The Security Council of the L2 network Arbitrum has taken "emergency measures" by freezing 30,766 ETH (approximately $71.2 million) that were stolen from the Kelp protocol.

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…

— Arbitrum (@arbitrum) April 21, 2026

“The team acted with consideration of law enforcement's opinion regarding the identity of the hacker and consistently took into account its obligations to ensure the safety and integrity of the community, without affecting users or applications,” the statement said.

The funds have been sent to a "temporary frozen wallet." The original address no longer has access to them; only the project management can move the assets now.

Legitimate owners will receive their coins after an agreement is reached.

On April 21, 2026, on-chain detective ZachXBT reported that the hacker behind the Kelp breach began laundering the stolen funds. The perpetrator converted approximately $1.5 million worth of Ethereum into Bitcoin via THORChain and another $78,000 through the Umbra protocol.

Meanwhile, PeckShield reported a movement of $176 million through THORChain, Umbra, Chainflip, and BitTorrent.

Analyst EmberCN added that after Arbitrum's freeze, the cybercriminal withdrew about 75,700 ETH (around $175 million) from Ethereum, including small transactions via Umbra.

Decentralization Disputes

The freezing of cryptocurrency is a contentious issue. Opponents argue that it contradicts the spirit of the technology, while supporters believe that blocking crime-related funds strengthens the security and integrity of the blockchain.

Many users criticized Arbitrum's actions and questioned the decentralization of the network.

so a council can just freeze 30k eth and we’re still calling this decentralized?

— Sandy.ETH (@david_lee2085) April 21, 2026

“So some council can just freeze 30,000 ETH, and we’re still calling this decentralization?” wrote a user under the nickname Sandy.ETH.

The situation also became a source of jokes.

is it truly decentralised??? pic.twitter.com/wxHCRP3QWa

— Nozomi (@NozomiNetwork) April 21, 2026

Griff Green, a member of the Arbitrum Security Council, responded to community complaints. He stated that the decision was not made lightly, and all participants spent "countless hours" discussing the freeze from technical, practical, ethical, and political perspectives.

I'm a member of the Security Council & I can tell you we did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political.

But all it takes for evil to triumph is for good men to do nothing, so today, we decided to do… https://t.co/tArbmXwZKN

— Griff Green — griff.eth (@griffgreen) April 21, 2026

Green emphasized that not all council members voted for the asset freeze; nine out of twelve members supported it.

Irrecoverable Debt for Aave

One of the victims of the Kelp hack was Aave. Earlier, Lookonchain reported that the incident left the protocol with a "hole" in its balance of approximately $195 million.

A risk management specialist from the lending platform LlamaRisk described two potential scenarios for how the irrecoverable debt could impact the ecosystem.

Update on rsETH incident: @LlamaRisk has published a report outlining the rsETH incident, the immediate actions taken, its impact on Aave, and potential paths forward.

All service providers have been working to assess the two potential bad debt scenarios on the Aave protocol.…

— Aave (@aave) April 20, 2026

The first scenario involves distributing losses among all rsETH holders on the Ethereum mainnet and L2 solutions. In this case, the "hole" in Aave's balance would be about $123.7 million, and rsETH could depreciate by 15% against the leading altcoin.

LlamaRisk noted that in this scenario, losses would be distributed more evenly across all blockchains. wETH would "absorb most of the absolute losses but would hardly notice it relative to the depth of its reserves."

Aave has a tool—the Umbrella security model—to cover losses in wETH. 18,922 aWETH (approximately $43.7 million) have already completed the cooling phase and are ready for withdrawal from staking.

The second scenario places the entire deficit on the second layer (Arbitrum, Mantle). In this case, the irrecoverable debt would reach $230.1 million.

LlamaRisk noted that Aave has about $181 million in its treasury; these reserves can be used to cover potential deficits.

Recently, Kelp announced that it is continuing to assess the damage from the hack and the possibilities for safely resuming protocol operations.

https://t.co/APBgpyA10x

— Kelp (@KelpDAO) April 20, 2026

Dragonfly partner Haseeb Qureshi believes that the current risks do not threaten the DeFi sector. He argues that Aave and similar protocols have enough capital to cover irrecoverable debts.

DeFi learns through failures. Whether it's from the collapse of Terra, broken auctions during Black Friday in 2020, or the stETH depeg in 2022, it has failed over and over again—but with every failure, it improves.

People talk all sorts of shit about this, but it's no different…

— Haseeb >|< (@hosseeb) April 20, 2026

“DeFi learns from mistakes. Whether it’s the collapse of Terra, auction failures during Black Friday 2020, or the stETH depeg in 2022—every failure makes the ecosystem better. […] DeFi is here to stay,” the expert wrote.

Blame on LayerZero

The Kelp team also shared initial findings from the hack investigation. Developers shifted the blame to LayerZero, which previously stated that the hack was due to the project's use of a 1/1 DVN configuration.

“The 1/1 scheme is described in LayerZero's documentation and is used by default for any new deployment of OFT. We have been working on their infrastructure since January 2024 and have maintained communication throughout this time,” Kelp noted.

Protocol representatives added that the issue of configuring DVN was raised during the expansion to L2. They stated that the standard configuration was "approved as compliant with requirements."

As of this writing, LayerZero has not responded to Kelp's statements.

Justin Sun's Proposal

TRON founder Justin Sun reached out to the Kelp hackers, urging them to negotiate.

OK — Kelpdao hacker, how much you want? Let’s just talk. With KelpDAO’s help, of course. It’s simply not worth it to sacrifice both Aave and KelpDAO and let them go down over this hack. You can’t spend $300 million anyway.

— H.E. Justin Sun 👨‍🚀 🌞 (@justinsuntron) April 19, 2026

“Hacker, how much do you want? Let’s talk. With Kelp's involvement, of course. It’s not worth sacrificing both Aave and Kelp, allowing them to collapse due to this hack. You can’t spend $300 million anyway,” he wrote.

Sun's motives remain unclear. However, addresses associated with his exchange HTX transferred hundreds of millions to Aave. According to Protos, as of December 2025, over $1.4 billion in USDT reserves were lent on Aave.

On-chain analyst EmberCN also noted that wallets affiliated with the TRON founder actively withdrew USDT from the lending protocol after operations were suspended.

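In addition, in the early hours of the morning, in order to get back the 17,400 ETH he had deposited on Aave, he sold the deposit receipts (aEthWETH) directly for ETH via a swap, losing 310 ETH ($720,000). That is a discount of 1.8%.

He then deposited the ETH he got back into Spark. https://t.co/NCZnNhezwY

PS: Because Aave still has WETH withdrawals paused, to get ETH out of Aave… https://t.co/HT9JouZ5C pic.twitter.com/4Q0FO2eAhB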

— 余烬 (@EmberCN) April 21, 2026

“[…] the wallet conducted five transactions, withdrawing a total of $274 million in USDT and completely closing its position in stablecoins on the platform,” the expert noted.

Among other major players withdrawing funds from Aave were the MEXC exchange and investment firm Abraxas Capital.

Due to the KelpDAO exploiter borrowing over 82,600 $ETH ($195M) from #Aave using $RSETH as collateral, bad debt has appeared on #Aave.

Many whales have withdrawn funds from #Aave, causing its TVL to drop from $26.396B to $20.114B — a decline of $6.28B.

Major withdrawals… pic.twitter.com/rhN28AMul9

— Lookonchain (@lookonchain) April 19, 2026

It’s worth noting that in April, attackers also compromised the ENS gateway eth.limo and the cloud provider Vercel.