Curve founder Michael Egorov is urging industry-wide DeFi security standards after a series of “avoidable” exploits highlighted how centralized chokepoints can undermine supposedly decentralized systems.
Egorov said many recent hacks stem from centralized single points of failure and called on teams to design out those chokepoints rather than rely on remedies after losses. In a public thread, he argued that the frequency of preventable incidents is harming the whole industry and stressed DeFi’s potential as the future global financial system.
His comments followed the KelpDAO rsETH exploit, in which an attacker forged a cross-chain message to drain about 116,500 rsETH—roughly $292 million at the time—and then used the stolen tokens on Aave as collateral. That move amplified the impact through DeFi composability, triggering more than $10 billion in outflows from Aave as users rushed to withdraw. Aave froze rsETH markets on V3 and V4 to contain risk. Industry trackers estimate Kelp-related losses at about $293 million, with nine connected protocols halting or restricting rsETH activity. Arbitrum’s security council later seized roughly 30,766 ETH tied to the attacker.
LayerZero, which supplied KelpDAO’s messaging layer, said the breach was possible because Kelp ran a single 1-of-1 DVN verifier with no backup—a textbook single point of failure. Egorov pointed to bridges, oracles, governance multisigs and admin keys as common hidden centralized dependencies, even when lending or AMM contracts are formally decentralized and audited. He cited prior bridge and liquidity exploits, including cross-chain attacks, to show how design choices determine an incident’s blast radius and that some projects are rebuilding centralized weaknesses rather than eliminating them.
Egorov wants projects, auditors and risk teams to share concrete best practices on cross-chain verifiers, rate limits, multisig policies and kill-switch designs, then jointly establish DeFi security standards applicable across chains. He suggested the Ethereum Foundation and Solana Foundation help convene this work, arguing foundation-backed guidelines—while not formal regulation—could serve as a common rulebook and make it harder to ship architectures with obvious centralized choke points.
Observers warn that repeated failures, such as the rsETH exploit and the stress on Aave, risk entrenching a perception that DeFi repeatedly reintroduces single points of failure, undermining its core promise as an alternative to opaque, fragile traditional finance rails.