Curve founder Michael Egorov is pushing for chain-wide DeFi security standards after the Kelp rsETH exploit exposed how “centralized” chokepoints can still wreck supposedly decentralized systems.
Summary
- Curve’s Michael Egorov says many DeFi hacks stem from avoidable centralized weak points.
- He cites the KelpDAO rsETH exploit and Aave’s response as a systemic warning.
- Egorov wants Ethereum and Solana foundations to help lead common security standards.
Curve founder Michael Egorov has called for industry-wide DeFi security standards after what he describes as a wave of “avoidable” exploits driven by centralized single points of failure across supposedly decentralized stacks.
In a detailed thread, Egorov argued that “a large number of avoidable security incidents in DeFi stem from centralized single points of failure, which are harming the entire industry,” urging teams to design out those choke points rather than try to “remedy” losses after the fact.
His comments follow the KelpDAO rsETH exploit, where an attacker drained around 116,500 rsETH—worth roughly $292 million at the time—by forging a cross-chain message and then pushed the stolen tokens into Aave as collateral, amplifying the damage through DeFi’s composability.
According to LayerZero, which provided KelpDAO’s messaging layer, the breach was possible because Kelp ran a single 1-of-1 DVN verifier with no backup, creating exactly the kind of single point of failure Egorov says should not exist in modern DeFi infrastructure.
Once the forged message passed, the attacker used rsETH on Aave V3 to borrow large amounts of wrapped ether, triggering more than $10 billion in outflows from Aave as users rushed to withdraw, while the protocol froze rsETH markets on V3 and V4 to contain risk.
Industry trackers estimate the broader Kelp-related losses at around $293 million, with nine connected protocols halting or restricting rsETH activity and Arbitrum’s security council later seizing about 30,766 ETH tied to the attacker.
Egorov said the episode illustrates how “bridges, oracles, governance multisigs and admin keys” can become hidden centralized dependencies, even when base lending or AMM contracts remain formally decentralized and audited.
He also pointed to earlier bridge and liquidity exploits, including cross-chain attacks on protocols such as CrossCurve—which works with Curve Finance and touts a multi-validator design to reduce single points of failure—as examples of how design choices directly shape blast radius when something breaks.
Egorov wants projects, auditors and risk teams to share concrete best practices on everything from cross-chain verifiers and rate limits to multisig policies and kill switches, then “jointly establish DeFi security standards” that can be applied across chains.
He suggested the Ethereum Foundation and Solana Foundation should help convene the work, arguing that foundation-backed guidelines—while not formal regulation—could act as a common rulebook and make it harder for teams to ship architectures with obvious centralized choke points.
As one commentator summarized in an industry report, repeated failures like the rsETH exploit and subsequent Aave stress risk cementing the perception that “instead of eliminating single points of failure, the industry keeps rebuilding them,” undermining DeFi’s core value proposition as an alternative to opaque, fragile TradFi rails.
