Arbitrum Emergency Authority Recovers KelpDAO Stolen Funds, Sparking Debate on L2 Security Governance

BroadChain has learned that at 16:16 on April 21, according to TechFlow, KelpDAO suffered a theft of nearly $300 million in assets last week, making it one of the largest security incidents in the DeFi space this year. Among these, 30,765 ETH worth over $70 million remained in an address on the Arbitrum chain. On-chain monitoring revealed that the funds from this address were recently transferred to an all-zero address, sparking speculation. The Arbitrum official forum subsequently disclosed that its Security Council invoked emergency powers. By temporarily upgrading the core cross-chain bridge contract Inbox, the Council added a new function, allowing it to forge a cross-chain message in the name of the hacker's address without possessing the private key, thereby instructing the transfer of funds to a frozen address. After the operation was completed, the contract was immediately downgraded, with the entire process packaged in a single Ethereum transaction, without affecting other users. Arbitrum stated that this action was coordinated in advance with law enforcement, confirming the attacker's connection to the North Korean Lazarus Group, and underwent technical evaluation. Among the 12 members of the Security Council, signatures from 9 are required to execute such emergency upgrades, without the need for governance voting. Community reactions have been divided: some affirm the effectiveness of the swift asset recovery, while others question the deviation from decentralization principles. Analysis points out that current mainstream L2s generally have similar security councils and emergency power mechanisms, which are not unique to Arbitrum. This incident also reflects a new trend in DeFi security confrontations: state-level hacker groups continue to evolve their attack methods, while Layer 2 networks are beginning to utilize underlying permissions for direct intervention. Although some funds were recovered, the total theft from KelpDAO amounted to $292 million, with remaining assets scattered across multiple chains, and issues such as over $100 million in bad debt on Aave remain unresolved.