Legal briefing | |

DeFi exploits, on-chain interventions, and the private key: Recent developments in crypto-asset recovery

DeFi exploits, on-chain interventions, and the private key: Recent developments in crypto-asset recovery

Overview

We recently saw two of the largest DeFi exploits of 2026 within just 18 days: the approximately US$285 million breach of the Drift Protocol on Solana on 1 April[1] and the approximately US$292 million exploit from Kelp DAO on 18 April[2]. While the attack methods differed, a common theme was that neither were "hacks" in the straightforward sense of exploits of computer code; rather each attack exploited points of weakness within the governance structures around each DeFi application.  

DeFi – short for "Decentralised Finance", it describes financial services and applications built on permissionless blockchain networks, in contrast to "TradFi" ("Traditional Finance") based on centralised intermediaries and legacy systems.  Key characteristics of DeFi include permissionless access, disintermediation, transparency and reliance on smart-contracts in place of legal obligations.  See our previous article on smart-contracts.

That said, the focus of this article is on one of the key developments in the aftermath of the Kelp exploit.  As part of the recovery efforts, the Security Council for Arbitrum, a Layer-2 network built on top of Ethereum, took the surprising and perhaps controversial decision to freeze and move approximately 30,766 ETH of traceable proceeds of the attack without the attackers' private keys[3].

This article examines the background facts, recovery efforts (with a particular focus on Kelp), the mechanics of the Arbitrum intervention, the implications for the popular mantra "not your keys, not your coins", and the broader ramifications for crypto-asset enforcement and recovery.

A Layer-2 network is a secondary blockchain or protocol constructed on top of a base Layer-1 blockchain. Its primary purpose is to enhance scalability, accelerate transaction processing, and lower "gas" fees, while inheriting the security and decentralization of the underlying Layer-1 chain. Layer-2 solutions achieve this by processing transactions off the main chain—often through batching—and periodically submitting compressed data or cryptographic proofs back to Layer-1 for final inclusion in the blockchain's records.

  1. Anatomy of two DeFi exploits
  2. Recovery plans
  3. The Arbitrum intervention
  4. Implications for "not your keys, not your coins"
  5. What it means for crypto-asset enforcement and recovery

Now Reading

Anatomy of two DeFi exploits

The Drift Protocol

On 1 April 2026, the Drift Protocol, Solana's leading decentralised perpetual futures exchange, saw approximately US$285 million of crypto-assets drained from its vaults in twelve minutes. The root cause was not a smart-contract vulnerability but a sophisticated and targeted social engineering plot.  The attackers posed as a quantitative trading firm, met Drift contributors in person at conferences across multiple jurisdictions, and even deposited over US$1 million of their own capital to build trust.  Through various steps[4], they effectively obtained the DeFi equivalent of a pre-signed, "blank cheque"[5] from the Drift Protocol's Security Council, who had the administrative rights under the smart-contract code and protocol to do this. 

With administrative privileges secured, the attackers introduced a worthless “CarbonVote Token” (CVT), artificially inflated its oracle price through manipulated liquidity and wash-trading on Raydium, listed it as collateral on Drift, removed withdrawal limits, and executed 31 rapid withdrawals of real assets (USDC, SOL, JLP, WBTC and others). The entire drain collapsed Drift’s total value locked (TVL) from approximately $550 million to under $300 million. Misappropriated assets were quickly bridged to Ethereum and laundered, triggering contagion spreading across more than twenty Solana protocols.

Kelp DAO

Less than three weeks later, on 18 April 2026, Kelp DAO's rsETH (re-staked ETH) cross-chain bridge was exploited for 116,500 of unbacked rsETH, worth approximately US$292 million. Staked ETH (stETH) is a liquid token representing ETH that is staked (and therefore locked), so that it can be used as, for example, collateral. Re-staked ETH is the equivalent liquid token for staked ETH. rsETH's cross-chain liquidity relied on LayerZero’s messaging protocol, whose security depended on a Decentralised Verifier Network ("DVN") of nodes attesting to inbound messages. The protocol for rsETH had been configured with a single-DVN setup (that is, only one verifier required to verify and attest to the validity of messages), which created a single point of failure.

A cross-chain bridge is a protocol that enables the transfer of crypto-assets between two or more independent blockchain networks. Bridges allow users to move crypto-assets from one chain to another—or, more precisely, their underlying value—typically through mechanisms such as locking assets on the source chain and minting equivalent representations on the destination chain. While these solutions play a vital role in facilitating interoperability across otherwise siloed blockchain systems, thereby enhancing blockchain utility and liquidity, they can be the target of exploits, as demonstrated by the Kelp attack.

Staking is the process by which participants lock (or "stake") their crypto-assets in a Proof-of-Stake (PoS) blockchain protocol (such as Ethereum) to help secure the network. By committing capital as collateral, stakers become validators or delegate to validators, who propose and validate new blocks, maintain consensus, and finalise transactions. This mechanism secures the network economically: validators have skin in the game, so malicious actions (such as double-signing or prolonged downtime) can result in the slashing of their staked tokens. In return, participants typically earn staking rewards in the form of newly issued tokens or transaction fees.

In short[6], the attackers successfully obtained a single verification for a fake cross-chain message to say that there were sufficient backing assets (i.e. stETH) on the other chain to obtain the rsETH (roughly 18% of circulating supply) in question.  The misappropriated rsETH was then deposited as collateral on Aave V3 (and other DeFi lending protocols, including Compound and Euler), enabling the attackers to borrow approximately US$236 million in real Wrapped ETH[7], which were now "backed" by the tainted rsETH obtained through the attack.

Both exploits underscored recurring themes: privileged-access compromise (administrative rights in Drift; verifier infrastructure in Kelp) and the fragility of cross-chain messaging protocols. Neither was a classic smart-contract vulnerability; both exploited human and operational layers around the smart-contract code.

Recovery plans

As at the time of writing (end of April 2026), the immediate focus and response have been to create recovery funds.  In relation to Drift, on 16 April 2026, Tether announced a US$127.5 million commitment (as part of a broader package) to fund a revenue-linked recovery pool, under which impacted users are to receive transferable recovery tokens representing a claim against the pool[8].

In response to Kelp, leading DeFi participants have coalesced around the "DeFi United"[9] relief fund, which had already secured over US$300 million by 30 April 2026, with significant contributions from Mantle and the Aave DAO (approximately 55,000 ETH in total), together with personal contributions from Aave founder Stani Kulechov, Lido, Ether.fi, Ethena, and over a dozen other prominent protocols.

Notably, however, a portion of the proceeds of the Kelp exploit—30,766 ETH worth approximately US$71 million—was bridged to Arbitrum. 

The Arbitrum intervention

On 21 April 2026, the Arbitrum Security Council[10] executed an upgrade of the Layer-1 Ethereum contract governing Arbitrum’s Inbox[11]. The upgrade added a temporary function, which imitated the structure of a standard transaction with the ability to impersonate the transaction sender, without signing the transaction with the private key. Once this transaction was executed to move the tokens from the attacker's address to an Arbitrum DAO[12]-governed address, the upgrade was immediately reverted in the same atomic transaction. The entire sequence occurred in one Ethereum block with no Layer-2 downtime, no chain split, and no user notice beyond on-chain observation[13].

Simply put: the ETH in the attacker-controlled address was moved without the use of the private key.

A member of the Arbitrum Security Council stated that it acted after "countless hours of debates, technical, practical, ethical and political" deliberation, with input from law enforcement[14]. The funds are now held in an address accessible only through further Arbitrum DAO governance action.  A "Constitutional Arbitrum Improvement Proposal" has been put forward by Aave Labs, KelpDAO, LayerZero, EtherFi and Compound regarding how those funds should be used[15]

An atomic transaction is a sequence of operations on a blockchain that executes as a single, indivisible unit.  The transaction must either execute in its entirety or not at all. Should any single component of the transaction fail, the protocol automatically reverts the ledger to its prior state, ensuring no partial or incomplete exchange is recorded. Such a transaction can be used, for example, to reduce, or even eliminate, settlement risk in a financial transaction.

Implications for "not your keys, not your coins"

The phrase "not your keys, not your coins" has long encapsulated the cypherpunk ideal of self-custody of crypto-assets and protocol-level immutability of blockchains. For this reason, terms such as "sovereign" and "bearer" are used by many to describe the essential nature of crypto-assets.  However, the Arbitrum intervention is arguably the latest challenge to those ideals, for better or for worse.

The seized assets were held in an externally owned account on Arbitrum—technically under the attacker’s private-key control—yet they were moved without that key. The power to do so derived not from the private keys but from Arbitrum's mutable governance structure, enforced through smart-contracts deployed on Ethereum.

The standard "playbook" so far in relation to crypto-asset recovery, certainly in the English courts but no doubt replicated elsewhere too, has been to trace misappropriated assets on-chain and to intercept them at the point at which they enter a custodial wallet controlled by a third-party, such as a crypto exchange or a custodian. However, as we previously wrote in "The endgame: issues in enforcement against cryptoassets" (2022) 8 JIBFL 545 (https://www.traverssmith.com/knowledge/knowledge-container/the-endgame-issues-in-enforcement-against-cryptoassets/ ), where victims are not so lucky and assets remain in non-custodial wallets, the hard challenge for victims of crypto fraud is enforcement and recovery without the private key.

Tulip Trading[16] (on which we acted) was probably the most ambitious case before the English courts in seeking vindication of a party's proprietary rights in crypto-assets.  The claimant there sought to establish that Bitcoin Core developers owed fiduciary and/or tortious duties of care to owners of inaccessible or stolen Bitcoin, due to their (allegedly) exercising a sufficient degree of control over the network's code and protocol. As the Court of Appeal ruled (at a summary stage, ruling only on whether there was a "serious issue to be tried"), it ultimately comes down to the question of how much control someone exerts over a given protocol or code.  Arguably, Bitcoin is the most "decentralised" of all blockchains, with no active founder(s) currently involved with the project. While it is technically possible to change even Bitcoin's code and/or protocol, there are practical challenges and high costs – not only financial but, perhaps more importantly, social costs – of doing so. 

There is a precedent on this topic in relation to Ethereum. An exploit of a vulnerability in the code of "The DAO" (a decentralised venture capital fund on Ethereum) in June 2016 resulted in the draining of approximately 3.6 million ETH (then worth approximately US$50–60 million, or one-third of the fund’s capital).  Rather than accepting the immutable "code is law" outcome, an irregular state change to re-write the blockchain history to transfer the misappropriated funds – again, without the private key – was proposed. This led to a hard-fork in which some participants accepted this proposal whilst others rejected it. It is, however, interesting to note that the fork that accepted the forced transfer is what is today still called and commonly recognised as Ethereum, while the fork favoured by the "purists" was named Ethereum Classic, which has not had the same following and adoption as the former[17].

However, if transfer without a private key at the level of a Layer-1 blockchain is too controversial, then we also had a precedent at the smart-contract level with the recovery from Oasis. Following the US$320 million Wormhole bridge hack in February 2022, an affiliate of Jump Crypto obtained an English High Court order to the effect that Oazo Apps Ltd, which was the company behind Oasis, a DeFi application, use a known vulnerability in the smart-contract code to transfer - without the private key - misappropriated assets deposited in the platform "vaults"[18].  We understand from publicly available sources that this ability to move assets without the private key was not by design. Nonetheless, the fact of that ability by Oazo meant that recovery was possible through a court order.

In the case of Arbitrum, however, it seems that the Security Council's power to, for example, transfer assets without the private key, was part of its governance design. However, users and market participants may not have known this and may now be surprised by it.  Whilst centralised smart-contract applications such as stablecoins might well be expected to retain a power to mint, burn, freeze and move coins without private keys, and Oasis showed that even DeFi applications may have some such ability, Layer-2s may be seen more as "infrastructure" and closer to Layer 1 blockchains, which makes the recent Arbitrum intervention all the more surprising.

What it means for crypto-asset enforcement and recovery

The Arbitrum intervention represents a significant development in the evolution of crypto-asset enforcement and recovery. 

Where assets land on Layer-2 networks with active governance mechanisms that enable changing their underlying smart-contract code, recovery from an address may now be possible without a private key. In addition to self-governing actions taken by on-chain participants, courts may also make orders against those who participate in governance to return assets on-chain to victims/rightful owners. 

What Oasis, and now Arbitrum, have demonstrated is a blurring of the boundaries between "custodial" and "non-custodial" wallets. Arguably, upgradeable smart-contracts – whether implementing a specific application or a Layer-2 network – may create, in reality, an intermediary layer, provided there is sufficient control.

This has potential ramifications for claimants seeking to recover crypto-assets. It is now important not only to map assets by chain but also by governance models, e.g. Layer-1 versus Layer-2 versus smart-contract applications.

Whilst this may bring hope to victims of crypto-asset fraud, the blurred picture -  a result of the non-standard governance models adopted by certain DeFi protocols and Layer-2 networks – does create legal uncertainty and risks of disputes.  As was the case in Tulip Trading, the precise detailed governance structure and level of control exerted in each case will be central to the question of whether those involved in the governance of those networks and applications can or ought to be subject to legal duties (for example, fiduciary, tortious or even contractual duties) and court orders.  In this regard, nomenclature such as a "DAO" will not be conclusive.  Conversely, if governance structures take remedial action prior to any legal ruling, and do so more frequently than just in relation to sizeable attacks, there arises a risk of conflicting claims by innocent parties. For example, assets may have been mistakenly traced to an innocent third-party's address.  If they are appropriated by governance mechanisms, such a party may have a complaint against the transferee (who may be the original victim) and, potentially, against the governance bodies. 

As ever with crypto, we are in a fast-moving world.  Today, we seem far away from the ideal of "Code is Law".  As we previously wrote in "Smart contracts and the limits of the 'rule of code'" (2022) 10 JIBFL 692 (https://www.traverssmith.com/knowledge/knowledge-container/smart-contracts-and-the-limits-of-the-rule-of-code/), even where parties – that is, DeFi protocols and users thereof - seek to rely solely on irrevocable, self-executing code as constituting and defining the contract between them, it is unlikely that such a smart contract would be the end of the matter so far as their respective legal rights and obligations are concerned. Furthermore, it is interesting to see that even DeFi protocols, such as Drift[19] and Aave[20], now include "legal wrappers" by way of terms and conditions of use, with choice of law and jurisdiction/arbitration clauses.

All of this points to an interesting period ahead where we are likely to see more frequent collisions between DeFi and other decentralised blockchain protocols, applications and networks, on one hand, and the legal system, on the other. 

Developments in relation to the two attacks and this area of law remain fast-moving. This briefing reflects the position as at 30 April 2026.

Get in touch

Read John Lee Profile
John Lee

Meet the team

Read Jonathan Gilmour Profile
Jonathan Gilmour
Read Natalie Lewis Profile
Natalie Lewis

[1] https://www.chainalysis.com/blog/lessons-from-the-drift-hack/
[2] https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/
[3] https://x.com/arbitrum/status/2046435443680346189?ct=rw-null
[4] https://www.chainalysis.com/blog/lessons-from-the-drift-hack/
[5] Pre-signed durable nonce transactions, and a zero-timelock governance.
[6] See here for a more detailed explanation: https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/
[7] Wrapped Ethereum (WETH) is an ERC-20 compliant token that represents Ethereum's native token (ETH) at a 1:1 ratio. It allows ETH to be used in DeFi apps, which often require the ERC-20 standard. ERC-20 (Ethereum Request for Comments 20) is the standard technical protocol for creating and issuing fungible tokens on the Ethereum blockchain.
[8] https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now
[9] https://defiunited.world/ (accessed 30 April 2026)
[10] Acting through a 9-of-12 multisig set up, meaning that 9 of 12 keys are sufficient to approve a transaction.
[11] The smart-contract that lives on Ethereum (Layer 1) and serves as the entry point for sending messages and transactions from Ethereum to the Arbitrum (Layer-2) network.
[12] Decentralised Autonomous Organisation: see the Law Commission Consultation page: https://lawcom.gov.uk/project/decentralised-autonomous-organisations-daos/
[13] https://forum.arbitrum.foundation/t/security-council-emergency-action-21-04-2026/30803
[14] https://x.com/griffgreen/status/2046446942494802274?s=20
[15] https://forum.arbitrum.foundation/t/constitutional-aip-approve-release-of-frozen-eth/30825
[16]  Tulip Trading Limited v Van der Laan and others [2023] EWCA Civ 83 (https://www.judiciary.uk/wp-content/uploads/2023/02/Tulip-v-Van-Der-Laan-judgment-030223.pdf)
[17] https://www.gemini.com/cryptopedia/the-dao-hack-makerdao
[18] Tai Mo Shan Limited v Oazo Apps Limited (2023) (unreported). See: https://www.cfaar.io/insights/blog-high-court-orders-ethical-crypto-hack-tai-mo-shan-limited-v-oazo-apps-limited-2023-unreported/
[19] https://docs.drift.trade/protocol/legal-and-regulations/terms-of-use
[20] https://aave.com/terms-of-service

Our knowledge

Back To Top Back To Top chevron up