Arbitrum, in the Name of a Hacker, 'Stole' Back $70 Million in Stolen Funds

深潮TechFlow
特邀专栏作者
2026-04-21 09:04
Even though Arbitrum exercised its god-like permissions, this battle is clearly far from over.
AI Summary
  • Core Viewpoint: The Arbitrum Security Council utilized emergency powers to successfully recover approximately $70 million worth of ETH that was stranded on its chain from the KelpDAO hack. This was achieved through a temporary upgrade of the core contract and the forging of a transaction. This action demonstrates a new capability for L2s to respond to high-level security threats, but it has also sparked community discussions regarding the centralization of its governance authority.
  • Key Elements:
    1. The Arbitrum Security Council, via a 9/12 multi-signature, temporarily upgraded the cross-chain bridge contract, adding a function to initiate transactions "in the name of any address" without requiring a private key. The upgrade, fund transfer, and reversion were completed within a single transaction.
    2. This action targeted an address confirmed by law enforcement as belonging to the North Korean hacker group Lazarus Group. The subsequent handling of the recovered funds requires a DAO governance vote and coordination with law enforcement.
    3. Community reaction is divided: one side praises its effectiveness in protecting assets and boosting confidence; the other side questions whether the authority for a 9-person multi-signature to bypass governance and manipulate assets violates decentralization principles.
    4. Analysis points out that such emergency upgrade authority is a common design among mainstream L2s, not unique to Arbitrum. The capability itself is neutral, and its specific use depends on the governance framework.
    5. The event marks an escalation in DeFi security confrontations: attackers are sophisticated, state-level hacker groups with varied tactics, while defenders are beginning to leverage underlying protocol permissions for active countermeasures.
    6. This recovery only represents about one-quarter of the stolen funds (approximately $70 million out of $292 million). The remaining funds are scattered across multiple chains, and issues such as over $100 million in bad debt on Aave remain unresolved.

Original Author: Deep Tide TechFlow

Last week, KelpDAO was hacked for nearly $300 million, marking the largest negative security incident in DeFi so far this year.

The stolen ETH is now scattered across multiple chains, with approximately 30,765 ETH remaining in an address on the Arbitrum chain, valued at over $70 million.

Just when it seemed this story was over, a new chapter emerged today.

According to on-chain security firm PeckShield's monitoring, the funds in the hacker's address on the Arbitrum chain were transferred out a few hours ago. Strangely, the funds were sent to a bizarre address that appears to be almost all zeros: 0x00000...

[Image: screenshot of the on-chain transfer from the hacker's Arbitrum address to the near-zero address]

Everyone was speculating: Did the hacker burn all the funds by sending them to a black hole address? Or did they have a change of heart or get recruited?

Neither.

A few hours ago, the Arbitrum official forum posted an emergency action notice explaining the situation. The hacker's funds were transferred by the Arbitrum Security Council.

The remarkable part is how it was done. The Arbitrum Council did not know the private key of the hacker's address, and it neither froze the hacker's funds nor held any built-in permission to transfer them. Instead, it issued a transfer instruction directly "in the hacker's name."

The hacker was unaware, the private key was not leaked, and the on-chain record appears as if the hacker performed the operation themselves.


The principle enabling this operation is that all cross-chain messages between Arbitrum and Ethereum must pass through a bridge contract called the Inbox. The Security Council used its emergency authority to temporarily upgrade this contract, adding a new function:

It can initiate cross-chain transactions in the name of any wallet address, but without needing that wallet's private key.

They then used this function to forge a message, with the sender field written as the hacker's wallet, and the content being "transfer all my ETH to the frozen address." The Arbitrum chain received it and executed it as usual, resulting in the bizarre scene captured in the on-chain transfer screenshot above.

After transferring the hacker's funds, the contract was immediately downgraded back to its original version. The upgrade, forgery, transfer, and restoration were all completed within a single Ethereum transaction. Other users and applications were completely unaffected.
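The sequence described above, reduced to a runnable toy model. This is an added illustration written for this article, not Arbitrum's own code: the contract names, addresses, the 9-of-12 council, the `send` interface and the "temporary implementation" are all assumptions, and the L2 is modelled as a plain balance table that executes whatever sender the Inbox reports. What the model shows is the trust boundary the article is pointing at: the L2 never checks a signature on bridge messages, so whoever can swap the Inbox implementation can speak for any address, and the upgrade, forged message and downgrade succeed or fail together.

```python
"""Toy model of an L1->L2 bridge trust boundary (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed placeholder values, not real on-chain data.
HACKER = "0xHACKER_PLACEHOLDER"   # attacker-controlled L2 address
FROZEN = "0x0000_FROZEN_PLACEHOLDER"  # council-controlled holding address
COUNCIL = "0xCOUNCIL_PLACEHOLDER"     # multisig that is the proxy admin
COUNCIL_MEMBERS = [f"member{i}" for i in range(12)]
THRESHOLD = 9                          # 9-of-12 as reported in the article
STOLEN_ETH = 30_765


@dataclass
class L2State:
    """Minimal L2: balances keyed by address. Bridge messages are trusted."""
    balances: Dict[str, int] = field(default_factory=dict)

    def apply_message(self, sender: str, to: str, amount: int) -> None:
        # No signature check here: authenticity is delegated to the L1 Inbox.
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class StandardInbox:
    """Normal implementation: the message sender must be the L1 caller."""
    name = "standard"

    def send(self, caller: str, sender: str, to: str, amount: int, l2: L2State) -> None:
        if caller != sender:
            raise PermissionError("sender must equal caller")
        l2.apply_message(sender, to, amount)


class EmergencyInbox:
    """Hypothetical temporary implementation: one trusted caller may set any sender."""
    name = "emergency"

    def __init__(self, trusted_caller: str) -> None:
        self.trusted_caller = trusted_caller

    def send(self, caller: str, sender: str, to: str, amount: int, l2: L2State) -> None:
        if caller != self.trusted_caller:
            raise PermissionError("only the upgrader may set an arbitrary sender")
        l2.apply_message(sender, to, amount)


class InboxProxy:
    """Upgradeable proxy: the admin can swap the implementation with no delay."""

    def __init__(self, impl, admin: str) -> None:
        self.impl, self.admin = impl, admin

    def upgrade_to(self, caller: str, new_impl) -> None:
        if caller != self.admin:
            raise PermissionError("not proxy admin")
        self.impl = new_impl

    def send(self, caller, sender, to, amount, l2) -> None:
        self.impl.send(caller, sender, to, amount, l2)


def council_execute(signers: List[str], members: List[str], threshold: int,
                    l2: L2State, proxy: InboxProxy, actions: List[Callable[[], None]]) -> None:
    """Run actions as one atomic transaction under an M-of-N signature check."""
    valid = set(signers) & set(members)
    if len(valid) < threshold:
        raise PermissionError(f"{len(valid)} signatures, {threshold} required")
    snapshot = (dict(l2.balances), proxy.impl)
    try:
        for act in actions:
            act()
    except Exception:
        # Simulate transaction revert: every step is undone, including the upgrade.
        l2.balances, proxy.impl = snapshot
        raise


def recover(signers: List[str]):
    """Upgrade, send 'as' the hacker, downgrade; returns (balances, impl name)."""
    l2 = L2State({HACKER: STOLEN_ETH})
    standard = StandardInbox()
    proxy = InboxProxy(standard, admin=COUNCIL)
    emergency = EmergencyInbox(trusted_caller=COUNCIL)
    actions = [
        lambda: proxy.upgrade_to(COUNCIL, emergency),
        lambda: proxy.send(COUNCIL, HACKER, FROZEN, STOLEN_ETH, l2),
        lambda: proxy.upgrade_to(COUNCIL, standard),
    ]
    council_execute(signers, COUNCIL_MEMBERS, THRESHOLD, l2, proxy, actions)
    return l2.balances, proxy.impl.name


def failed_recovery_leaves_no_trace():
    """If any step reverts, the temporary upgrade is rolled back with it."""
    l2 = L2State({HACKER: STOLEN_ETH})
    standard = StandardInbox()
    proxy = InboxProxy(standard, admin=COUNCIL)
    emergency = EmergencyInbox(trusted_caller=COUNCIL)
    actions = [
        lambda: proxy.upgrade_to(COUNCIL, emergency),
        lambda: proxy.send(COUNCIL, HACKER, FROZEN, STOLEN_ETH + 1, l2),  # fails
        lambda: proxy.upgrade_to(COUNCIL, standard),
    ]
    try:
        council_execute(COUNCIL_MEMBERS[:THRESHOLD], COUNCIL_MEMBERS, THRESHOLD, l2, proxy, actions)
    except ValueError:
        pass
    return proxy.impl.name, l2.balances[HACKER]


if __name__ == "__main__":
    print(recover(COUNCIL_MEMBERS[:THRESHOLD]))
```

Run as a script it prints the post-recovery balances and confirms the proxy is back on the standard implementation. The same model with eight signers raises before any state changes, and an ordinary caller going through the standard implementation cannot name anyone but itself as sender, which is exactly why the capability sits with whoever controls the proxy admin rather than with any user.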

This operation has no precedent in Arbitrum's history.

According to the forum announcement, the Security Council confirmed the hacker's identity with law enforcement beforehand, pointing to North Korea's Lazarus Group, the most active state-level hacker organization in the DeFi space this year. The Council conducted a technical assessment and ensured no impact on other users before taking action.

Since the hacker was in the wrong first, this move carries a bit of a "don't blame us for not playing by the rules" sentiment. As for the subsequent handling of the frozen ETH, it will go through Arbitrum's DAO governance vote and be coordinated with law enforcement.

Recovering over $70 million in stolen funds is certainly a good thing. However, the premise enabling this action is noteworthy: with signatures from 9 out of the 12 Security Council members, they can bypass all governance votes and upgrade any core on-chain contract with zero delay.

Praising the Outcome, Worrying About the Capability?

Currently, the community's reaction to this event is divided.

Some feel Arbitrum did a great job, protecting assets at a critical moment, which actually adds a bit of confidence in L2s. Others ask a very direct question: If 9 signatures can move any asset in anyone's name, can this still be called decentralization?

In the author's opinion, the two sides are not actually talking about the same thing.

The former is discussing the outcome, the latter the capability. The outcome of this event is undoubtedly positive—over $70 million in stolen funds was recovered. However, the capability demonstrated by Arbitrum this time—the multi-signature ability to modify contract functions—is neutral in itself. This time it was used to pursue a hacker; what it's used for in the future, whether it can be used, and how it's used, all depend on the governance of the committee.

However, for most people using Arbitrum, this debate matters less than another fact. Arbitrum is not unique: currently, almost all mainstream L2s retain similar emergency upgrade permissions.

The chain you use most likely also has a similar Security Council with similar capabilities. This is not a unique choice by Arbitrum; it's a common design for L2s at this stage.

Looking at it from another angle, this offensive and defensive battle actually reveals a larger picture.

The attacker was North Korea's Lazarus Group, attributed to at least 18 DeFi attacks since the beginning of this year. Just three weeks ago, they stole $285 million from Drift Protocol using a completely different method.

On one side, state-level hackers are constantly upgrading their attack methods; on the other, L2s are beginning to utilize underlying permissions to counterattack. The security war in DeFi is entering a new phase, moving beyond "post-incident freezing, on-chain announcements, praying for white hats to intervene."

In an extraordinary time, they forged a master key to open the hacker's address, then melted the key after the deed. Judging solely by this event, having the capability to respond to hacker attacks is not a bad thing.

And if we must elevate this to a philosophical discussion of "this is not decentralized at all," then there is much more to say. The crypto industry is no stranger to various centralized operations. This time, at least, it was handling a negative event and solving a problem, rather than creating one.

Looking back more pragmatically, KelpDAO lost $292 million, and only over $70 million was recovered, less than a quarter of the total. The remaining ETH is still scattered across other chains. Over $100 million in bad debt on Aave remains unresolved, and it's still unknown how much rsETH holders will recover.

Even though Arbitrum invoked god-like permissions, this battle is clearly far from over.
