Arbitrum Freezes 30,766 ETH Worth $71.2M in Kelp Hack Probe, Sparking Decentralization Debate

Arbitrum's Security Council took emergency action to freeze 30,766 ETH (approximately $71.2 million) linked to the KelpDAO exploit. The move triggered intense debate within the crypto community about whether Layer 2 networks can truly claim to be decentralized.

«The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter's identity, and, at all times,…» — Arbitrum (@arbitrum), original post

According to the announcement, the council coordinated with law enforcement agencies that have information about the hacker's identity. The freeze did not affect other users or applications on the network. Stolen funds were moved to an interim frozen wallet, and the original address no longer has access. Only project governance can now move the assets, with legitimate owners set to receive their funds after coordination.

Why This Matters

The emergency freeze raises a fundamental question for the entire blockchain industry: where should the line between security and decentralization be drawn? When a council of 12 individuals can block tens of millions of dollars, users have legitimate concerns about how L2 solutions align with blockchain's core principles. Meanwhile, the Kelp incident exposed systemic DeFi risks — Aave's bad debt could reach hundreds of millions, and the platform's TVL already dropped by $6.28 billion as large players rushed to withdraw.

Decentralization Under Fire

Arbitrum's decision immediately divided the community. Many users questioned the network's decentralized credentials.

«so a council can just freeze 30k eth and we're still calling this decentralized?» — Sandy.ETH (@david_lee2085), original post

The situation also became fodder for memes. Nozomi posted «is it truly decentralised???» — original post.

Security Council member Griff Green responded to the criticism, acknowledging the difficulty of the decision.

«I'm a member of the Security Council & I can tell you we did not make this decision lightly, there were countless hours of debates, technical, practical, ethical and political. But all it takes for evil to triumph is for good men to do nothing, so today, we decided to do…» — Griff Green — griff.eth (@griffgreen), original post

Green clarified that the vote was not unanimous — nine out of 12 council members supported the freeze.

Aave's Bad Debt: Two Scenarios

Aave emerged as one of the primary casualties of the exploit. Lookonchain reported that the incident left a roughly $195 million hole in Aave's balance sheet. Risk management specialist LlamaRisk outlined two potential scenarios for how the bad debt could unfold.

«Update on rsETH incident: @LlamaRisk has published a report outlining the rsETH incident, the immediate actions taken, its impact on Aave, and potential paths forward. All service providers have been working to assess the two potential bad debt scenarios on the Aave protocol.…» — Aave (@aave), original post

Scenario 1: Losses are distributed among all rsETH holders across Ethereum mainnet and L2 networks. Under this scenario, Aave's deficit would be approximately $123.7 million, and rsETH could depreciate by 15% against ETH. LlamaRisk noted that wETH would «absorb the bulk in absolute terms but barely notice it relative to its reserve depth.» Aave's Umbrella safety model is designed to cover such losses — 18,922 aWETH (~$43.7 million) have already completed their cooldown phase.

Scenario 2: The entire shortfall concentrates on Layer 2 networks (Arbitrum, Mantle). In this case, bad debt would climb to $230.1 million. LlamaRisk pointed out that Aave's treasury holds approximately $181 million in reserves that could be deployed to cover potential losses.

Following the hack, large players began aggressively withdrawing from Aave, causing TVL to plummet from $26.396 billion to $20.114 billion — a $6.28 billion decline. Among those who pulled funds were exchange MEXC and investment firm Abraxas Capital.

Kelp Points Finger at LayerZero

Kelp released preliminary findings from its investigation, placing blame on LayerZero. LayerZero had previously stated the exploit resulted from Kelp's use of a 1/1 DVN configuration. Kelp countered that this configuration is documented in LayerZero's own documentation and serves as the default for any new OFT deployment. The protocol has been operating on LayerZero's infrastructure since January 2024. According to Kelp's developers, the standard DVN configuration was «approved as meeting requirements» when the protocol expanded to L2. LayerZero had not responded to these claims at the time of publication.

Justin Sun's Offer to the Hacker

TRON founder Justin Sun reached out directly to the Kelp hacker, proposing negotiations. He urged the attacker to name their price and enter a dialogue with KelpDAO's involvement, arguing that spending $300 million would be impossible anyway.

Sun's motivations remain unclear, but addresses tied to his HTX exchange had previously transferred hundreds of millions to Aave. According to Protos, as of December 2025, more than $1.4 billion in USDT reserves from the platform were deposited in Aave's lending pools.

On-chain analyst EmberCN noted that wallets affiliated with the TRON founder were actively withdrawing USDT from the lending protocol after operations were paused. One wallet executed five transactions totaling $274 million in USDT, completely closing out its stablecoin position on the platform.

Dragonfly partner Haseeb Qureshi expressed confidence that the current risks do not pose a systemic threat to DeFi. He argued that Aave and similar protocols have sufficient capital to absorb bad debts, recalling that DeFi has already survived the Terra collapse, broken auctions in 2020, and the stETH depeg in 2022 — emerging stronger each time.