Solving the centralization problem is the direction of DeFi evolution
In recent days, there has been a lot of discussion online about the AAVE security incident.
The main process of the event is as follows:
The attacker exploited a weakness in KelpDAO's cross-chain message verification, forging messages that caused the LayerZero cross-chain bridge to mint over 110,000 rsETH on the mainnet with no backing. The attacker then deposited the newly minted rsETH into Aave as collateral and borrowed approximately $236 million worth of WETH/ETH.
This directly drained a massive amount of WETH/ETH liquidity from Aave. As the incident unfolded, assets that had been deposited on Aave were withdrawn in bulk, and the liquidity depletion quickly spread to almost all mainstream assets on the platform.
Even more seriously, the turmoil spread to the Solana ecosystem, where liquidity across various lending protocols tightened significantly.
For a description of the entire incident, you can refer to the link at the end of the article.
There is no doubt that this incident has had a huge impact on the entire DeFi ecosystem, which is why various commentary articles about this matter have flooded the internet.
However, the vast majority of these articles do little more than vent emotions: they neither clarify the key aspects of the incident nor assess its impact objectively. Many attribute every problem to DeFi without analysis, and some even proclaim, without basis, that "decentralization is dead."
In reality, the core cause of this security incident is a serious weakness in the design of KelpDAO's verification mechanism.
LayerZero provides a DVN (Distributed Verification Network) mechanism that protocols use to confirm messages during cross-chain operations. Since the DVN is a distributed verifier, a protocol that relies on it should configure it in a distributed manner as well: a message should be confirmed by multiple signatures.
However, KelpDAO used only a single signature to confirm messages.
This left a loophole for attackers: if that one signature were compromised, they could confirm any message.
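The following Python is an added illustration, not code from the article, KelpDAO or LayerZero. It models a verifier set with a threshold configuration and compares a 1-of-1 setup with a 2-of-3 setup when one verifier key is compromised; the verifier names, the HMAC-based attestation and the config layout are assumptions made for the example (real DVNs use public-key signatures).

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a verifier network: each verifier holds a secret
# key and attests to a message by producing an HMAC over the message hash.
# Real DVNs use public-key signatures; HMAC keeps the example self-contained.
VERIFIER_NAMES = ("dvn_a", "dvn_b", "dvn_c")  # hypothetical verifier names

def attest(verifier_key: bytes, message: bytes) -> bytes:
    """One verifier's attestation that it has seen and verified `message`."""
    return hmac.new(verifier_key, hashlib.sha256(message).digest(), hashlib.sha256).digest()

def verify_message(config, verifier_keys, message, attestations) -> bool:
    """Accept `message` only if every required verifier and at least
    `optional_threshold` of the optional verifiers supplied a valid attestation."""
    if config["optional_threshold"] > len(config["optional"]):
        raise ValueError("threshold can never be met: misconfiguration")
    valid = {
        name for name, sig in attestations.items()
        if name in verifier_keys
        and hmac.compare_digest(sig, attest(verifier_keys[name], message))
    }
    if any(name not in valid for name in config["required"]):
        return False
    met = sum(1 for name in config["optional"] if name in valid)
    return met >= config["optional_threshold"]

# A 1-of-1 configuration like the one the article describes, beside a 2-of-3 threshold.
SINGLE_VERIFIER = {"required": ["dvn_a"], "optional": [], "optional_threshold": 0}
THRESHOLD_2_OF_3 = {"required": [], "optional": list(VERIFIER_NAMES), "optional_threshold": 2}

def forged_message_accepted(config) -> bool:
    """Model the failure mode: one verifier key (dvn_a) is compromised, so a
    forged message carries that verifier's attestation and no other."""
    keys = {name: secrets.token_bytes(32) for name in VERIFIER_NAMES}
    forged = b"unbacked mint request"  # constructed message
    attestations = {"dvn_a": attest(keys["dvn_a"], forged)}
    return verify_message(config, keys, forged, attestations)

def honest_message_accepted(config) -> bool:
    """Normal operation: every verifier attests to a legitimate message."""
    keys = {name: secrets.token_bytes(32) for name in VERIFIER_NAMES}
    message = b"legitimate cross-chain message"  # constructed message
    attestations = {name: attest(key, message) for name, key in keys.items()}
    return verify_message(config, keys, message, attestations)
```

With the 1-of-1 configuration the forged message is accepted, while the 2-of-3 configuration rejects it and still accepts honest messages; the misconfiguration check also refuses a threshold that no set of verifiers could ever meet.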
Another, more familiar scenario helps illustrate the issue:
Large institutions, such as centralized exchanges (CEXs), typically hold significant amounts of Bitcoin. For the wallets holding these funds, such institutions use multi-signature wallets rather than single-signature wallets.
With a single-signature wallet, as soon as that one key is compromised, all the Bitcoin in the wallet is lost. With a multi-signature wallet, even if one or more keys are compromised, the Bitcoin remains secure as long as the attacker cannot reach the multi-signature threshold.
This is basic common sense that any operator or designer with even a slight awareness of security in the crypto ecosystem should possess.
The KelpDAO team lacked even this basic understanding: they chose a highly centralized design relying on a single signature, and that choice led to this massive disaster.
This also shows that in the DeFi world, decentralized configuration must become the standard at every critical link in the chain if the security of the whole mechanism is to be ensured.
Therefore, the claim that "decentralization is dead" is truly absurd.
Of course, Aave is not blameless in this incident. Its failing was that it did not respond in a timely manner to the potential risks posed by its collateral assets.
In January 2025, there was a post on Aave's governance forum warning that KelpDAO's assets might be at risk. However, Aave remained indifferent to this.
In contrast, another similar protocol, Spark (which originated from MakerDAO), promptly stopped accepting rsETH as collateral.
The very different responses of these two protocols to the same security risk highlight the significant gap in their security risk management.
Spark's action reminds me of a past security incident involving MakerDAO.
In March 2023, following the collapse of Silicon Valley Bank, USDC, DAI's largest collateral asset, de-pegged severely, and DAI's price dropped below $1 in a short period.
This too was a DeFi disaster caused by a centralization problem, and it exposed how insufficient MakerDAO's defenses against centralization risk were at the time.
Since then, however, MakerDAO has embarked on a path of rebirth, directly promoting the "Endgame Plan" and accelerating its decentralization and asset diversification to prevent similar centralization risks from affecting the protocol.
This has led to the emergence of Spark, which has demonstrated stable performance in this incident.
MakerDAO's rebirth illustrates that when faced with such issues, it is even more crucial for all projects within the ecosystem to be doubly vigilant and preventive against centralization risks at every stage.
This is the only way to build a stronger and more resilient DeFi system from a long-term perspective.
MakerDAO has walked this path, and Aave, along with all other DeFi systems, must continue on this path.
The DeFi mechanism itself is not the cause of security incidents; the root of the problem is the habitual, often unexamined, centralized thinking and practices of the people who actually operate these protocols.
Continuously combating centralization risk and resolving centralization issues is the correct direction for DeFi's evolution and the right way for DeFi to solve problems of this kind.
Reference link: https://x.com/lanhubiji/status/2045779703051460715