Solving the centralization problem is the direction of DeFi's evolution


These days, there is widespread online discussion about the AAVE security incident.

The main process of the incident is as follows:

The attacker exploited KelpDAO’s verification mechanism by forging cross-chain messages, causing LayerZero’s cross-chain bridge to mint over 110k rsETH out of thin air on mainnet. They then deposited the fabricated rsETH as collateral in Aave and borrowed approximately $236 million worth of WETH/ETH.

This operation directly drained a massive amount of WETH/ETH liquidity from Aave. As the security event escalated, large amounts of assets deposited on Aave were rapidly withdrawn in bulk, and the liquidity exhaustion quickly spread to almost all mainstream assets on Aave.

More seriously, this turmoil also spread to the Solana ecosystem, causing liquidity issues in various lending protocols on Solana.

Undoubtedly, this incident has dealt a huge blow to the entire DeFi ecosystem, and therefore a flood of commentary articles about the event has emerged online.

However, most of these articles, apart from venting emotions, did not identify the key point of the incident, nor did they objectively assess its impact. Many attribute every problem to DeFi without analysis, even going so far as to proclaim, without justification, the fall of decentralization.

In fact, the core reason behind this security incident is that KelpDAO’s verification mechanism has significant security vulnerabilities in its design.

LayerZero provides a DVN (Distributed Validation Network) mechanism for protocols to confirm messages during cross-chain operations. Since a DVN is a distributed validator network, protocols that rely on it should configure it in a distributed manner, requiring multiple signatures to confirm a message.

But KelpDAO only used a single signature to confirm messages.

This left an opening for attackers: once that single signer was compromised, any message could be confirmed.

Another typical scenario helps us better understand this issue:

Large institutions (such as centralized exchanges) usually hold large amounts of Bitcoin. For the wallets holding these large balances, they typically use multi-signature wallets rather than single-signature wallets.

With a single-signature wallet, once that one key is compromised, all the Bitcoin in the wallet is lost. With a multi-signature wallet, even if one or more keys are compromised, the Bitcoin remains secure as long as fewer keys than the signing threshold are in the attacker’s hands.
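As an added illustration of the two passages above (the DVN configuration and the multi-signature threshold), not code from the original article, KelpDAO or LayerZero: a simplified Python model of a LayerZero V2 style DVN configuration, where every required DVN must attest to a message’s payload hash plus at least `optional_threshold` of the optional DVNs (the config shape is an assumption). The DVN names and the forged payload are constructed placeholders, and `single_signer_suffices` is a config-review check that flags the single-signature setup described above.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class UlnConfig:
    """Simplified DVN quorum config (assumption, modelled loosely on LayerZero V2):
    all `required` DVNs must attest, plus >= optional_threshold of `optional`."""
    required: tuple            # DVN ids that must all attest
    optional: tuple = ()       # DVN ids counted toward optional_threshold
    optional_threshold: int = 0

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def commit_allowed(cfg: UlnConfig, payload: bytes, attestations: dict) -> bool:
    """attestations maps DVN id -> payload hash that DVN attested to.
    True only if the configured quorum attested to *this* payload."""
    h = payload_hash(payload)
    if any(attestations.get(dvn) != h for dvn in cfg.required):
        return False
    optional_ok = sum(1 for dvn in cfg.optional if attestations.get(dvn) == h)
    return optional_ok >= cfg.optional_threshold

def single_signer_suffices(cfg: UlnConfig) -> bool:
    """Config-review check: can one compromised DVN alone pass a message?"""
    if len(cfg.required) + len(cfg.optional) == 0:
        return True                      # nobody has to attest at all
    if len(cfg.required) == 1 and cfg.optional_threshold == 0:
        return True                      # 1-of-1: the KelpDAO-style setup
    return len(cfg.required) == 0 and cfg.optional_threshold <= 1

# Constructed scenario: the attacker controls exactly one DVN, "dvn_x".
FORGED = b"mint 110000 rsETH"            # constructed placeholder payload
COMPROMISED = "dvn_x"

def forged_message_passes(cfg: UlnConfig) -> bool:
    # Only the compromised DVN attests to the forged hash; honest DVNs never do.
    attestations = {COMPROMISED: payload_hash(FORGED)}
    return commit_allowed(cfg, FORGED, attestations)

SINGLE_DVN = UlnConfig(required=(COMPROMISED,))                       # 1-of-1
MULTI_DVN = UlnConfig(required=(COMPROMISED, "dvn_y"),               # 2 required
                      optional=("dvn_z", "dvn_w"), optional_threshold=1)  # + 1-of-2

if __name__ == "__main__":
    for name, cfg in (("single", SINGLE_DVN), ("multi", MULTI_DVN)):
        print(name, "single signer suffices:", single_signer_suffices(cfg),
              "| forged message passes:", forged_message_passes(cfg))
```

With the 1-of-1 config the forged message is committed by the compromised DVN alone; with two required DVNs plus an optional threshold, the same compromise is not enough.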

This is a basic understanding and common sense that security-conscious operators and designers in the crypto ecosystem should have.

However, the KelpDAO team lacked even this basic awareness; by choosing a single-signature, highly centralized configuration, they caused this huge disaster.

This also proves that in the DeFi world, decentralized configuration must become a standard in every critical link to ensure the overall mechanism’s security.

Therefore, the idea that “decentralization is dead” is simply absurd.

Of course, Aave is not innocent in this incident either. Its failure was not promptly recognizing the potential risk posed by the collateral assets it accepted.

In January 2025, a post on Aave’s governance forum warned that KelpDAO’s assets might be risky. But Aave remained indifferent.

Another similar protocol, Spark (originating from MakerDAO), promptly stopped accepting rsETH as collateral.

The stark difference in their responses to this security risk highlights the huge gap in their security risk management.

Spark’s action reminded me of a past security incident involving MakerDAO.

In March 2023, due to the collapse of Silicon Valley Bank, USDC, DAI’s largest collateral asset, experienced a severe de-pegging, causing DAI’s price to briefly fall below $1.

This was also a DeFi disaster caused by centralization issues. It exposed MakerDAO’s insufficient defenses against centralization at that time.

Since then, MakerDAO embarked on a path of rebirth, directly launching the “Endgame Plan,” accelerating its decentralization and asset diversification efforts to prevent similar centralization risks from impacting the protocol.

That is the origin of the Spark we see today, and it explains Spark’s cautious conduct during this incident.

MakerDAO’s rebirth precisely shows that encountering such problems makes it even more necessary for projects across the ecosystem to double down on centralization risk awareness and prevention.

Only in this way can a stronger, more resilient DeFi system be built in the long run.

MakerDAO has come this far, and Aave and all other DeFi systems must follow the same path.

DeFi mechanisms are not the cause of security incidents; it is the subconscious centralized thinking and operations of actual operators that are the root problem.

Continuously fighting centralization risks and solving centralization issues are the correct directions for DeFi’s evolution and the proper way to address similar problems.
