The largest recent hacking incident in the DeFi space has seen new developments. On Tuesday, the Arbitrum Security Council took action to freeze approximately $71 million in stolen funds, but the attacker responded almost immediately. The incident began when an unknown attacker exploited a vulnerability in the Kelp DAO cross-chain bridge based on LayerZero, stealing 116,500 rsETH, valued at about $292 million, which accounts for approximately 18% of the token's total circulating supply.
The stolen rsETH was subsequently deposited into Aave V3 as collateral, and about $196 million in wrapped Ethereum was borrowed, causing Aave to incur bad debt not of its own making and triggering a confidence crisis in the DeFi space last week. The Arbitrum Security Council froze 30,766 ETH (worth approximately $71 million) and transferred it to a governance-controlled wallet. This was a swift and meaningful intervention.
The attacker did not sit idly by. Within hours of Arbitrum's action, the hacker began moving the funds. Arkham data confirmed that the Kelp DAO hacker had transferred all 75,701 ETH (approximately $175 million) and started laundering the money. Arbitrum's freeze successfully intercepted $71 million, but the larger remaining portion, $175 million, is already on the move and is being actively concealed.
This outcome has sparked a debate that extends far beyond Kelp DAO and Aave. Arbitrum's ability to freeze wallet addresses (even in cases of clear theft) immediately raised questions about what blockchain immutability means in practice and who has the authority to override it. For some, this is a responsible crisis response by a mature ecosystem to protect users; for others, it is precisely the kind of centralized intervention that decentralized infrastructure aims to prevent.
What is indisputable is that this attack has damaged the broader credibility of DeFi. The Kelp DAO vulnerability exposed the collateral risks of lending protocols, causing an outflow of $8.45 billion from Aave, leading to a nearly 20% drop in the price of the AAVE token, and triggering a philosophical confrontation about the limits of decentralization at a time when the ecosystem most needed to demonstrate confidence.
