3 tỷ USD DeFi di cư: LayerZero gục ngã, Chainlink no đủ

Original author: Nancy, PANews

As multiple leading protocols stepped in to inject capital, quickly bridging funding gaps and advancing on-chain remediation, the rescue operation following the Kelp DAO attack has recently made substantial progress. However, compared to financial recovery, restoring market trust remains a far more difficult challenge.

At the center of this storm, the cross-chain leader LayerZero is facing an accelerated exodus of protocols, and has been forced into a dramatic shift in attitude within just a few weeks – from initially deflecting blame to now publicly apologizing and initiating corrective measures. Conversely, Chainlink has unexpectedly emerged as a beneficiary of this crisis, with its CCIP protocol absorbing a substantial influx of migrated liquidity, reflected in a significant uptick in on-chain data.

$3 Billion Migrated in a Single Week: Chainlink Capitalizes on Security Dividends

As the largest DeFi security incident to date in 2026, the Kelp DAO attack has accelerated the migration of on-chain liquidity.

As the security controversy surrounding LayerZero continues to unfold, a growing number of DeFi protocols are reassessing cross-chain risks and proactively seeking more reliable safe havens. Over the past week, Chainlink has announced multiple migration cases.

On May 9, Chainlink officially disclosed that four protocols – including Kelp DAO, Solv Protocol, Re, and Tydro – have recently abandoned their original cross-chain bridges or oracle solutions, migrating to Chainlink CCIP. The combined Total Value Locked (TVL) of these protocols exceeds $30 billion. Chainlink even specifically used the phrase "The Great Migration" to promote this ecological shift, underscoring the competitive tension.

Behind this wave of migration is a realignment based on security considerations.

Beyond DeFi protocols realigning due to security concerns, Chainlink has also been steadily gaining favor from traditional financial institutions and crypto projects in recent months.

In March this year, Coinbase used Chainlink's newly launched DataLink service to put its exchange market data directly on-chain for the first time; Amundi, Europe's largest asset manager, partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets entered into a strategic partnership with Chainlink to launch an asset tokenization infrastructure solution for institutions; SIX Group, the operator of major European stock exchanges, collaborated with Chainlink to bring Swiss and Spanish stock market data on-chain; Chainlink data services went live on the AWS Marketplace, connecting traditional cloud services with blockchain.

In May, the Depository Trust & Clearing Corporation (DTCC) announced it would integrate Chainlink to build a blockchain-based collateral management platform, aiming for 24/7 near-real-time settlement; Huma Finance partnered with Chainlink to introduce institutional-grade yield products into a multi-chain ecosystem.

Alongside this expanding ecosystem, Chainlink's on-chain activity has also noticeably heated up. According to Santiment monitoring, Chainlink's unique active addresses surpassed 282,000 and 264,000 on May 9 and 10 respectively, setting a record since September 2025. Santiment noted this was primarily influenced by the recent large-scale migration of infrastructure by DeFi protocols.

Meanwhile, Chainlink's official data shows that the total value of tokens bridged across its network has exceeded $61.8 billion, with CCIP transaction volume reaching $19.5 billion.

Market confidence is also reflected in the changes in LINK token holdings. According to Santiment monitoring earlier this month, Chainlink whale and shark addresses holding between 100,000 and 10 million LINK accumulated a total of 32.93 million LINK over the past month. Historically, this is often a strong bullish signal. Over the past 30 days, LINK has risen by approximately 19.7%.

LayerZero Faces Crisis of Confidence, Issues Emergency Apology and Initiates Remediation

Currently, LayerZero is mired in a crisis of confidence.

According to DefiLlama data, LayerZero's weekly Bridge transaction volume has dropped to approximately $470 million, approaching historic lows. This attack event has thrust LayerZero into a trust crisis.

In the early stages following the hack, Kelp DAO attributed the vulnerability exploit to LayerZero's security issues. Subsequently, LayerZero quickly denied responsibility, stating that Kelp DAO's multiple allegations regarding the rsETH security incident were completely unfounded.

However, the controversy did not subside. Last week, LayerZero Labs co-founder and CEO Bryan Pellegrino engaged in a heated debate with several security researchers in the ETHSecurity Community Telegram group.

The core of the controversy was that LayerZero Labs could immediately upgrade default library contracts without a timelock, theoretically allowing them to forge cross-chain messages. This exposed over $30 billion in LZ OFT assets to potential risk over the past period. Security researcher Banteg pointed out that some major projects, including Ethena and EtherFi, were still using this default library weeks ago, and approximately $178 million in assets remain exposed.

At the same time, on-chain data also showed that some LayerZero multisig signatory addresses had engaged in Meme coin transactions, DEX swaps, and cross-chain bridging unrelated to their multisig duties, further raising community concerns about key security. In response, Bryan admitted that the related operations were carried out by multisig team members but denied they were "Meme coin speculative trading," stating the purpose was merely "testing PEPE OFT functionality." He said the relevant member has been removed.

To mitigate risk, Bryan also publicly advised project teams to adopt "fixed configurations" instead of default configurations as soon as possible. Subsequently, Banteg also released a list of LayerZero projects still using the default library contract and urged related protocols to migrate promptly.

These remarks quickly sparked industry discussion and skepticism. Chainlink's Head of Strategy, Zach Rynes, criticized LayerZero Labs in a post, stating that its multisig keys had long suffered from serious OPSEC (Operational Security) lapses, directly exposing billions of dollars in OFT asset security risks. He further stated that such an attack could have been entirely avoided if LayerZero and the industry had seriously heeded the warnings persistently raised by security researchers over the past few years.

Facing public opinion and a continuous drain on its ecosystem, LayerZero's stance has undergone a significant shift. On May 9, LayerZero officially issued a public apology, addressing the security incident and communication issues of the past three weeks.

LayerZero Labs stated that its internal RPC had been attacked by the Lazarus Group over the past three weeks, compromising the true source of its DVN (Decentralized Verification Network), and simultaneously its external RPC provider suffered a DDOS attack. This incident affected only 0.14% of applications and approximately 0.36% of asset value. The LayerZero protocol itself was unaffected, and over $90 billion in assets continued to flow normally across chains after the event.

However, LayerZero Labs also acknowledged for the first time that it had previously allowed DVNs to provide security for high-value transactions using a "1/1" single-node configuration, posing a single point of failure risk, for which it bears management oversight responsibility. The company also disclosed that, three and a half years ago, one multisig signer had mistakenly used a multisig hardware wallet for personal transactions. This signer has been removed, and the relevant wallets have been rotated.

Regarding subsequent remedial actions, LayerZero Labs announced a series of security upgrade measures, including ceasing service for 1/1 DVN configurations and migrating all path default configurations to a 5/5 multisig, with a minimum threshold of no less than 3/3; developing a second, Rust-based DVN client for client diversity; launching a dedicated multisig tool called OneSig to enhance signature security; and launching a unified management platform, Console, for asset issuance configuration and anomaly detection.

Additionally, LayerZero has contributed over 10,000 ETH in this DeFi United rescue operation, with 5,000 ETH allocated to a fund and the remaining 5,000 ETH reserved for Aave.

Despite the escalating controversy, LayerZero has not completely lost the market. Major assets, including Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC, continue to use LayerZero's OFT standard.

Every major security crisis brings a redistribution of liquidity and influence. As the crypto industry gradually moves towards mainstream financial markets, the criteria for evaluating underlying infrastructure will become increasingly stringent, and security capabilities are emerging as a core competitive advantage.