Author: Nancy, PANews

With several leading protocols providing financial support to quickly fill the funding gap and advance on-chain repairs, the rescue efforts following the Kelp DAO attack have recently made substantial progress. However, compared to restoring funding, rebuilding market trust remains far more difficult.

LayerZero, the leading cross-chain platform at the center of this storm, is facing accelerated withdrawal of many protocols and has been forced to drastically change its attitude in just a few weeks, from initially shifting blame to now issuing a public apology and initiating rectification. Chainlink, on the other hand, has unexpectedly become a beneficiary of this crisis, with its CCIP protocol absorbing a large amount of migrated liquidity and showing a significant increase in on-chain data.

Chainlink reaps the security benefits of $3 billion in migrations in a single week.

As the biggest DeFi security incident so far in 2026, the Kelp DAO attack has accelerated the migration of on-chain liquidity.

As the security controversy surrounding LayerZero continues to escalate, more and more DeFi protocols are beginning to reassess cross-chain risks and proactively seek more reliable safe havens. In the past week, Chainlink has announced a number of migration cases.

On May 9th, Chainlink officially announced that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their original cross-chain bridge or oracle solutions and migrated to Chainlink CCIP. The total TVL of these protocols exceeds $3 billion. The official announcement even included the phrase "The Great Migration," effectively generating buzz for this ecosystem shift.

Behind this migration wave lies a realignment over security.

Besides DeFi protocols that have re-aligned themselves due to security concerns, Chainlink has also been gaining favor from traditional financial institutions and crypto projects in recent months.

In March of this year, Coinbase, through Chainlink's newly launched DataLink service, for the first time put its exchange market data directly on the blockchain; Amundi, Europe's largest asset management firm, partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets and Chainlink reached a strategic partnership to launch an asset tokenization infrastructure solution for institutions; SIX Group, a major European stock exchange operator, joined hands with Chainlink to promote the on-chaining of stock market data in Switzerland and Spain; and AWS Marketplace launched Chainlink data services, connecting traditional cloud and blockchain.

In May, the U.S. Depository Trust & Clearing Corporation (DTCC) announced the introduction of Chainlink to build a blockchain collateral management platform, aiming to achieve near real-time settlement around the clock; Huma Finance partnered with Chainlink to introduce institutional-grade yield products into the multi-chain ecosystem.

As the ecosystem continues to expand, on-chain activity on Chainlink has also increased significantly. According to Santiment monitoring, the number of unique active addresses on Chainlink exceeded 282,000 and 264,000 on May 9th and 10th respectively, setting a record high since September 2025. Santiment pointed out that this was mainly due to the recent large-scale migration of infrastructure by DeFi protocols.

Meanwhile, Chainlink's official data shows that the total value of its cross-chain tokens has exceeded $61.8 billion, of which CCIP trading volume has reached $19.5 billion.

Market confidence is also reflected in changes in LINK token holdings. According to Santiment's monitoring earlier this month, Chainlink whale and shark addresses holding between 100,000 and 10 million LINK tokens have cumulatively increased their holdings by 32.93 million LINK tokens in the past month. Historically, this is usually a strong bullish signal. In the past 30 days, LINK has risen by approximately 19.7%.

LayerZero faces a crisis of trust; the company has issued an urgent apology and is making rectifications.

Currently, LayerZero is facing a crisis of trust.

According to DefiLlama data, LayerZero's Bridge trading volume this week has fallen to approximately $470 million, nearing its historical low. This attack has plunged LayerZero into a crisis of confidence.

In the initial stages of the hacking incident, Kelp DAO attributed the vulnerability to security issues with LayerZero. LayerZero subsequently denied responsibility, stating that Kelp DAO's numerous accusations regarding the rsETH security incident were completely unfounded.

But the controversy did not subside. Last week, Bryan Pellegrino, co-founder and CEO of LayerZero Labs, had a heated debate with several security researchers in the ETHSecurity Community Telegram group.

The crux of the controversy lies in LayerZero Labs' ability to instantly upgrade the default library contract without time locks, theoretically enabling the forgery of cross-chain messages. This has exposed over $3 billion in LZ OFT assets to potential risks over the past period. Security researcher Banteg points out that some mainstream projects, including Ethena and EtherFi, were still using this default library weeks ago, and approximately $178 million in assets remain exposed to risk.

Meanwhile, on-chain data also revealed that the LayerZero multisignature address had been involved in operations unrelated to multisignature responsibilities, such as Meme coin transactions, DEX swaps, and cross-chain bridging, further raising community concerns about key security. In response, Bryan acknowledged that these operations were indeed performed by members of the multisignature team, but denied that they constituted "Meme coin speculative trading," stating that their purpose was merely to "test the PEPE OFT functionality," and indicated that the relevant members had been removed.

To mitigate risks, Bryan publicly advised projects to adopt "fixed configurations" instead of default configurations as soon as possible. Subsequently, Banteg also released a list of LayerZero projects still using default library contracts and called for the relevant protocols to migrate as soon as possible.

These remarks quickly sparked discussion and skepticism within the industry. Zach Rynes, Chainlink's head of strategy, criticized LayerZero Labs, stating that its multisignature keys had long suffered from serious OPSEC (Operational Security Principles) flaws, directly exposing billions of dollars in OFT assets to security risks. He further stated that such attacks could have been completely avoided if LayerZero and the industry had truly heeded the warnings repeatedly issued by security researchers over the past few years.

Faced with continued market backlash and ecosystem damage, LayerZero's attitude has clearly shifted. On May 9th, LayerZero officially issued a public apology statement, responding to the security incidents and communication problems that occurred over the past three weeks.

LayerZero Labs stated that its internal RPC was attacked by the Lazarus Group over the past three weeks, resulting in the loss of the true source of its DVN (Decentralized Validation Network), while its external RPC provider suffered a DDoS attack. The incident only affected 0.14% of applications and approximately 0.36% of asset value; the LayerZero protocol itself was unaffected, and over $9 billion in assets continued to flow normally across blockchains after the incident.

However, LayerZero Labs also admitted for the first time that allowing DVN to provide security for high-value transactions with a "1/1" single-node configuration posed a single point of failure risk, and that it bore responsibility for oversight in this matter. The company also disclosed that three and a half years ago, a multi-signature signer mistakenly used a multi-signature hardware wallet for personal transactions; this signer has been removed, and the relevant wallet has been rotated.

In response to the subsequent rectification, LayerZero Labs announced a series of security upgrades, including ceasing to provide services for 1/1 DVN configurations and migrating all default path configurations to 5/5 multisignature, with a minimum of 3/3; developing a second DVN client based on Rust to achieve client diversity; launching a dedicated multisignature tool, OneSig, to improve signature security; and launching a unified management platform, Console, for asset issuance configuration and abnormal behavior detection.

In addition, LayerZero also contributed over 10,000 ETH to the DeFi United rescue effort, of which 5,000 ETH will be used for the fund and the remaining 5,000 ETH will be reserved for Aave.

Despite the escalating controversy, LayerZero has not completely lost its market share. Major assets, including Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC, continue to use LayerZero's OFT standard.

Every major security crisis is a redistribution of liquidity and power. As the crypto industry gradually moves into the mainstream financial market, the market's evaluation criteria for underlying infrastructure will become increasingly stringent, and security capabilities are becoming one of the core competitive advantages.

SlowMist: node-ipc has been compromised again, with three malicious versions carrying credentials to steal the load.

Popular Articles