30 Billion DeFi Capital Exodus: LayerZero Stumbles, Chainlink Feasts

Original author: Nancy, PANews

As several leading protocols stepped in to provide funding, rapidly closing the capital gap and advancing on-chain remediation, the rescue efforts for the Kelp DAO attack have recently seen substantial progress. However, compared to financial recovery, restoring market trust remains a far more difficult challenge.

LayerZero, the cross-chain leader at the center of this storm, is facing an accelerated exodus of protocols and has been forced to make a sharp U-turn in its stance within just a few weeks, shifting from initial finger-pointing and blame-shifting to a public apology and the initiation of corrective measures. In contrast, Chainlink has unexpectedly emerged as a beneficiary of this crisis, with its CCIP protocol absorbing a significant amount of migrated liquidity and witnessing a notable surge in on-chain data.

$3 Billion Migrated in a Single Week, Chainlink Capitalizes on Security Dividend

As the largest DeFi security incident to date in 2026, the Kelp DAO attack has accelerated the migration of on-chain liquidity.

As the controversy over LayerZero's security continues to escalate, an increasing number of DeFi protocols are reassessing cross-chain risks and actively seeking more reliable safe havens. Over the past week, Chainlink has announced multiple migration cases in quick succession.

On May 9th, Chainlink officially disclosed that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their original cross-chain bridges or oracle solutions and migrated to Chainlink CCIP. The combined Total Value Locked (TVL) of these protocols exceeds $30 billion. Chainlink even specifically used the phrase "The Great Migration" to promote this ecological shift, signaling a clear competitive stance.

Behind this wave of migration is a realignment based on security concerns.

Beyond DeFi protocols realigning due to security concerns, Chainlink has also been steadily gaining favor from traditional financial institutions and crypto projects in recent months.

In March this year, Coinbase used Chainlink's newly launched DataLink service to bring its exchange market data directly on-chain for the first time. Europe's largest asset manager, Amundi, partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets formed a strategic partnership with Chainlink to offer asset tokenization infrastructure solutions for institutions. SIX Group, the operator of a major European stock exchange, collaborated with Chainlink to bring Swiss and Spanish stock market data on-chain. Chainlink data services were also listed on AWS Marketplace, bridging traditional cloud computing with blockchain.

In May, The Depository Trust & Clearing Corporation (DTCC) announced the adoption of Chainlink to build a blockchain-based collateral management platform, aiming for 24/7 near-real-time settlement. Huma Finance partnered with Chainlink to introduce institutional-grade yield products to the multi-chain ecosystem.

Alongside this ecological expansion, Chainlink's on-chain activity has also noticeably heated up. According to Santiment monitoring, Chainlink's unique active addresses on May 9th and 10th exceeded 282,000 and 264,000 respectively, marking the highest record since September 2025. Santiment noted this was primarily driven by the large-scale migration of infrastructure by DeFi protocols recently.

Meanwhile, Chainlink official data shows that the total value of tokens bridged via its network has exceeded $61.8 billion, with CCIP transaction volume reaching $19.5 billion.

Market confidence is also reflected in the changes in LINK token holdings. According to Santiment monitoring earlier this month, Chainlink whale and shark addresses holding between 100,000 and 10 million LINK accumulated over 32.93 million LINK in the past month. Historically, this is often a strong bullish signal. Over the past 30 days, LINK has risen by approximately 19.7%.

LayerZero Faces Crisis of Confidence, Official Issues Urgent Apology and Rectification

Currently, LayerZero is mired in a crisis of trust.

According to DefiLlama data, LayerZero's weekly Bridge transaction volume has dropped to approximately $470 million, nearing historic lows. This attack incident has plunged LayerZero into a trust crisis.

In the early stages of the hack, Kelp DAO attributed the vulnerability to LayerZero's security issues. Subsequently, LayerZero quickly denied responsibility, stating that many of Kelp DAO's allegations regarding the rsETH security incident were entirely false.

However, the controversy did not subside. Last week, LayerZero Labs co-founder and CEO Bryan Pellegrino engaged in a heated debate with several security researchers in the ETHSecurity Community Telegram group.

The central point of contention was that LayerZero Labs could immediately upgrade the default library contract without a timelock, theoretically allowing the forgery of cross-chain messages. This exposed over $3 billion worth of LZ OFT assets to potential risk over the past period. Security researcher Banteg pointed out that several major projects, including Ethena and EtherFi, were still using this default library weeks ago, and approximately $178 million in assets remain at risk.

Meanwhile, on-chain data also revealed that a LayerZero multi-signature address had engaged in Meme coin trading, DEX swaps, and cross-chain bridging – operations unrelated to its multi-sig duties – further raising community concerns about key security. In response, Bryan admitted that the relevant operations were indeed performed by a member of the multi-sig team but denied they were "speculative Meme coin trading," stating the purpose was solely to "test the PEPE OFT functionality." He added that the member in question had been removed.

To mitigate risk, Bryan also publicly advised projects to urgently replace default configurations with "fixed configurations." Subsequently, Banteg published a list of LayerZero projects still using the default library contract and urged the relevant protocols to migrate as soon as possible.

These remarks quickly sparked industry discussion and criticism. Chainlink's Head of Strategy, Zach Rynes, posted criticism of LayerZero Labs, stating that its multi-signature keys had long suffered from severe OPSEC (Operational Security) failures, directly exposing billions of dollars in OFT assets to security risks. He further stated that if LayerZero and the industry had truly heeded the warnings persistently issued by security researchers over the past few years, such an attack could have been entirely avoided.

Facing market backlash and continuous ecological bleeding, LayerZero's stance underwent a significant shift. On May 9th, LayerZero officially released a public apology statement, addressing the security incidents and communication issues of the past three weeks.

LayerZero Labs stated that its internal RPC had been attacked by the Lazarus Group over the past three weeks, compromising the true source of its DVN (Decentralized Verification Network), while its external RPC provider also suffered a DDOS attack. The incident affected only 0.14% of applications and approximately 0.36% of asset value. The LayerZero protocol itself was unaffected, with over $9 billion in assets still flowing normally across chains after the event.

However, LayerZero Labs also admitted for the first time that allowing DVNs to provide security for high-value transactions with a "1/1" single-node configuration posed a single point of failure risk and acknowledged its supervisory oversight failure. The official also disclosed that three and a half years ago, a multi-signature signer had misused a multi-sig hardware wallet for personal transactions; this signer has been removed, and the relevant wallets have been rotated.

Regarding subsequent rectifications, LayerZero Labs announced a series of security upgrade measures, including ceasing service for 1/1 DVN configurations, migrating all path default configurations to 5/5 multi-sig (minimum 3/3), developing a second DVN client based on Rust for client diversity, launching a dedicated multi-sig tool called OneSig to enhance signature security, and introducing a unified management platform, Console, for asset issuance configuration and anomaly detection.

Additionally, LayerZero contributed over 10,000 ETH to the DeFi United relief operation, with 5,000 ETH allocated to a fund and the remaining 5,000 ETH reserved for Aave.

Despite the escalating controversy, LayerZero has not entirely lost the market. Major assets like Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC continue to use LayerZero's OFT standard.

Every major security crisis represents a redistribution of liquidity and influence. As the crypto industry gradually moves towards mainstream financial markets, the criteria for evaluating underlying infrastructure will become increasingly stringent, and security capabilities are emerging as a core competitive advantage.