A monk carries water to drink,
Two monks carry water to drink,
Three monks have no water to drink.

┈➤AAVE has not yet put forward a compensation proposal.

The AAVE protocol and its front end had no major security flaw of their own; the loss came from fraudulently minted rsETH being supplied to the protocol.

AAVE froze the rsETH/wrsETH markets on V3 and V4 a few hours after the alert. Perhaps it could have been handled a bit faster?

AAVE then activated its Umbrella module: Umbrella stakers absorb part of the loss, while the remainder is temporarily borne by depositors.

The team has stated it is "exploring ways to cover the gaps" and is investigating jointly with KelpDAO and LayerZero. For now, no proposal has been initiated to compensate user losses from the treasury or protocol revenue.

┈➤LayerZero's problem is that its DVN node was compromised

KelpDAO uses a single DVN node, and that DVN is operated by LayerZero Labs, not built by KelpDAO.

This LayerZero Labs DVN was compromised and delivered a false message to KelpDAO claiming that 116,500 rsETH had been burned on UniChain and requesting that 116,500 rsETH be minted on Ethereum mainnet. No such burn of 116,500 rsETH had taken place on UniChain.

LayerZero stresses that it advised KelpDAO to use multiple DVNs, but KelpDAO chose a single-DVN configuration.

However, there is no way to know whether an attacker could also have compromised several DVNs had KelpDAO configured more than one.

Of course, only KelpDAO was attacked, and that is indeed because KelpDAO itself has problems of its own.

┈➤KelpDAO's problem is excessive trust in LayerZero

KelpDAO relied on a single DVN, the one operated by LayerZero Labs, which shows excessive trust in a third party.

More importantly, when KelpDAO received the false message, it did not verify the substance of the claim or check whether 116,500 rsETH had really been burned on UniChain; it minted 116,500 rsETH on the strength of the message alone. That is indeed excessive trust in LayerZero.

That is why, although KelpDAO is not the only project using a single DVN, it was the only one attacked.

KelpDAO, for its part, attributes the attack to LayerZero defaulting to a single DVN.

┈➤In conclusion

This is not the first time DeFi has been attacked; in a blockchain environment where code is law, exploited vulnerabilities are nothing new.

AAVE, the largest lending platform on the network, was left holding bad debt, which prompted users to pull funds out of lending protocols and even other kinds of DeFi protocols.

Since the incident, total value locked (TVL) across the network has fallen by $13.96 billion, and beyond AAVE, the TVL of the lending protocol Morpho has also dropped by 5.47%.

Such knock-on effects were to be expected. What truly shakes trust in DeFi is neither the attack itself nor the drop in TVL, but the finger-pointing among the projects involved.

KelpDAO's use of a single DVN may not be the crux. The crux is that LayerZero is responsible for transmitting messages, while the KelpDAO protocol is responsible for verifying that they are genuine: at the very least, its contract should verify large cross-chain operations against what actually happened on the source chain.
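Concretely, the contract-side verification called for here (and absent from the flow described in the KelpDAO section above, where a message was honoured without any check on the amount) could look like the following. This is an added example written for this article, not KelpDAO, LayerZero or AAVE code. A destination-chain contract cannot query UniChain directly, but it does know how much it has burned towards each remote chain, so it can refuse to mint more on return than was ever sent out, require an M-of-N DVN quorum so that one compromised verifier is not enough, and cap the amount mintable per window. Chain and DVN names, addresses and the 5,000-token balance are constructed assumptions; the 116,500 figure is the one discussed above. The model is written in Python rather than Solidity so it can be run as-is.

```python
"""Destination-side checks for a burn-and-mint bridge receiver.

Illustrative code added for this article, not KelpDAO, LayerZero or AAVE code.
Chain names, DVN names, addresses and the 5,000-token balance are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ETH = 10**18  # 18-decimal token units


@dataclass(frozen=True)
class Message:
    src_chain: str  # chain on which the burn supposedly happened
    nonce: int      # per-source-chain sequence number, for replay protection
    receiver: str   # hypothetical recipient address
    amount: int     # token units to mint

    def digest(self) -> bytes:
        # Canonical encoding, so every verifier attests exactly the same bytes.
        raw = f"{self.src_chain}|{self.nonce}|{self.receiver}|{self.amount}".encode()
        return hashlib.sha256(raw).digest()


@dataclass
class BridgeReceiver:
    dvns: Set[str]                  # configured verifiers (hypothetical names)
    required: int                   # M-of-N attestations needed before execution
    window_cap: int                 # max amount mintable per window
    check_outstanding: bool = True  # False models trusting the DVN for amounts
    outstanding: Dict[str, int] = field(default_factory=dict)  # burned towards each remote chain
    next_nonce: Dict[str, int] = field(default_factory=dict)
    balances: Dict[str, int] = field(default_factory=dict)
    window_minted: int = 0

    def send_out(self, dst_chain: str, sender: str, amount: int) -> None:
        """Burn locally and record how much the remote chain may ever send back."""
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.outstanding[dst_chain] = self.outstanding.get(dst_chain, 0) + amount

    def receive(self, msg: Message, attestations: Dict[str, bytes]) -> str:
        """Execute an inbound message only if every check passes."""
        # 1. Verifier quorum: a single compromised DVN cannot satisfy M >= 2.
        agreeing = {d for d, h in attestations.items()
                    if d in self.dvns and h == msg.digest()}
        if len(agreeing) < self.required:
            return f"rejected: {len(agreeing)}/{self.required} DVN attestations"
        # 2. Replay protection.
        if msg.nonce != self.next_nonce.get(msg.src_chain, 0):
            return "rejected: bad nonce"
        # 3. Supply invariant: the contract cannot read the source chain, but it
        #    knows how much it burned towards that chain and never mints more back.
        avail = self.outstanding.get(msg.src_chain, 0)
        if self.check_outstanding and msg.amount > avail:
            return (f"rejected: {msg.amount // ETH} exceeds {avail // ETH} "
                    f"bridged out to {msg.src_chain}")
        # 4. Rate limit: bounds the damage even if every check above is fooled.
        if self.window_minted + msg.amount > self.window_cap:
            return "rejected: exceeds per-window mint cap"
        # Effects.
        self.next_nonce[msg.src_chain] = msg.nonce + 1
        self.outstanding[msg.src_chain] = max(avail - msg.amount, 0)
        self.window_minted += msg.amount
        self.balances[msg.receiver] = self.balances.get(msg.receiver, 0) + msg.amount
        return "minted"


def forged_return(dvns: Set[str], required: int, check_outstanding: bool = True,
                  window_cap: int = 10_000 * ETH) -> Tuple[str, int]:
    """Constructed replay of the incident's shape: only 5,000 tokens were ever
    bridged to the source chain, yet a message claims 116,500 were burned there
    and only one (compromised) verifier vouches for it."""
    r = BridgeReceiver(dvns=dvns, required=required, window_cap=window_cap,
                       check_outstanding=check_outstanding)
    r.balances["alice"] = 5_000 * ETH
    r.send_out("unichain", "alice", 5_000 * ETH)
    forged = Message("unichain", 0, "attacker", 116_500 * ETH)
    attestations = {"dvn_compromised": forged.digest()}
    return r.receive(forged, attestations), r.balances.get("attacker", 0)


def honest_round_trip() -> Tuple[str, str, int, int]:
    """Legitimate 2-of-3 flow, then the same message replayed."""
    r = BridgeReceiver(dvns={"dvn_a", "dvn_b", "dvn_c"}, required=2,
                       window_cap=10_000 * ETH)
    r.balances["alice"] = 5_000 * ETH
    r.send_out("unichain", "alice", 5_000 * ETH)
    back = Message("unichain", 0, "alice", 3_000 * ETH)
    att = {"dvn_a": back.digest(), "dvn_b": back.digest()}
    first, replay = r.receive(back, att), r.receive(back, att)
    return first, replay, r.balances["alice"], r.outstanding["unichain"]


if __name__ == "__main__":
    # Single trusted DVN, amounts taken on faith: the forged mint goes through.
    print(forged_return({"dvn_compromised"}, 1, check_outstanding=False,
                        window_cap=10**9 * ETH))
    # Same single DVN, but the supply invariant alone stops it.
    print(forged_return({"dvn_compromised"}, 1))
    # 2-of-3 quorum: the lone compromised attestation is not enough.
    print(forged_return({"dvn_compromised", "dvn_b", "dvn_c"}, 2))
    print(honest_round_trip())
```

Run directly, the first scenario (one trusted DVN, no amount check) mints the 116,500; the same single DVN with the supply invariant enabled is rejected, and so is the 2-of-3 configuration, while the honest round trip mints once and refuses the replay. In a lock-and-release design the escrowed balance plays the role of `outstanding`; in either case the point is that the receiving contract holds the bridge to an invariant it can check locally instead of trusting the message transport for the amount.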

LayerZero's problem is not single versus multiple nodes, but the weaknesses throughout its DVN service that allowed it to be compromised.

Both sides are pushing the single-DVN question back and forth to reduce their share of responsibility for the attack.

Naturally, AAVE is also unwilling to be the first to initiate a compensation proposal, as it cannot define its own share of responsibility.

On a centralized platform there is no dispute: the centralized operator bears the compensation.

In the "code is law" world of DeFi, however, no one is positioned to allocate responsibility among the three projects, nor can anyone do so cleanly...

The time it takes the three projects to settle their shares of responsibility and initiate compensation may well be longer than the contagion itself lasted.

The ideal outcome would be to recover the stolen funds and return them to affected users, but the odds of that are extremely low.

What is even more worrying is that the three projects remain stuck on allocating responsibility and drag things out for a long time without compensating users. That is what Bee Brother fears most: three monks have no water to drink.