This was not a standard freeze at the protocol or front-end level. In this case, the funds were stopped at the L2 infrastructure level, through an emergency intervention in Arbitrum’s bridge and message flow, a much rarer response than pausing a pool or market.

What happened step by step:

1. Part of the stolen funds ended up on Arbitrum.

A total of 30,766 ETH linked to the KelpDAO exploit was located on Arbitrum One. That equals roughly $71 million, or about 26% of the reported $292 million exploit.

2. This was not a typical app-level freeze.

Instead of freezing a specific DeFi protocol, the intervention happened at the network infrastructure layer, through Arbitrum’s bridge messaging system between Ethereum and Arbitrum.

3. The bridge Inbox logic was temporarily modified.

A special one-time override mechanism was added to the bridge path, making it possible to carry out a targeted technical action against the address holding the exploit-linked funds.

4. The ETH was moved into a frozen intermediary wallet.

The funds were not destroyed or removed from the chain. They were transferred into a separate frozen wallet, where they can no longer move freely through the normal flow.

5. The system was then returned to normal.

The change was one-time only: after the funds were secured, the bridge logic was restored to its standard state.

6. The ETH is now effectively locked.

Any future movement of the 30,766 ETH would require a separate governance decision, meaning this is not just a temporary pause but a controlled post-incident lock on the funds.