they freeze funds, alter state, or pause activity?
- transparency over member identities and accountability
- architecture of cross-chain and messaging layers
- history of audits and testing
- upgrade and emergency procedures
- dependency mapping between protocols (who is exposed if something fails?)
- contagion pathways
- how a failure in one protocol, particularly a bridge or messaging layer, can:
- force liquidations
- create bad debt
- trigger liquidity runs on seemingly unrelated platforms
- how a failure in one protocol, particularly a bridge or messaging layer, can:
As more value moves across chains, the KelpDAO exploit and Arbitrum’s response are likely to become reference points in debates about how much emergency power is acceptable in a system that aims to remain credibly neutral, and how those powers should be governed.
For deeper insight into crypto safety during protocol emergencies, explore Toobit Academy’s guide on improving crypto safety today.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
