Arbitrum pretended to be a hacker and "stole" back the money lost by KelpDAO.

Even though Arbitrum utilized god mode, this battle is clearly far from over.

Author: Deep Tide TechFlow

Last week KelpDAO was hacked and lost nearly 300 million dollars, making it the largest security incident in DeFi this year.

The stolen ETH is now scattered across multiple chains, with about 30,765 ETH remaining in an address on the Arbitrum chain, valued at over 70 million dollars.

This story was thought to be over, but today a sequel emerged.

According to monitoring by the on-chain security organization PeckShield, funds from the hacker's address on the Arbitrum chain were transferred a few hours ago. Strangely, however, the money was sent to a bizarre address that consisted almost entirely of zeros, 0x00000...

Everyone was guessing: did the hacker destroy the money by sending it to a black hole address themselves? Did they have a change of heart, or were they coerced?

Neither.

A few hours ago, the Arbitrum official forum posted an urgent action announcement explaining the situation. The hacker's funds were moved by Arbitrum's security council.

Remarkably, the Arbitrum council did not know the private key of the hacker's address, and it neither froze the hacker's funds nor had the authority to transfer them. Instead, it directly issued a transfer instruction "in the name of the hacker".

The hacker was unaware, the private key was not leaked, and the on-chain record looked as if the transfer had been performed by the hacker themselves.

The principle behind this operation is that all cross-chain messages between Arbitrum and Ethereum must go through a bridge contract called Inbox. The security council utilized emergency authority to temporarily upgrade this contract, adding a new function:

Issue cross-chain transactions in the name of any wallet address, but without needing the private key of that wallet.

They then used this function to spoof a message, with the sender being the hacker's wallet, and the content being "Transfer all my ETH to the frozen address". Upon receiving this, the Arbitrum chain executed it as usual, leading to the bizarre scene shown in the screenshot of on-chain transfers above.

After transferring the hacker's funds, the contract was immediately downgraded back to its original version. The upgrade, spoofing, transfer, and restoration were all completed in a single Ethereum transaction. Other users and applications were not affected at all.
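A monitoring-side sketch of the pattern described above (an implementation swapped in and restored inside one transaction), added here as an example and not taken from Arbitrum or the original article. It assumes the bridge contract is an upgradeable proxy that emits an `Upgraded` event on each implementation change; the log records, addresses and the `classify_upgrades` name are constructed.

```python
from collections import defaultdict

# Constructed sample: decoded event logs in chain order. All addresses and
# transaction ids are placeholders, not values from the incident.
SAMPLE_LOGS = [
    {"tx": "0xtx01", "log_index": 4, "proxy": "0xINBOX", "event": "Upgraded", "implementation": "0xIMPL_V1"},
    {"tx": "0xtx01", "log_index": 2, "proxy": "0xINBOX", "event": "Upgraded", "implementation": "0xIMPL_TEMP"},
    {"tx": "0xtx01", "log_index": 3, "proxy": "0xINBOX", "event": "OtherEvent", "implementation": None},
    {"tx": "0xtx02", "log_index": 0, "proxy": "0xOTHER", "event": "Upgraded", "implementation": "0xOTHER_V2"},
]

# Implementation each watched proxy is expected to point at before the logs start.
BASELINE = {"0xINBOX": "0xIMPL_V1", "0xOTHER": "0xOTHER_V1"}


def classify_upgrades(logs, baseline):
    """Flag implementation changes per transaction.

    'transient'  = changed and restored inside one transaction, so the
                   proxy looks untouched if only its end state is compared.
    'persistent' = the proxy ends the transaction on a new implementation.
    """
    current = dict(baseline)
    by_tx = defaultdict(list)          # dict order keeps the chain order of txs
    for log in logs:
        by_tx[log["tx"]].append(log)

    findings = []
    for tx, tx_logs in by_tx.items():
        seqs = defaultdict(list)       # proxy -> implementations in log order
        for log in sorted(tx_logs, key=lambda l: l["log_index"]):
            if log["event"] == "Upgraded":
                seqs[log["proxy"]].append(log["implementation"])
        for proxy, seq in seqs.items():
            start, end = current.get(proxy), seq[-1]
            if end != start:
                kind = "persistent"
                current[proxy] = end
            elif any(impl != start for impl in seq):
                kind = "transient"
            else:
                continue               # re-upgrade to the same code: no change
            findings.append({"tx": tx, "proxy": proxy, "kind": kind,
                             "before": start, "after": end,
                             "intermediate": [i for i in seq[:-1] if i != end]})
    return findings
```

A monitor that only compares a proxy's implementation slot between blocks would report nothing for the first sample transaction; replaying the events in log order is what exposes the temporary implementation.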

This operation has no precedent in Arbitrum's history.

According to the forum announcement, the security council had confirmed the hacker's identity in advance with law enforcement, pointing to North Korea's Lazarus Group, the most active state-sponsored hacking organization in the DeFi space this year. The council performed a technical assessment to ensure it wouldn't affect other users before acting.

Since the hacker's wrongdoing was established, the move carries something of a "don't blame us for not playing by the rules" attitude. As for how the frozen ETH will be handled afterward, that will go through an Arbitrum DAO governance vote, in coordination with law enforcement.

Recovering over 70 million dollars of stolen funds is certainly a good thing. However, it is worth noting the prerequisite for accomplishing this: 9 out of the 12 members of the security council can bypass all governance votes and upgrade any core contract on-chain with zero delay.

Praise the result, worry about the capability?

Currently, the community's reaction to this matter is very divided.

Some people think Arbitrum did a great job, protecting assets at a critical moment, and that it has actually given them some confidence in L2. Others posed a very direct question: if 9 people's signatures can move any assets in anyone's name, is this still decentralized?

The author believes that the two sides are not actually discussing the same issue.

The former is talking about the outcome, while the latter is discussing the capability. The outcome of this matter is certainly positive: over 70 million of the stolen funds have been recovered. But the ability Arbitrum demonstrated, altering contract functions through multi-signature, is neutral. Whether it is used to chase hackers, what else it can be used for, and how it might be used all depend on the governance of the council.

However, for most people using Arbitrum, this discussion might not be as practical as another fact. Arbitrum is not special; currently, almost all mainstream L2s retain similar emergency upgrade permissions.

The chain you are using likely has a similar security council with similar capabilities. This is not a choice unique to Arbitrum; at this stage it is a common design among L2s.

From another perspective, this incident actually exposed a larger picture.

The attacker is North Korea's Lazarus Group, to which at least 18 DeFi attacks have been attributed so far this year. Just three weeks ago, they stole 285 million dollars from Drift Protocol, employing a completely different method.

On one side, there are state-sponsored hackers continually escalating their attack methods, while on the other side, L2s are beginning to utilize underlying permissions to retaliate. The security war in DeFi is shifting from "post-event freezing, shouting on-chain, praying for white hats to intervene" to a new phase.

In a time of crisis, a master key was created to unlock the hacker's address, and once the job was done, the key was melted down. Just based on this incident, having the capability to respond to hacker attacks is not a bad thing.

And if one must elevate this to a philosophical discussion about "not being decentralized at all," there is so much more that could be said. There are numerous centralized operations in the crypto industry; this time, at least, it was about addressing a negative event and solving a problem, rather than creating negative events.

Looking back pragmatically, 292 million was stolen from KelpDAO and 70 million has been recovered, which is less than a quarter of the total. The remaining ETH is still scattered across other chains, over 100 million dollars in bad debts on Aave are still unsettled, and how much rsETH holders can recover is still unknown.

Even though Arbitrum utilized god mode, this battle is clearly far from over.
