CM | April 19, 2026 02:49
This rsETH security incident mainly boils down to a lack of risk awareness. LayerZero's design allows each application to independently configure the number and threshold of DVNs, and KelpDAO chose a 1/1 DVN setup. In other words, a single validator confirmation is enough to pass cross-chain messages, which makes this single-signature setup very insecure.
But why does L0 even support this configuration by default? I feel like that's also an issue. The most directly impacted right now are lending protocols.
Aave is the most affected, with KelpDAO's direct losses estimated at around $290 million. The attacker used unbacked rsETH as collateral, deposited it into Aave, and borrowed a large amount of real ETH. This impact needs to be recalculated and analyzed. Aave will likely need to activate Umbrella backup funds and protocol reserves to cover the losses.
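As an added illustration (not part of the original post, and not LayerZero or KelpDAO code), this sketch models a verifier policy of the kind the post describes and computes how many distinct operators would have to be compromised before a forged cross-chain message is accepted. The policy shape (required verifiers plus a threshold of optional ones), the verifier and operator names, and the `floor` parameter are assumptions made for the example.

```python
from itertools import combinations

def min_operators_to_forge(required, optional, optional_threshold):
    """Smallest number of distinct operators whose compromise satisfies
    the policy for a forged message.

    required / optional: dict of verifier name -> operator name.
    Modelled policy (an assumption): every required verifier must attest,
    plus at least optional_threshold of the optional verifiers.
    """
    if optional_threshold > len(optional):
        raise ValueError("threshold exceeds number of optional verifiers")
    base = set(required.values())  # every required verifier must be forged
    best = None
    # Try each way of meeting the optional threshold; keep the cheapest.
    for picked in combinations(optional, optional_threshold):
        operators = base | {optional[v] for v in picked}
        if best is None or len(operators) < best:
            best = len(operators)
    return best

def audit(name, required, optional=None, optional_threshold=0, floor=2):
    """Flag a config when fewer than `floor` operators can forge a message."""
    n = min_operators_to_forge(required, optional or {}, optional_threshold)
    return {"config": name, "min_operators_to_forge": n,
            "single_point_of_failure": n < floor}

# Constructed sample configurations (names are illustrative only).
SAMPLES = [
    ("1/1", {"dvn-a": "op-a"}, {}, 0),
    # Two verifiers run by one operator are still one point of failure.
    ("2/2 same operator", {"dvn-a": "op-a", "dvn-b": "op-a"}, {}, 0),
    ("1 required + 2-of-3 optional", {"dvn-a": "op-a"},
     {"dvn-b": "op-b", "dvn-c": "op-c", "dvn-d": "op-b"}, 2),
]

if __name__ == "__main__":
    for name, req, opt, thr in SAMPLES:
        print(audit(name, req, opt, thr))
```

Counting operators rather than verifiers matters: a nominal 2/2 setup collapses to a single point of failure when both verifiers share an operator.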