Curve Finance founder Michael Egorov is pressing the decentralized finance sector to adopt shared security standards, arguing that a lack of coordinated defenses is allowing preventable exploits to cascade across multiple platforms.
His comments come days after an April 18 attack on the KelpDAO LayerZero bridge enabled an attacker to mint 116,500 unbacked rsETH and inject it into Aave, putting the lending protocol at risk of up to $230.1 million in bad debt.
Aave and rsETH breach highlights systemic weakness
According to Egorov, the KelpDAO incident is a textbook example of the vulnerabilities he is warning about.
The attacker exploited a single point of failure in the bridge’s verification setup, not in Aave’s own smart contracts. The fake rsETH was then deposited on Aave as collateral, forcing Aave’s Guardian to freeze rsETH markets across all deployments to contain potential losses. New deposits and borrowing against rsETH were halted.
Risk estimates suggest Aave could face between $123.7 million and $230.1 million in bad debt exposure from the incident.
Egorov argued this illustrates how a compromised external asset can threaten otherwise robust protocols that integrate it, turning asset-level risk into systemic risk across the DeFi stack.
Rising 2026 losses and a shift in attack vectors
The KelpDAO exploit is part of a broader surge in DeFi attacks this year. By mid‑April 2026, total industry losses from hacks and exploits had already surpassed $750 million.
Two April events account for a large share of that amount:
- the KelpDAO rsETH bridge exploit tied to Aave’s potential bad debt
- a $285 million social engineering attack on Drift Protocol
These followed first‑quarter 2026 data showing more than $168.6 million in losses across 34 protocols, signaling a persistent pattern of successful attacks before the recent large‑scale breaches.
Egorov and other security analysts note a tactical shift by attackers. Instead of primarily hunting for flaws in core smart contracts, they are increasingly:
- targeting cross‑chain bridges and other shared infrastructure
- compromising private keys and operational controls
This trend is forcing the market to reassess how it prices and manages risk, with growing recognition that the overall safety of a platform is only as strong as the weakest asset it accepts as collateral.
Call for shared standards and coordinated security
Egorov urged DeFi builders to move toward universal security standards to reduce centralized failure points embedded in supposedly decentralized systems.
His proposal includes:
- collaborative frameworks among protocol developers, audit firms, and risk analysis teams
- coordinated efforts via entities such as the Ethereum Foundation and Solana Foundation
- consistent rules for assessing collateral, infrastructure, and integration risks
He stressed that hidden centralization exists at critical decision points and technical layers, including bridges, oracles, compilers, and governance controls, and that these can undermine the broader ecosystem when they fail.
Lessons from Curve’s own 2023 Vyper incident
Egorov referenced Curve’s 2023 Vyper compiler vulnerability, which exposed Curve pools to liquidation risks and rippled across DeFi markets.
That episode, he said, demonstrated how a bug in shared infrastructure — in this case, a widely used compiler — can impact multiple projects simultaneously, amplifying the damage beyond any single protocol.
Redundancy and “security first” architecture
To remove single points of failure, Egorov advocates for redundancy and rigorous testing across all layers of DeFi systems. He pointed to several priorities:
- code integrity: standardized audits of core libraries, compilers, and shared tooling
- risk parameters: transparent frameworks for stress‑testing collateral and liquidation scenarios
- governance controls: clear, pre‑defined emergency processes for cross‑protocol coordination
He argued that a transparent, industry‑wide framework for stress testing, auditing, and emergency response could form the basis of a more resilient DeFi architecture.
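To make the "risk parameters" priority above concrete, and the earlier point that a compromised collateral asset turns into bad debt for the lending protocol that accepts it, here is an added stress-test model. It is not code from the article, from Curve, or from Aave: the asset name "xETH", the positions (alice, bob, carol), the prices and the risk parameters are all constructed for illustration. It shows how a fraction of unbacked supply lowers every position's health factor on its own, how combining that with a price shock produces debt that liquidations cannot recover, and a guardian-style freeze rule that fires as soon as backing is in doubt.

```python
"""
Collateral stress test for a lending pool that accepts an external
(bridged or restaked) token as collateral.  Constructed example: the
asset "xETH", the positions and all figures are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CollateralAsset:
    symbol: str
    price_usd: float              # oracle price the pool uses
    liquidation_threshold: float  # share of collateral value that may be borrowed
    liquidation_bonus: float      # discount a liquidator receives on seized collateral
    supply_units: float           # units the pool believes exist
    backed_units: float           # units actually redeemable for the underlying

    def unbacked_fraction(self) -> float:
        """Share of supply with no backing (e.g. minted through a broken bridge)."""
        if self.supply_units <= 0:
            return 0.0
        return max(0.0, 1.0 - self.backed_units / self.supply_units)

    def fair_price(self) -> float:
        """Pro-rata value per unit once unbacked supply is accounted for."""
        return self.price_usd * (1.0 - self.unbacked_fraction())


@dataclass
class Position:
    owner: str
    collateral_units: float
    debt_usd: float


def health_factor(pos: Position, asset: CollateralAsset, price: float) -> float:
    """Above 1.0 the position is safe; below 1.0 it is liquidatable."""
    if pos.debt_usd <= 0:
        return float("inf")
    return pos.collateral_units * price * asset.liquidation_threshold / pos.debt_usd


def stress_test(asset: CollateralAsset, positions: List[Position],
                price_shock: float = 0.0) -> Tuple[List[str], float]:
    """Liquidatable owners and total bad debt at the fair price after a price shock.

    Bad debt is the part of a liquidatable position's debt that a liquidator
    cannot recover from its collateral once the liquidation bonus is paid.
    """
    price = asset.fair_price() * (1.0 - price_shock)
    liquidatable, bad_debt = [], 0.0
    for pos in positions:
        if health_factor(pos, asset, price) < 1.0:
            liquidatable.append(pos.owner)
            recoverable = pos.collateral_units * price / (1.0 + asset.liquidation_bonus)
            bad_debt += max(0.0, pos.debt_usd - recoverable)
    return liquidatable, bad_debt


def worst_case_exposure(positions: List[Position]) -> float:
    """Upper bound on bad debt if the collateral asset became worthless."""
    return sum(p.debt_usd for p in positions)


def should_freeze(asset: CollateralAsset, max_unbacked: float = 0.0) -> bool:
    """Guardian-style rule: halt new deposits and borrows once backing is questionable."""
    return asset.unbacked_fraction() > max_unbacked


# Constructed sample data: three borrowers using xETH as collateral.
POSITIONS = [
    Position("alice", 100, 120_000),
    Position("bob", 200, 300_000),
    Position("carol", 5_000, 7_500_000),
]


def asset_with_backing(backed_units: float) -> CollateralAsset:
    """xETH with 10,000 units in circulation and the given number actually backed."""
    return CollateralAsset("xETH", 2_000, 0.8, 0.05,
                           supply_units=10_000, backed_units=backed_units)


if __name__ == "__main__":
    scenarios = [
        ("fully backed, no shock", asset_with_backing(10_000), 0.0),
        ("10% unbacked, no shock", asset_with_backing(9_000), 0.0),
        ("10% unbacked, -20% price", asset_with_backing(9_000), 0.2),
    ]
    for label, asset, shock in scenarios:
        liq, bad = stress_test(asset, POSITIONS, shock)
        print(f"{label}: freeze={should_freeze(asset)} "
              f"liquidatable={liq} bad_debt=${bad:,.0f}")
    print(f"worst case if xETH goes to zero: ${worst_case_exposure(POSITIONS):,.0f}")
```

Run as a script, the first scenario reports no liquidations; the second shows that a 10% backing gap alone pushes the two highly levered positions below a health factor of 1.0 while the liquidation bonus still covers their debt; the third shows bad debt appearing once a 20% price move is layered on top. The pro-rata fair-price assumption is deliberately simple: a real review would also model which holders actually hold the unbacked units and how the oracle reacts.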
Voluntary standards over hard enforcement
Egorov acknowledged that strict mandatory rules may conflict with DeFi’s open and permissionless design. Instead, he suggested that “widely trusted” organizations could define best practices that protocols adopt voluntarily.
In his view, security spending should not be treated as a reactive cost following an exploit, but as an ongoing, shared responsibility necessary for the sector to scale without recurring crises.
Impact on traders and portfolio risk
The rsETH episode has underscored a key message for market participants: platform‑level security is not enough.
Traders now face mounting pressure to:
- scrutinize the design and security assumptions of each individual asset used on a platform
- pay particular attention to complex derivatives, restaked assets, and bridged tokens
- factor in the contagion risk that one compromised asset can pose across an entire portfolio
The shift underway is from a “yield first” mindset to a “security first” approach, where due diligence on asset architecture is treated as central to risk management.
Foundations move to harden ecosystems
Egorov’s call comes as major blockchain foundations step up their own security initiatives:
- Ethereum Foundation: on April 14, 2026, it launched a $1 million subsidy program to help projects pay for comprehensive security audits. Its 2026 roadmap includes a “Harden the L1” track dedicated to long‑term base‑layer security.
- Solana Foundation: in early April 2026, it introduced STRIDE, a framework to formally evaluate, monitor, and escalate security for projects in the Solana ecosystem.
These programs indicate growing recognition at the foundation level that fragmented, protocol‑by‑protocol defenses are no longer sufficient in an environment where shared infrastructure and integrated assets can turn isolated flaws into ecosystem‑wide shocks.
For a deeper dive into protecting your assets from DeFi exploits, explore Toobit’s security guide here today.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

