Curve founder Michael Egorov is calling for industry-wide security standards in decentralized finance after a string of avoidable attacks exposed how hidden centralized choke points can defeat ostensibly decentralized systems. He says teams should eliminate single points of failure in design instead of relying on post-incident remedies, and urges the sector to share practical defenses to prevent repeat failures.
Egorov’s appeal came in the wake of the KelpDAO rsETH exploit, where an attacker forged a cross-chain message to withdraw about 116,500 rsETH—roughly $292 million at the time—and then used those tokens as collateral on Aave. Because DeFi protocols compose with one another, the stolen assets magnified stress across the ecosystem: users pulled more than $10 billion from Aave in a rush to exit, prompting Aave to freeze rsETH markets on both V3 and V4 to limit further damage.
Industry trackers put losses tied to the Kelp incident at about $293 million, and at least nine connected projects paused or restricted rsETH activity. Arbitrum’s security council later recovered roughly 30,766 ETH linked to the attacker. LayerZero, which provided KelpDAO’s messaging layer, said the breach was enabled because Kelp operated a single 1-of-1 DVN verifier without redundancy—an archetypal single point of failure.
Egorov highlighted that bridges, cross-chain verifiers, oracles, governance multisigs and admin keys are frequent but often hidden centralized dependencies. Even when lending markets or AMMs are formally decentralized and audited, those ancillary controls can create an outsized blast radius when compromised. He pointed to prior cross-chain and bridge incidents as evidence that architectural choices determine how far damage spreads.
To address this, Egorov is asking projects, auditors and risk teams to collaborate on concrete, shareable best practices: robust cross-chain verifier setups, sensible rate limits, multisig policies that avoid single-person control, and well-tested emergency kill switches. He proposes turning those practices into a common DeFi security playbook that applies across chains.
Egorov suggested that ecosystem stewards such as the Ethereum Foundation and Solana Foundation could help convene the work. He framed foundation-backed guidance not as formal regulation but as a widely accepted rulebook that would raise the bar and make it harder for teams to ship architectures with obvious centralized choke points.
Observers warn that repeated high-profile failures like the rsETH exploit and the ensuing stress on Aave risk entrenching a damaging narrative: that DeFi too often reintroduces opaque single points of failure and therefore cannot reliably deliver on its promise as an alternative to fragile traditional finance rails. Egorov and others argue that practical, shared standards could reduce that risk and help the industry scale with greater safety and credibility.