Original author: TechFlow
Last week, KelpDAO was hacked for nearly $300 million, the largest DeFi security incident so far this year.
The stolen ETH is now scattered across several chains; about 30,765 ETH, worth over $70 million, sat in one address on Arbitrum.
I thought the story was over, but today it got a sequel.
According to on-chain security firm PeckShield, the funds in the hacker's Arbitrum address were moved out a few hours ago. Oddly, the destination was an address made up almost entirely of zeros, 0x00000...

At the time, everyone was guessing: had the hacker sent everything to a burn address and destroyed it? Had he had a change of heart, or been turned?
Neither.
A few hours ago an emergency action notice appeared on the official Arbitrum forum explaining what happened: the hacker's funds were moved by Arbitrum's Security Council.
What is surprising is how. The Council did not have the hacker's private key, did not freeze the funds, and has no standing authority to move anyone's balance. Instead, it issued a transfer instruction "in the hacker's name."
The hacker was not involved, no private key leaked, and the on-chain record looks exactly as if the hacker had sent the transfer himself.

The principle behind the operation: every message sent from Ethereum into Arbitrum must pass through a bridge contract on Ethereum called the Inbox. The Security Council used its emergency powers to temporarily upgrade that contract, adding one new capability:
a cross-chain message could be submitted with any wallet address as its sender, without that wallet's private key.
Using it, the Council forged a message whose sender was the hacker's wallet and whose content was, in effect, "transfer all my ETH to the freeze address." Arbitrum has no independent way to verify who sent an L1 message; the sender field is whatever the Inbox says it is. So the chain received the message and executed it as usual, producing the bizarre transfer shown in the screenshot above.
As soon as the message was submitted, the contract was reverted to its original implementation. Upgrade, forgery and restoration were completed within a single Ethereum transaction, and Arbitrum processed the resulting transfer like any other deposit message. No other user or application was affected.
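To make the trust relationship concrete, here is an added toy model of the manoeuvre described above. It is not Arbitrum's code and not from the original article: the inbox, proxy, L2 and every address in it are invented for illustration. The point it shows is that the L2 side executes whatever sender the L1 inbox emits, so whoever can swap the inbox implementation can attribute a message to any address, and a batched upgrade-forge-restore leaves the normal implementation in place afterwards.

```python
# Hypothetical model of an L1->L2 inbox with an emergency upgrade path.
# Not Arbitrum's Inbox/Bridge; all names and addresses are constructed.
from dataclasses import dataclass

WEI = 10**18


@dataclass(frozen=True)
class L1Message:
    """A message crossing from L1 to L2. The L2 treats `sender` as msg.sender."""
    sender: str
    to: str
    value: int


class L2Chain:
    """The L2 side: executes what the L1 inbox emits, trusting its sender field.
    It cannot distinguish a genuine sender from one the inbox chose to write."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.executed = []

    def process(self, msg: L1Message) -> None:
        if self.balances.get(msg.sender, 0) < msg.value:
            raise ValueError("insufficient L2 balance for sender")
        self.balances[msg.sender] -= msg.value
        self.balances[msg.to] = self.balances.get(msg.to, 0) + msg.value
        self.executed.append(msg)


class InboxV1:
    """Normal inbox: the L2 sender is always the L1 caller (invented semantics)."""

    def send(self, caller: str, to: str, value: int) -> L1Message:
        return L1Message(sender=caller, to=to, value=value)


class InboxV2Emergency(InboxV1):
    """Temporary implementation: one privileged address may choose the sender."""

    def __init__(self, privileged: str):
        self.privileged = privileged

    def send_as(self, caller: str, sender: str, to: str, value: int) -> L1Message:
        if caller != self.privileged:
            raise PermissionError("only the privileged address may set the sender")
        if value <= 0:
            raise ValueError("nothing to move")
        return L1Message(sender=sender, to=to, value=value)


class InboxProxy:
    """Upgradeable proxy in front of the inbox; `owner` can swap implementations."""

    def __init__(self, owner: str, impl: InboxV1):
        self.owner = owner
        self.impl = impl

    def upgrade(self, caller: str, impl: InboxV1) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may upgrade")
        self.impl = impl


def emergency_recovery(proxy: InboxProxy, council: str, target: str,
                       freeze_addr: str, value: int) -> L1Message:
    """Upgrade, forge one message from `target`, restore. Modelled as one atomic
    L1 transaction: the original implementation is put back even on failure."""
    original = proxy.impl
    proxy.upgrade(council, InboxV2Emergency(privileged=council))
    try:
        return proxy.impl.send_as(council, sender=target, to=freeze_addr, value=value)
    finally:
        proxy.upgrade(council, original)  # restoration runs even if send_as raises


def demo():
    # Constructed addresses and balances; the freeze address mimics the
    # near-all-zero destination seen in the incident.
    council, hacker = "0xCouncil", "0xHacker"
    freeze = "0x0000000000000000000000000000000000000001"
    alice, bob = "0xAlice", "0xBob"
    l2 = L2Chain({hacker: 30_765 * WEI, alice: 5 * WEI})
    proxy = InboxProxy(owner=council, impl=InboxV1())

    # Normal traffic: whoever calls the inbox is the sender the L2 sees,
    # and the normal implementation has no impersonation entry point at all.
    l2.process(proxy.impl.send(alice, bob, 1 * WEI))
    assert not hasattr(proxy.impl, "send_as")

    # The emergency manoeuvre: the forged message names the hacker as sender,
    # and the L2 executes it exactly like any other inbox message.
    msg = emergency_recovery(proxy, council, hacker, freeze, 30_765 * WEI)
    l2.process(msg)
    return l2, proxy, msg


if __name__ == "__main__":
    chain, inbox, forged = demo()
    print(forged, chain.balances, type(inbox.impl).__name__)
```

Two checks worth keeping in mind when reading the model: the L2 accepts the forged message only because it trusts the inbox's sender field (there is no signature from the hacker anywhere), and after the call the proxy points at the plain `InboxV1` again, so ordinary users never see the impersonation path.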
This operation was unprecedented in Arbitrum's history.
According to the forum announcement, the Security Council had previously confirmed the hackers' identities with law enforcement, pointing to the Lazarus Group in North Korea, the most active state-sponsored hacking group in the DeFi space this year. The Council conducted a technical assessment to ensure that it would not affect other users before taking action.
Since the hacker struck first, the tactic amounts to "don't blame us for playing rough." What happens to the frozen ETH now will require a vote by the Arbitrum DAO and coordination with law enforcement.
Recovering over $70 million in stolen funds is certainly good news. But the precondition is worth noting: with the signatures of 9 of the 12 Security Council members, every governance vote and timelock can be bypassed, and any core contract on the chain can be upgraded with zero delay.
Praise the results, worry about the ability?
Currently, the community's reaction to this matter is very divided.
Some people thought Arbitrum did a great job protecting assets at a critical moment, which actually increased their confidence in L2. Others asked a very direct question: If nine people can sign off on any asset in anyone's name, is that still decentralization?
In my opinion, the two sides are not actually talking about the same thing.
The former is talking about the outcome, the latter about the capability. The outcome here is plainly good: over $70 million in stolen funds recovered. But Arbitrum's demonstrated ability to rewrite contract logic through a multisig is neutral in itself. Whether it is used to chase a hacker, as it was here, what else it might be used for in future, and whether and how it gets used at all, all come down to the Council's governance.
For most Arbitrum users, though, another fact may matter more than this debate: Arbitrum is not unique. Almost every mainstream L2 today retains a similar emergency upgrade power, so the chain you are using most likely has a security council with comparable capabilities. It is not a choice peculiar to Arbitrum but a design common to L2s at this stage.
From another perspective, this offensive and defensive maneuver actually revealed a much larger picture.
The attacker was North Korea's Lazarus Group, which has been implicated in at least 18 DeFi attacks this year. Just three weeks ago, they stole $285 million from Drift Protocol using a completely different method.
On one side, state-level hackers keep upgrading their attack methods; on the other, L2 operators are beginning to use their underlying privileges to strike back. DeFi security is moving from "freeze after the fact, post an on-chain notice, and pray for a white hat" into a new phase.
In the critical window, Arbitrum forged a master key to the hacker's address, used it once, and then melted it down. Judged on this incident alone, its handling of the attack was not bad.
If one insists on elevating this to a philosophical debate about "not being decentralized at all," there is plenty to say. The crypto industry has no shortage of centralized practices; at least this time the power was used to clean up a disaster rather than to create one.
Realistically, KelpDAO lost $292 million and has recovered only a little over $70 million, less than a quarter. The remaining ETH is scattered across other chains, the more than $100 million in bad debt on Aave is still unresolved, and how much rsETH holders will get back remains unknown.
Even with Arbitrum wielding god-mode powers, this battle is clearly far from over.