The future of DeFi is not single nodes or single signer setups.
What we’re experiencing now is a lack of better security practices, which doesn’t matter 364 of 365 days of the year, until it does matter. A lot.
In this particular incident, you have basic security mismanagement that has been confirmed by sources close to the matter:
1.) It was an official LayerZero DVN that was attacked with very poor security practices.
2.) These practices were applied to a 1/1 DVN under centralized internal control, which was exploited.
There was centralization risk in the number of nodes (in this case, just one) and likely in the way the DVNs were accessing the chain (through one or two RPCs).
Kelp relied solely on the LayerZero DVN. This is extremely irresponsible from a team with $1.5B in user funds under management. Unacceptable.
There are dozens more single DVNs out there that are still running with the same setup. For the 2/2 or 2/3 DVNs, it's unknown how many of these are controlled by LZ themselves.
Security researchers who have done diligence onchain close to this matter suggest that LayerZero runs a lot of these DVNs themselves. The official LZ DVN is set up as a 2/3 but all run internally. So in the KelpDAO exploit, you had a single-entity attack vector: LZ themselves.
There is a pattern of behavior that creates risk across the entire DeFi system, not just the LZ system. It’s all the tokenholders, issuers, and lending protocols that are now suffering from the design choices.
We've seen it time and time again.
These risks are completely unacceptable in bigger financial markets onchain and really set us back in terms of adoption.
It also sets us back entirely as an industry built on the "don't trust, verify" mentality.
Misrepresenting what your infrastructure is, thus creating a massive web of risk around single-node, single-signer architectures across all of DeFi, is a massive blow to what everyone is trying to achieve here.
We can do better. People need to be more informed about the risks they are taking. We need to be more rigorous about what we're calling decentralized.
Risk frameworks are coming to DeFi. Something has to change.
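
Added example, not part of the original post and not LayerZero or Kelp code: a small audit that takes a verifier quorum (M-of-N) and reports how many distinct operators, and how many distinct RPC providers, actually stand behind that quorum. The operator and RPC names are constructed, and the model assumes each signer reads chain state from a single RPC provider.

```python
from collections import Counter

def min_parties_for_quorum(owners, threshold):
    """Fewest distinct parties whose signers together reach the threshold.

    owners: one entry per signer, naming the party that signer depends on.
    Taking the largest parties first is optimal for a plain M-of-N quorum.
    """
    if not 1 <= threshold <= len(owners):
        raise ValueError("threshold must be between 1 and the signer count")
    reached = 0
    sizes = sorted(Counter(owners).values(), reverse=True)
    for parties, size in enumerate(sizes, 1):
        reached += size
        if reached >= threshold:
            return parties

def audit(threshold, signers):
    """signers: list of (operator, rpc_provider) tuples, one per signer."""
    ops = min_parties_for_quorum([s[0] for s in signers], threshold)
    rpcs = min_parties_for_quorum([s[1] for s in signers], threshold)
    return {
        "quorum": f"{threshold}/{len(signers)}",
        "operators_behind_quorum": ops,
        "rpc_providers_behind_quorum": rpcs,
        # A nominal 2/3 is still a single point of failure if one party
        # (operator or data source) sits behind enough signers.
        "single_point_of_failure": min(ops, rpcs) == 1,
    }

# Constructed sample configurations (hypothetical names, not real deployments).
CONFIGS = {
    "1/1 single operator": (1, [("org-a", "rpc-x")]),
    "2/3 one operator": (2, [("org-a", "rpc-x"), ("org-a", "rpc-x"),
                             ("org-a", "rpc-y")]),
    "2/3 shared rpc": (2, [("org-a", "rpc-x"), ("org-b", "rpc-x"),
                           ("org-c", "rpc-y")]),
    "2/3 independent": (2, [("org-a", "rpc-x"), ("org-b", "rpc-y"),
                            ("org-c", "rpc-z")]),
}

if __name__ == "__main__":
    for name, (threshold, signers) in CONFIGS.items():
        print(f"{name}: {audit(threshold, signers)}")
```

Only the last configuration reports no single point of failure; the nominal quorum size alone does not distinguish it from the two 2/3 setups above it.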