#Gate13周年现场直击

The exploit occurred on April 18, 2026, at approximately 17:35 UTC, targeting KelpDAO's LayerZero-powered rsETH cross-chain bridge.

Total Stolen Amount
An attacker drained 116,500 rsETH representing about 18% of rsETH's 630,000 token circulating supply valued at roughly $292 million at the time of the exploit. This is now confirmed as the largest DeFi hack of 2026.

How the Attack Was Executed:

The attackers, whose wallets were pre-funded via Tornado Cash, submitted a fraudulent LayerZero message (nonce 308) to the bridge's OFT adapter. This tricked the contract into releasing real rsETH without a corresponding burn on the source chain. Within minutes, the attackers funneled the stolen tokens into lending protocols like Aave. Hackers then used the stolen funds as collateral to borrow over $236 million in WETH and other assets.
The attack exploited a weak 1-of-1 DVN (Data Verification Network) configuration on the route, creating a single point of failure.

Funds Distribution Across Chains:

The attacker converted portions into ETH and routed funds across chains roughly $178 million on Ethereum mainnet and about $100 million onto Arbitrum.

Arbitrum's Emergency Freeze Action:

The Arbitrum Security Council seized 30,766 ETH from an address on Arbitrum One linked to the exploit and transferred it into a frozen intermediary wallet. The action was carried out without disrupting the network or affecting user activity. The funds will remain locked unless governance approves any further steps.
The transfer completed at 11:26 p.m. ET on April 20. The stolen funds are no longer under the control of the address that originally held them.
The Security Council, composed of 12 elected members who hold the keys to a 9-of-12 multi-signature wallet, utilized its emergency powers to execute the freeze. These funds cannot be moved again without a formal Arbitrum governance vote.

Recovered vs. Remaining Stolen Funds:

The Arbitrum Security Council froze 30,766 ETH ($71.15 million) approximately 29% of the ether the exploiter had accumulated across chains.
Following the Arbitrum freeze, the KelpDAO hacker moved all 75,701 ETH ($175 million) remaining on Ethereum and began laundering the funds.
On-chain investigator ZachXBT reported that the attackers had moved $1.5 million from Ethereum mainnet to Bitcoin via Thorchain, and another $78,000 routed through Umbra.

Who Is Behind the Hack:

LayerZero attributed the attack to North Korea's Lazarus Group. The attackers allegedly compromised RPC nodes in LayerZero's network, poisoning two nodes while launching DDoS attacks on a third.

Wallet / Blacklist Status:

As of April 20, the ETH has been moved to a frozen intermediary wallet, cutting off the exploiter's access. Any further movement of these funds will now require approval through Arbitrum's governance process in coordination with relevant authorities.

DeFi Market Reaction:

Total value locked across DeFi dropped from $26.4 billion on April 18 to nearly $20 billion by Sunday morning. The AAVE token fell more than 18% as depositors scrambled to withdraw funds.
Aave froze rsETH markets on V3 and V4 within hours. SparkLend and Fluid also froze their rsETH markets.
ARB Token Price Reaction
ARB was trading at $0.124 at the time of publication, down 2.5% over the past 24 hours.

Official KelpDAO Statement:

KelpDAO thanked the Arbitrum Security Council and ecosystem stakeholders, stating the team had worked closely and constructively with members of the Security Council over two days to execute the intervention. They acknowledged the exceptional efforts of Security Alliance's SEAL 911, whose coordination was instrumental in bringing clarity to the response.
KelpDAO said it is coordinating with ecosystem partners on a recovery fund and weighing next steps on unpausing, loss socialization, and legal coordination with affected counterparties.
Official Arbitrum Statement
Arbitrum's Security Council stated: "The Security Council acted with input from law enforcement as to the exploiter's identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications."
The council also stated it carefully chose a path that would isolate the issue without disrupting normal network activity.

Community & Social Media Sentiment:

Reaction was sharply divided.
On-chain security expert Taylor Monahan characterized the freeze as DeFi collectively acting against North Korean hackers, calling it a win for the industry. White hat hacker and Security Alliance founder samczsun described it as a major day for hack victims and expressed hope that the industry had realized it could build useful products while also protecting users.

Critics raised deeper concerns about governance centralization. One user wrote that this move exposed Arbitrum as a multisig wallet that can unilaterally freeze funds. Another noted: "When it matters most, governance overrides decentralization."

Arbitrum Security Council member Griff Green defended the decision, writing: "We did not make this decision lightly there were countless hours of debates, technical, practical, ethical and political. But all it takes for evil to triumph is for good men to do nothing."
Dispute Between LayerZero and KelpDAO
In the wake of the incident, a dispute emerged between LayerZero and KelpDAO over security configurations, with each party pointing to different documentation standards for the protocol's setup.

Security Lessons for Users and Protocols:
The incident exposed how interconnected bridges and oracles can amplify a single vulnerability into an ecosystem-wide shock.
Key lessons identified by the community and developers:
Never rely on a 1-of-1 DVN configuration for cross-chain messaging always use multi-verifier setups
Emergency pause functions must be in place and tested before incidents occur
KelpDAO responded by using its emergency pauser multisig to freeze core rsETH contracts roughly 46 minutes after the initial attack, blocking additional drains estimated at over $100 million
Cross-chain bridge configurations must be reviewed by independent auditors regularly
Protocols must review oracle dependencies and collateral risk on lending markets

Investigation Status (as of April 22, 2026)

Arbitrum freeze: Complete. 30,766 ETH locked in governance-controlled wallet

Law enforcement: Actively involved, provided identity input to Arbitrum Security Council

Lazarus Group (North Korea): Attributed as likely perpetrators by LayerZero

Remaining ~$175 million on Ethereum mainnet: Still being tracked on-chain, laundering in progress

KelpDAO recovery fund: Under coordination with ecosystem partners

Arbitrum governance vote: Pending on final disposition of frozen funds

Centralization Debate The Bigger Question:
This event has reignited the oldest debate in crypto: Can a blockchain be truly decentralized if its assets can be frozen? The KelpDAO intervention proves that on Layer 2 networks like Arbitrum, asset ownership is only as absolute as the code's emergency mechanisms allow.

Supporters described the action as necessary to protect users and maintain network stability. Critics argued it signals the presence of centralized control mechanisms in Layer-2 systems, raising questions about the validity of permissionless ownership.

Risk for Similar Protocols:

rsETH is deployed across more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. With the bridge reserve drained, holders on non-Ethereum deployments face questions about whether their tokens have sufficient backing, creating a feedback loop where panic redemptions on Layer 2s pressure the unaffected Ethereum supply.
More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks what once looked like isolated breaches now resembles a sustained campaign.

Final Market Outlook:

The KelpDAO exploit is a structural warning for the entire liquid restaking and cross-chain messaging sector. The Arbitrum Security Council's intervention unprecedented in scale and method partially contained the damage, but the majority of stolen funds remain in motion. The incident has accelerated industry-wide demand for multi-verifier bridge configurations, stronger oracle standards, and clearer emergency governance frameworks. Trust in DeFi bridges will require meaningful security upgrades before it fully recovers.

#Gate13周年
#CreatorCarvinal
#ArbitrumFreezesKelpDAOHackerETH