3 Billion DeFi Capital Migration: LayerZero Stumbles, Chainlink Gains

Original article by: Nancy, PANews

As several leading protocols stepped in to provide liquidity, quickly filling the funding gap and advancing on-chain remediation, the rescue operation following the Kelp DAO attack has recently seen substantial progress. However, compared to financial recovery, restoring market trust remains the more difficult challenge.

LayerZero, the cross-chain leader at the epicenter of this storm, is facing an accelerated exodus of protocols. It has also been forced to dramatically shift its stance within just a few weeks—from initially shifting blame to now issuing a public apology and initiating corrective measures. Conversely, Chainlink has unexpectedly emerged as a beneficiary of this crisis, with its CCIP protocol absorbing a significant influx of migrated liquidity, evidenced by a notable increase in on-chain data.

Securing $3 Billion in Migrations in a Single Week, Chainlink Capitalizes on Security Concerns

As the largest DeFi security incident to date in 2026, the Kelp DAO attack is accelerating the migration of on-chain liquidity.

As the controversy surrounding LayerZero's security continues to escalate, an increasing number of DeFi protocols are reassessing cross-chain risks and actively seeking more reliable safe havens. Over the past week, Chainlink has announced several migration cases in rapid succession.

On May 9th, Chainlink officially disclosed that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their original cross-chain bridge or oracle solutions and migrated to Chainlink CCIP. The combined Total Value Locked (TVL) of these related protocols exceeds $30 billion. Chainlink even used the phrase "The Great Migration" to promote this ecosystem shift, underscoring the competitive tension.

Behind this wave of migration is a realignment driven by security considerations.

Beyond DeFi protocols re-evaluating their positions due to security concerns, Chainlink has also been consistently gaining favor from traditional financial institutions and crypto projects in recent months.

In March of this year, Coinbase used Chainlink's newly launched DataLink service to bring its exchange market data directly on-chain for the first time. Amundi, Europe's largest asset manager, partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets entered a strategic partnership with Chainlink to offer asset tokenization infrastructure solutions for institutions. SIX Group, a major European stock exchange operator, collaborated with Chainlink to bring Swiss and Spanish stock market data on-chain. AWS Marketplace listed Chainlink data services, connecting traditional cloud infrastructure with blockchain.

In May, the Depository Trust & Clearing Corporation (DTCC) announced the integration of Chainlink to build a blockchain-based collateral management platform, aiming for near-real-time, 24/7 settlement. Huma Finance partnered with Chainlink to introduce institutional-grade yield products to a multi-chain ecosystem.

Alongside this expanding ecosystem, on-chain activity for Chainlink has also heated up significantly. According to Santiment, Chainlink's unique active addresses surpassed 282,000 and 264,000 on May 9th and 10th, respectively, marking the highest levels since September 2025. Santiment attributes this surge primarily to the recent large-scale migration of DeFi protocol infrastructure.

Meanwhile, Chainlink's official data shows that the total value of cross-chain tokens secured by its network has exceeded $61.8 billion, with CCIP transaction volume reaching $19.5 billion.

Market confidence is also reflected in the changes in LINK token holdings. According to Santiment data from earlier this month, over the past 30 days, Chainlink whale and shark addresses holding between 100,000 and 10 million LINK accumulated an additional 32.93 million LINK. Historically, this is often a strong bullish signal. Over the past 30 days, LINK has appreciated by approximately 19.7%.

LayerZero Faces a Crisis of Confidence, Official Issues Urgent Apology and Undertakes Corrective Measures

Currently, LayerZero is in the midst of a crisis of confidence.

According to DefiLlama data, LayerZero's weekly Bridge transaction volume has dropped to approximately $470 million, nearing historical lows. This attack has plunged LayerZero into a trust crisis.

In the early stages of the hack incident, Kelp DAO attributed the vulnerability exploit to LayerZero's security flaws. LayerZero quickly denied responsibility, stating that Kelp DAO's multiple allegations regarding the rsETH security incident were completely unfounded.

However, the controversy did not subside. Last week, Bryan Pellegrino, co-founder and CEO of LayerZero Labs, engaged in a heated debate with several security researchers in the ETHSecurity Community Telegram group.

The core of the dispute centers on the fact that LayerZero Labs could instantly upgrade the default library contracts (which lack timelocks), theoretically allowing the forgery of cross-chain messages. This exposed over $30 billion worth of LZ OFT assets to potential risk for a period. Security researcher Banteg pointed out that major projects like Ethena and EtherFi were still using this default library just weeks ago, and approximately $178 million in assets remain exposed to risk.

Concurrently, on-chain data also revealed that addresses holding the LayerZero multisig keys had engaged in activities unrelated to their multisig duties, such as Meme coin trading, DEX swaps, and cross-chain bridging. This further raised community concerns about key security. In response, Bryan acknowledged that these actions were indeed performed by members of the multisig team but denied they constituted "Meme coin speculation," stating the purpose was merely "testing the PEPE OFT functionality." He added that the involved members have since been removed.

To mitigate risk, Bryan also publicly advised projects to urgently adopt "fixed configurations" instead of relying on default configurations. Subsequently, Banteg published a list of LayerZero projects still using the default library contract and called for relevant protocols to migrate as soon as possible.

These remarks quickly triggered discussions and skepticism within the industry. Chainlink's Head of Strategy, Zach Rynes, criticized LayerZero Labs in a post, stating that its multisig keys have long suffered from severe OPSEC (Operations Security) failures, directly exposing billions of dollars in OFT asset security. He further argued that if LayerZero and the industry had genuinely heeded the continuous warnings from security researchers over the past few years, such an attack could have been entirely prevented.

Faced with mounting public opinion and a continuous drain on its ecosystem, LayerZero's stance underwent a clear shift. On May 9th, LayerZero's official account issued a public apology statement, addressing the security incident of the past three weeks and related communication issues.

LayerZero Labs stated that its internal RPC had been attacked by the Lazarus Group over the past three weeks, compromising the integrity of the source for its DVN (Decentralized Verification Network), while external RPC providers also suffered DDoS attacks. The event affected only 0.14% of applications and approximately 0.36% of asset value, with the LayerZero protocol itself remaining unaffected. Over $90 billion in assets continued to flow normally across chains following the incident.

However, LayerZero Labs also acknowledged for the first time that it had previously allowed DVNs operating in a "1/1" single-node configuration to provide security for high-value transactions, creating a single point of failure risk, for which it bears managerial oversight responsibility. The official disclosure also mentioned that, three and a half years ago, a multisig signer had mistakenly used the multisig hardware wallet for personal transactions. This signer has since been removed, and the relevant wallets have been rotated.

Regarding subsequent corrective actions, LayerZero Labs announced a series of security upgrade measures. These include ceasing to support 1/1 DVN configurations and migrating all path default configurations to 5/5 multisig, with a minimum of 3/3. They are developing a second DVN client based on Rust to achieve client diversity. A dedicated multisig tool called OneSig is being launched to enhance signature security. Furthermore, a unified management platform called Console has been launched for asset issuance configuration and anomaly detection.

Additionally, LayerZero contributed over 10,000 ETH to the DeFi United bailout initiative, with 5,000 ETH dedicated to a fund and the remaining 5,000 ETH reserved for Aave.

Despite the escalating controversy, LayerZero has not entirely lost market ground. Major assets like Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC continue to use LayerZero's OFT standard.

Every major security crisis results in a redistribution of liquidity and influence. As the crypto industry increasingly moves toward mainstream financial markets, the criteria for evaluating underlying infrastructure will become increasingly stringent, with security capabilities emerging as a core competitive advantage.