NewsFlash Articles Data Fundraising Skill&API

KelpDAO Theft Aftermath: $4 Billion in Assets Drained to LayerZero, Chainlink Emerges as Primary Beneficiary

Foresight News

Read this article in 10 Minutes

Wall Collapses and Crowd Flees? $2.92 Billion Exploit Triggers Cross-Chain Protocol Reshuffling.

Original Title: "LayerZero Cross-Chain Crisis Results in $4 Billion Asset Drain, Is Chainlink the Surprising Main 'Beneficiary'?"
Original Author: Nicky, Foresight News

Since the KelpDAO cross-chain bridge suffered a ~$2.92 billion attack in April this year, the security landscape of cross-chain infrastructure has been undergoing a fierce reshuffle. It is estimated that approximately $4 billion in assets have now completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP).

The attack occurred in the early hours of April 19, with the attacker invoking a function in the LayerZero Endpoint V2 contract, triggering the release of approximately 116,500 rsETH tokens, worth around $2.92 billion, from the KelpDAO bridging contract. The protocol's emergency pause mechanism subsequently prevented further losses of around $1 billion.

Following the attack, LayerZero released a statement stating that the attacker was preliminarily identified as a highly sophisticated nation-state actor, suspected to be the Lazarus Group's affiliate TraderTraitor from North Korea.

The core of the attack lay in contaminating the RPC nodes relied upon by LayerZero's decentralized validator network and using DDoS attacks to force system failover to the compromised nodes, allowing forged messages to pass through. The key point of contention in the event was that KelpDAO was using a 1-of-1 single-validator configuration, which was exploited and led to a single point of failure.

LayerZero acknowledged that allowing its official validator network to serve high-value transactions with a 1/1 configuration was a grave mistake and announced the cessation of setting sign messages for single validators. KelpDAO, on the other hand, pointed out that this configuration had appeared as a default setting in LayerZero's deployment code. Regardless of the allocation of responsibility, this attack exposed the vulnerability of cross-chain message verification under specific configurations.

The migration wave then began, and on May 6, the victim KelpDAO first announced its abandonment of LayerZero, fully shifting the cross-chain infrastructure of rsETH to Chainlink's CCIP, becoming the first major protocol to depart.

Two days later, the Bitcoin collateralization protocol Solv Protocol switched its total holdings exceeding $700 million of SolvBTC and xSolvBTC cross-chain infrastructure to CCIP, covering all supported chains.

On the same day, the decentralized reinsurance protocol Re also migrated the cross-chain solution of its stablecoin reUSD to CCIP, designating it as the sole cross-chain solution. The non-custodial lending protocol Tydro also made it to the first batch of migrations.

On May 14, Kraken announced the replacement of LayerZero with Chainlink CCIP as its exclusive cross-chain service for wrapped assets, including wrapped Bitcoin kBTC, covering multiple blockchains such as Ink, Ethereum, and Optimism. On the 16th, Lombard announced the deprecation of LayerZero, migrating over $1 billion worth of Bitcoin-backed assets to CCIP, adopting a burn-and-mint cross-chain token standard.

According to DefiLlama data, considering only the current total value locked of major DeFi protocols, the combined scale of these five projects has exceeded $3.4 billion, with institutional wrapped assets adding up to an estimated migration scale of around $4 billion.

In December 2025, Coinbase had already chosen CCIP as the exclusive interoperability provider for all its wrapped assets, covering assets like cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market value of approximately $7 billion at that time. In January 2024, Circle had also integrated with CCIP to support multi-chain transfers of USDC.

The market's response to this trust migration is directly reflected in the token trends.

According to CoinMarketCap data, LINK has seen a 2.73% increase in the past 30 days, trading at $9.6 with a market cap of $6.98 billion, holding the 16th position in the crypto market. In comparison, ZRO has experienced a 22.63% drop during the same period, priced at $1.34 with a market cap of $434 million, slipping to the 92nd position. LayerZero is also facing additional pressure on May 20 with the unlocking of over 25.71 million ZRO tokens, valued at around $34.45 million, accounting for 5.07% of the circulating supply.

According to Dune data, LayerZero Network has witnessed a net outflow of approximately $2.01 billion in the past 30 days.

Behind the influx of many protocols lies the significant security architecture difference between Chainlink CCIP and LayerZero. Chainlink had previously announced in April 2024 that CCIP had entered the comprehensive availability stage, supporting blockchains like Arbitrum, Base, BNB Chain, and Ethereum.

Chainlink CCIP deeply integrates a decentralized oracle network, comprised of multiple independent node operators forming an off-chain consensus layer to observe, validate, and report on cross-chain events. This is supplemented by an independent risk management network to provide additional monitoring and protection. Its token transfer mechanism includes built-in features such as rate limiting and time-lock upgrades, creating a defense-in-depth security model.

According to Dune data, the cumulative cross-chain token transfer amount of Chainlink CCIP has surpassed $2 billion. Among them, the decentralized stablecoins GHO and USDC hold the highest percentages, reaching 22.4% and 20.2% respectively, with corresponding amounts of approximately $531 million and $481 million.

In contrast, LayerZero adopts a highly modular five-layer architecture that fully separates interface, validation, and execution, allowing developers to custom-compose decentralized validation networks and configure validation thresholds. This design provides higher flexibility but requires applications to actively choose and maintain security configurations.

The KelpDAO incident highlighted fatal flaws in single-validator configurations, with protocols that had also opted for 1/1 configurations once dominating at 47%. This prompted many projects to swiftly pivot towards CCIP, which defaults to decentralized validation and offers more comprehensive security controls.

On May 9, LayerZero issued an apology, acknowledging mishandling of communication over the past three weeks, stating that a direct explanation of the situation should have been provided earlier instead of prioritizing post-mortem analysis reports.

LayerZero emphasized that the protocol itself was not compromised. It was the result of the toxic data source from an internal RPC used by LayerZero Labs DVN, coupled with external RPC providers facing DDoS attacks, which allowed Labs DVN to service high-value transactions as a 1/1-configured oracle—an egregious error. An official post-mortem analysis report will soon be released jointly with external security partners.