By: Nancy, PANews
The aftermath of the Kelp DAO attack has seen significant progress in recovery efforts, with leading protocols stepping in to inject capital and expedite on-chain repairs. However, while financial gaps are being swiftly addressed, the more formidable challenge remains: rebuilding market trust. This pivotal event has triggered a dramatic realignment within the cross-chain ecosystem, profoundly impacting key players.
LayerZero, a prominent cross-chain leader caught in the eye of this storm, is experiencing an accelerated exodus of protocols. Its stance has shifted dramatically within weeks, from an initial denial of responsibility to a public apology and commitment to comprehensive reforms. Conversely, Chainlink has emerged as an unexpected beneficiary, with its Cross-Chain Interoperability Protocol (CCIP) absorbing substantial migrating liquidity and demonstrating remarkable growth in on-chain activity.
Chainlink’s Ascendance: A $3 Billion Security Dividend
Dubbed one of the largest DeFi security incidents of 2026 (Editor’s note: This date appears to be a typo in the original article, likely referring to a recent major event), the Kelp DAO attack has acted as a catalyst, accelerating the migration of on-chain liquidity across the decentralized finance landscape.
As the security concerns surrounding LayerZero continue to intensify, a growing number of DeFi protocols are re-evaluating their cross-chain risk exposure and actively seeking more robust and reliable alternatives. Over the past week, Chainlink has announced a series of high-profile migrations.
On May 9th, Chainlink officially disclosed that four major protocols—Kelp DAO, Solv Protocol, Re, and Tydro—have recently transitioned from their previous cross-chain bridge or oracle solutions to Chainlink CCIP. These migrations collectively represent a staggering Total Value Locked (TVL) exceeding $3 billion. Chainlink even strategically framed this shift as “The Great Migration,” underscoring the competitive intensity of the current market landscape.
This wave of migration fundamentally represents a strategic realignment driven by an uncompromising focus on security.
Beyond DeFi protocols seeking safer harbors, Chainlink has also garnered increasing interest from traditional financial institutions and burgeoning crypto projects in recent months.
- In March, Coinbase integrated its exchange market data directly on-chain for the first time, leveraging Chainlink’s innovative DataLink service. Concurrently, Amundi, Europe’s largest asset manager, partnered with Spiko to launch a tokenized public fund powered by Chainlink.
- April saw OpenAssets forge a strategic partnership with Chainlink to develop institutional asset tokenization infrastructure. Switzerland’s SIX Group, a major European stock exchange operator, collaborated with Chainlink to bring Swiss and Spanish stock market data onto the blockchain. Furthermore, AWS Marketplace listed Chainlink data services, bridging the gap between traditional cloud infrastructure and decentralized networks.
- In May, the U.S. Depository Trust & Clearing Corporation (DTCC) announced its adoption of Chainlink to construct a blockchain-based collateral management platform, aiming for 24/7 near real-time settlement. Separately, Huma Finance partnered with Chainlink to introduce institutional-grade yield products into the multi-chain ecosystem.
This continuous expansion of its ecosystem has naturally led to a significant surge in Chainlink’s on-chain activity. According to Santiment’s monitoring, Chainlink’s unique active addresses on May 9th and 10th soared past 282,000 and 264,000 respectively, marking its highest recorded figures since September 2025 (Editor’s note: This date also appears to be a typo in the original article, likely referring to a recent peak). This surge is primarily attributed to the recent large-scale infrastructure migrations by DeFi protocols.
Chainlink’s official data further indicates that the total value of its cross-chain tokens has now surpassed an impressive $61.8 billion, with CCIP alone accounting for $19.5 billion in transaction volume.
Market confidence is also clearly reflected in the dynamics of LINK token holdings. Santiment’s monitoring earlier this month revealed that Chainlink “whales” and “sharks”—addresses holding between 100,000 and 10 million LINK—collectively accumulated an additional 32.93 million LINK over the past month. Historically, such accumulation patterns often signal a strong bullish outlook. Indeed, LINK has seen an approximately 19.7% increase over the last 30 days.
LayerZero’s Trust Crisis: Apology and Remediation Under Pressure
LayerZero currently finds itself at the epicenter of a profound trust crisis, a situation exacerbated by recent events.
DefiLlama data paints a clear picture: LayerZero’s weekly bridge transaction volume has plummeted to approximately $470 million, approaching historic lows. The Kelp DAO attack has undeniably triggered a significant erosion of confidence in the protocol.
In the immediate aftermath of the hack, Kelp DAO initially attributed the vulnerability to LayerZero’s security infrastructure. LayerZero, however, swiftly refuted these claims, asserting that Kelp DAO’s accusations regarding the rsETH security incident were entirely unfounded.
This initial denial did little to quell the brewing controversy. The situation escalated last week when Bryan Pellegrino, co-founder and CEO of LayerZero Labs, engaged in a heated public debate with several security researchers within the ETHSecurity Community Telegram group.
At the heart of the dispute was the revelation that LayerZero Labs possessed the capability to immediately upgrade its default library contracts without a timelock. This theoretical ability to forge cross-chain messages had, for a period, exposed over $3 billion in LZ OFT assets to potential risk. Security researcher Banteg highlighted that several prominent projects, including Ethena and EtherFi, were still utilizing this default library weeks prior, leaving approximately $178 million in assets currently exposed.
Further compounding community concerns about key security, on-chain data also indicated that LayerZero’s multi-sig signer address had engaged in activities unrelated to its multi-sig responsibilities, such as Meme coin transactions, DEX swaps, and cross-chain bridging. Bryan acknowledged these operations were indeed performed by multi-sig team members but denied they constituted “Meme coin speculative trading,” clarifying that their purpose was merely to “test PEPE OFT functionality.” He confirmed that the involved members have since been removed.
To mitigate these identified risks, Bryan publicly urged project teams to transition from default configurations to “fixed configurations” as soon as possible. Following this, Banteg released a list of LayerZero projects still relying on the default library contract, calling for their urgent migration.
These revelations quickly ignited widespread industry discussion and criticism. Zach Rynes, Chainlink’s Head of Strategy, publicly critiqued LayerZero Labs, citing long-standing and severe OPSEC (operational security) failures within their multi-sig key management, which directly jeopardized billions of dollars in OFT asset security. Rynes further asserted that such attacks could have been entirely preventable had LayerZero and the broader industry genuinely heeded the persistent warnings issued by security researchers over the past few years.
Confronted with mounting public scrutiny and a continuous outflow of ecosystem participants, LayerZero’s stance underwent a significant transformation. On May 9th, LayerZero officially released a public apology statement, addressing the security incident and communication shortcomings of the preceding three weeks.
LayerZero Labs acknowledged that its internal RPC had been targeted by the Lazarus Group over the past three weeks, compromising the integrity of its Decentralized Verifier Network (DVN) source. Additionally, external RPC providers experienced DDoS attacks. The protocol emphasized that this incident impacted only 0.14% of applications and approximately 0.36% of asset value, affirming that the LayerZero protocol itself remained unaffected, with over $9 billion in assets continuing to flow normally across chains post-incident.
Crucially, LayerZero Labs for the first time admitted responsibility for management oversight, acknowledging the single point of failure risk inherent in previously allowing DVN to secure high-value transactions with a “1/1” single-node configuration. The official statement also disclosed a past incident, three and a half years ago, where a multi-sig signer misused a multi-sig hardware wallet for personal transactions; this signer has since been removed, and the associated wallet rotated.
In response to these challenges, LayerZero Labs has unveiled a comprehensive suite of security upgrade measures:
- They have ceased providing services for 1/1 DVN configurations.
- All path default configurations are being migrated to 5/5 multi-signature schemes, with a mandated minimum of 3/3.
- A second Rust-based DVN client has been developed to enhance client diversity.
- A dedicated multi-sig tool, OneSig, has been launched to further bolster security.
Furthermore, LayerZero has committed over 10,000 ETH to the DeFi United rescue operation, with 5,000 ETH allocated to a dedicated fund and the remaining 5,000 ETH reserved for Aave.
Despite the escalating controversies, LayerZero has not entirely lost its foothold in the market. Key assets such as Ethena’s USDe product, EtherFi’s weETH assets, and BitGo’s WBTC continue to utilize LayerZero’s OFT standard, indicating a persistent, albeit challenged, market presence.
The Evolving Landscape: Security as the Ultimate Differentiator
Every significant security crisis inevitably leads to a redistribution of liquidity and influence within the crypto ecosystem. As the industry continues its trajectory towards integration with mainstream financial markets, the evaluation standards for underlying infrastructure will become increasingly stringent. In this evolving landscape, robust security capabilities are rapidly solidifying their position as one of the most critical core competencies and a decisive competitive advantage.
(The above content is an authorized excerpt and reprint from our partner PANews. Original link)
Disclaimer: This article provides market information only. All content and views are for reference only and do not constitute investment advice, nor do they represent the views and positions of BlockTempo. Investors should make their own decisions and trades. The author and BlockTempo will not be liable for any direct or indirect losses incurred by investors’ transactions.
