In recent days, the internet has been filled with heated discussions about the AAVE security incident.
The main process of the event is as follows:
The attacker exploited the verification mechanism of KelpDAO, forging cross-chain messages that allowed LayerZero's cross-chain bridge to mint over 110,000 rsETH out of thin air on the mainnet, and then deposited these newly minted rsETH into Aave as collateral, borrowing approximately $236 million in WETH/ETH.
This operation directly caused a massive liquidity withdrawal of WETH/ETH on Aave. Due to the fallout from this security incident, a significant amount of assets previously stored on Aave were withdrawn in bulk. This led to a rapid spread of liquidity exhaustion affecting nearly all mainstream assets on Aave.
More seriously, this incident also spilled over into the Solana ecosystem, causing significant liquidity issues for various lending protocols on Solana.
For a detailed description of the entire incident, please refer to the link at the end of this text.
There is no doubt that this incident has had a huge impact on the entire DeFi ecosystem, which is why a plethora of commentary articles have emerged online.
However, the vast majority of these articles, aside from merely expressing emotions, fail to clarify the key points of the incident and do not objectively assess its impact. Many articles attribute all issues uncritically to DeFi, even baselessly proclaiming the fallacy that "decentralization is dead."
In reality, the core reason for this security incident lies in the significant security vulnerabilities in the design of KelpDAO's verification mechanism.
LayerZero provides a mechanism for DVN (Distributed Verification Network) to confirm messages during cross-chain operations for various protocols. Since DVN is a distributed validator, the protocols calling this validator should configure this mechanism in a distributed manner—using multiple signatures to confirm a message.
However, KelpDAO only used a single signature to confirm messages.
This left a vulnerability for attackers—if an attacker compromises this single signature, they can confirm any message.
A more typical scenario can help us better understand this issue:
Generally, some large institutions (such as centralized exchanges) hold substantial amounts of Bitcoin. For the wallets that store these large holdings, such institutions use multi-signature wallets rather than single-signature wallets.
If only a single-signature wallet is used, once its single signature is compromised, all the Bitcoin in the wallet would be at risk. On the other hand, with a multi-signature wallet, even if one or more signatures are compromised, as long as the multi-signature threshold remains intact, the Bitcoin in the wallet remains secure.
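The following is an added illustration, not code from LayerZero, KelpDAO or the article's author, of the quorum logic the two passages above describe: a verification step that requires several independent attestations, whether for a cross-chain message or for a multi-signature wallet. It simulates verifier signatures with HMAC-SHA256 over per-verifier keys (real DVNs and wallets use asymmetric signatures, but the counting rule is identical), and the verifier names, keys and message payloads are constructed for the example. It shows that a single-verifier configuration accepts a forged message once that one key is compromised, that a 2-of-3 quorum rejects the same forgery, and that replaying one verifier's attestation several times does not count toward the threshold.

```python
"""Threshold attestation check, an added example (not LayerZero's or KelpDAO's code).

Signatures are simulated with HMAC-SHA256 keyed per verifier; the quorum
logic is what matters here, not the signature scheme.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VerifierConfig:
    """Registered verifiers and how many distinct attestations are required."""
    verifiers: Tuple[str, ...]
    threshold: int


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for a verifier's signature over a message (constructed)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(config: VerifierConfig, keys: Dict[str, bytes],
                   message: bytes, attestations: List[Tuple[str, bytes]]) -> bool:
    """Accept the message only if at least `threshold` DISTINCT registered
    verifiers produced a valid attestation for it."""
    if not 1 <= config.threshold <= len(config.verifiers):
        raise ValueError("threshold must be between 1 and the verifier count")
    valid = set()
    for name, sig in attestations:
        if name not in config.verifiers:
            continue  # attestation from an unregistered party is ignored
        expected = sign(keys[name], message)
        if hmac.compare_digest(expected, sig):
            valid.add(name)  # a set, so replays of one verifier count once
    return len(valid) >= config.threshold


# Constructed sample data: three verifiers with deterministic demo keys.
KEYS = {n: hashlib.sha256(b"constructed-demo-key-" + n.encode()).digest()
        for n in ("A", "B", "C")}
# Constructed payloads; the attacker is assumed to hold verifier A's key only.
FORGED_MINT = b"mint 110000 rsETH to 0xATTACKER (no matching burn on source chain)"
LEGIT_MINT = b"mint 5 rsETH to 0xUSER (matching burn on source chain)"

SINGLE = VerifierConfig(verifiers=("A",), threshold=1)        # the weak setting
QUORUM = VerifierConfig(verifiers=("A", "B", "C"), threshold=2)  # the corrected one


def single_verifier_accepts_forgery() -> bool:
    """One compromised key is enough when only one verifier is required."""
    attestations = [("A", sign(KEYS["A"], FORGED_MINT))]
    return verify_message(SINGLE, KEYS, FORGED_MINT, attestations)


def quorum_rejects_forgery() -> bool:
    """The same compromised key cannot satisfy a 2-of-3 quorum on its own."""
    attestations = [("A", sign(KEYS["A"], FORGED_MINT))]
    return not verify_message(QUORUM, KEYS, FORGED_MINT, attestations)


def replayed_attestation_not_counted_twice() -> bool:
    """Submitting verifier A's attestation twice still yields one valid signer."""
    sig_a = sign(KEYS["A"], FORGED_MINT)
    attestations = [("A", sig_a), ("A", sig_a), ("X", sig_a)]  # X is unregistered
    return not verify_message(QUORUM, KEYS, FORGED_MINT, attestations)


def quorum_accepts_legitimate() -> bool:
    """Two independent verifiers attesting the same message reach the quorum."""
    attestations = [("A", sign(KEYS["A"], LEGIT_MINT)),
                    ("B", sign(KEYS["B"], LEGIT_MINT))]
    return verify_message(QUORUM, KEYS, LEGIT_MINT, attestations)


if __name__ == "__main__":
    print("single verifier accepts forgery:", single_verifier_accepts_forgery())
    print("2-of-3 quorum rejects forgery:  ", quorum_rejects_forgery())
    print("replay counted once:            ", replayed_attestation_not_counted_twice())
    print("quorum accepts legitimate:      ", quorum_accepts_legitimate())
```

The design point is in `verify_message`: attestations are keyed by verifier identity and deduplicated before counting, so the security of the check rests on how many independent keys an attacker would have to compromise, which is exactly the `threshold` value. A deployment that sets one required verifier, as the article says KelpDAO did, reduces that number to one.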
This is a basic understanding and common sense that operators and designers with some security awareness in the crypto ecosystem should possess.
However, the KelpDAO team lacked even this basic understanding—they precisely used a highly centralized design of a single signature, which led to this tremendous disaster.
This also precisely proves that in the DeFi world, decentralized configuration must become a standard for every key link to ensure the security of the entire mechanism.
Therefore, the statement that "decentralization is dead" is indeed absurd.
Of course, Aave is not innocent in this incident. Its problem lies in its failure to promptly recognize the potential risks associated with collateral assets.
In January 2025, there was a post in Aave's governance forum warning that KelpDAO's assets might be at risk. However, Aave remained indifferent to it.
In contrast, another similar protocol, Spark (originating from MakerDAO), timely halted the collateralization of rsETH.
The starkly different responses of these two protocols to this security vulnerability reveal a significant gap in their security risk management.
Spark's action reminds me of a past security incident involving MakerDAO.
In March 2023, due to the collapse of Silicon Valley Bank, the biggest collateral asset of DAI, USDC, became severely unpegged, causing DAI's price to drop below $1 in a short period.
This was also a DeFi disaster caused by centralization issues. It exposed MakerDAO's insufficient defenses against centralization problems at that time.
However, since then, MakerDAO has embarked on a path of rebirth, directly driving the "Endgame Plan," accelerating its decentralization and diversification of assets to prevent similar centralization risks from impacting the protocol.
This has led to the emergence of Spark today, and we have seen Spark's steady performance in this incident.
MakerDAO's rebirth illustrates that when faced with such issues, it is crucial for all projects within the ecosystem to be doubly vigilant against centralization risks and to take precautions.
This is the only way to build a stronger and more resilient DeFi system in the long term.
MakerDAO has come this far, and Aave, along with all other DeFi systems, must continue on this path.
The DeFi mechanism is not the cause of the security incidents; rather, the subconscious centralization thinking and operational practices of actual operators are the fundamental problems.
Continuously combating centralization risks and solving centralization issues is the correct direction for DeFi evolution and the right way for DeFi to address similar problems.
Reference link: https://x.com/lanhubiji/status/2045779703051460715