A monk carries water to drink,
Two monks carry water to drink,
Three monks have no water to drink.
┈➤AAVE compensation proposal has not been activated yet
Neither the AAVE protocol nor its client has any major security issue of its own; the problem was mainly caused by fake rsETH being fed into it.
A few hours after the alert, AAVE froze the rsETH / wrsETH markets on V3 and V4. Maybe it could have handled it even faster?
Subsequently, AAVE launched the Umbrella module, with the Umbrella staker bearing part of the loss, while the remaining part of the loss is temporarily borne by deposit users.
The team has stated that it is “exploring ways to cover the gap,” and is collaborating with KelpDAO and LayerZero to investigate. For now, there is no proposal to use the treasury or protocol revenue to make up users’ losses.
┈➤The problem with LayerZero is that the DVN node was attacked
KelpDAO uses a single DVN node, and that DVN node is a LayerZero Labs DVN, not a DVN built by KelpDAO itself.
This LayerZero Labs DVN was attacked, and a fake message was sent to KelpDAO. The fake message claimed that UniChain had already destroyed 116,500 rsETH, and requested that 116,500 rsETH be minted on the Ethereum mainnet. However, UniChain did not destroy 116,500 rsETH.
LayerZero emphasized that it had recommended a multi-DVN setup to KelpDAO, but KelpDAO chose a single-DVN configuration.
However, it still cannot be confirmed whether, if KelpDAO had chosen multiple DVNs, the multiple DVN nodes would all have been attacked as well.
Of course, only KelpDAO was attacked—which indeed points to problems within KelpDAO itself.
┈➤KelpDAO’s problem is over-trusting LayerZero
KelpDAO used only a single DVN, and that DVN is the LayerZero Labs node; this is over-trusting the other party.
More importantly, when KelpDAO received the fake message from LayerZero, it did not verify whether the core message was genuine, nor did it verify on UniChain whether 116,500 rsETH had really been destroyed; it simply followed the fake message and minted 116,500 rsETH. This kind of over-trust in LayerZero is truly excessive.
This is why, although projects using a single DVN are not limited to KelpDAO, only KelpDAO was attacked.
KelpDAO believes that the reason for the attack is that LayerZero’s default setup is a single DVN.
┈➤Written at the end
DeFi has been attacked before; in a blockchain environment where code is law, the exploitation of vulnerabilities is nothing new.
As the largest lending platform across the whole network, AAVE fell into a bad-debt situation, causing users to withdraw funds from various lending protocols, and even from other types of DeFi protocols.
Since the event happened, the total value locked (TVL) across the entire network has decreased by $13.96 billion. In addition to AAVE, the TVL of the lending protocol Morpho has also decreased by 5.47%.
These negative signals were all expected. What truly shakes confidence in DeFi is neither the attack nor the decrease in TVL, but the project teams’ mutual finger-pointing during this incident.
KelpDAO’s use of a single DVN node may not be the key issue. The key issue is that LayerZero is responsible for transmitting messages, and the KelpDAO protocol should verify the authenticity of those messages. At the very least, its contracts should verify large cross-chain actions against the source chain.
LayerZero’s problem is not whether it runs a single node or multiple nodes; rather, it lies in the vulnerabilities and issues across the entire process by which its DVN service was attacked.
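The two controls argued over above (how many DVNs must vouch for a message, and whether the receiver checks a large mint against the source chain) can be compared in a small model. This is an added example, not KelpDAO or LayerZero code: the DVN ids, the thresholds, the nonce values and the `burn_index` lookup (an assumed view of source-chain burns that does not pass through the DVNs) are all hypothetical, and only the 116,500 rsETH figure comes from the post.

```python
# Toy model of receiver-side checks for a burn-and-mint bridge (added example).
# Every name, threshold and data value below is hypothetical or constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class MintRequest:
    src_chain: str         # chain where the burn is claimed to have happened
    nonce: int             # message sequence number
    amount: int            # whole rsETH to mint on the destination chain
    attesters: frozenset   # ids of the DVNs that vouched for the message

@dataclass(frozen=True)
class ReceiverPolicy:
    trusted_dvns: frozenset
    dvn_threshold: int     # distinct trusted DVNs required
    large_mint: int        # at or above this, require an independent burn record

    def decide(self, req, burn_index):
        """burn_index maps (chain, nonce) -> amount burned, as read from a view
        of the source chain that does not pass through the DVNs."""
        if len(req.attesters & self.trusted_dvns) < self.dvn_threshold:
            return "reject: too few DVN attestations"
        if req.amount >= self.large_mint:
            burned = burn_index.get((req.src_chain, req.nonce))
            if burned is None:
                return "reject: no matching burn on source chain"
            if burned != req.amount:
                return "reject: burn amount mismatch"
        return "mint"

NO_LIMIT = 10**30                   # effectively disables the burn check
BURNS = {("unichain", 7): 2_500}    # constructed: the only real burn on the source chain
ALL = frozenset({"dvn-a", "dvn-b", "dvn-c"})
single = ReceiverPolicy(frozenset({"dvn-a"}), 1, NO_LIMIT)
quorum = ReceiverPolicy(ALL, 2, NO_LIMIT)
guarded = ReceiverPolicy(ALL, 2, 1_000)

def run_scenarios():
    forged_one = MintRequest("unichain", 8, 116_500, frozenset({"dvn-a"}))
    forged_all = MintRequest("unichain", 8, 116_500, ALL)
    honest = MintRequest("unichain", 7, 2_500, frozenset({"dvn-a", "dvn-b"}))
    return {
        "single DVN, one compromised": single.decide(forged_one, BURNS),
        "2-of-3, one compromised": quorum.decide(forged_one, BURNS),
        "2-of-3, all compromised": quorum.decide(forged_all, BURNS),
        "2-of-3 + burn check, all compromised": guarded.decide(forged_all, BURNS),
        "2-of-3 + burn check, honest large": guarded.decide(honest, BURNS),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

A quorum stops one compromised DVN but not a compromise of every DVN, the case the post says cannot be ruled out. The burn check rejects the forged mint in both cases because it does not depend on the DVNs at all.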
Both sides are shifting responsibility to each other regarding the single-DVN-node issue, to reduce the proportion of their own responsibility in this attack.
Naturally, AAVE also does not want to be the first to initiate a compensation proposal, because it cannot define the proportion of responsibility it should bear.
In centralized platforms, there is no dispute that the centralized operator bears compensation.
However, in the DeFi ecosystem on the “code is law” blockchain, no one is in a suitable position, or able, to clearly allocate responsibility among the three projects…
Compared with the time it takes for negative signals to spread, the cycle to define responsibility ratios and initiate compensation among the three projects may be even longer.
The most ideal scenario is to recover the stolen funds and return them to the affected users, but the probability of this is extremely low.
Even more worrying is that the three projects get stuck on the allocation of responsibilities and drag on without compensating users for a long time—this is what bee Brother Feng is most worried about: three monks have no water to drink. $AAVE