Every major security crisis is a redistribution of liquidity and discourse power.

Written by: Nancy, PANews

As several leading protocols provide funds to quickly fill the capital gap and advance on-chain repairs, the rescue efforts for the Kelp DAO attack incident have recently made substantial progress. However, compared to the repair of financial resources, regaining market trust remains a more challenging task.

LayerZero, a prominent cross-chain leader at the center of this vortex, is facing accelerated withdrawals from numerous protocols and has been forced to change its stance dramatically in just a few weeks, from initially shifting blame to now publicly apologizing and initiating rectification. Meanwhile, Chainlink has surprisingly benefited from this crisis, as its CCIP protocol has received a significant amount of migrating liquidity, with on-chain data showing a clear increase.

30 billion dollars migrated in a single week, Chainlink reaps safety dividends

As the largest DeFi security incident of 2026 to date, the Kelp DAO attack has accelerated the migration of on-chain liquidity.

As the security controversy surrounding LayerZero continues to escalate, more and more DeFi protocols are reevaluating cross-chain risks and actively seeking more reliable refuges. In the past week, Chainlink has announced multiple migration cases.

On May 9, Chainlink officially disclosed that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their original cross-chain bridge or oracle solutions in favor of migrating to Chainlink CCIP, with the total TVL of the related protocols exceeding 3 billion dollars. The official even added a tagline, "The Great Migration," to hype this ecological shift, adding to the tension.

This wave of migration is driven by a realignment around security.

In addition to DeFi protocols that have realigned due to security concerns, Chainlink has also been continuously gaining favor from traditional financial institutions and crypto projects in recent months.

In March, Coinbase became the first to directly bring its exchange market data on-chain through Chainlink's newly launched DataLink service; Europe’s largest asset management institution Amundi partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets reached a strategic partnership with Chainlink to launch asset tokenization infrastructure solutions for institutions; European major stock exchange operator SIX Group collaborated with Chainlink to promote the on-chain data for Swiss and Spanish stock markets; Chainlink data services were listed on AWS Marketplace, connecting traditional cloud and blockchain.

In May, the Depository Trust & Clearing Corporation (DTCC) announced the introduction of Chainlink to build a blockchain collateral management platform aimed at achieving near real-time settlement around the clock; Huma Finance partnered with Chainlink to introduce institutional-grade yield products into a multi-chain ecosystem.

As the ecosystem continues to expand, the on-chain activity of Chainlink has also significantly increased. According to Santiment monitoring, the number of unique active addresses for Chainlink broke through 282,000 and 264,000 on May 9 and 10 respectively, reaching the highest record since September 2025, which is primarily driven by the recent large-scale migration of DeFi protocols.

At the same time, Chainlink's official data shows that its cross-chain token's total value has exceeded 61.8 billion dollars, with CCIP transaction volume reaching 19.5 billion dollars.

Market confidence is also reflected in the changes in LINK token holdings. According to Santiment monitoring at the beginning of this month, in the past month, whale and shark addresses holding between 100,000 and 10 million LINK have cumulatively increased their holdings by 32.93 million LINK. Historically, this usually indicates a strong bullish signal. In the past 30 days, LINK has risen by about 19.7%.

LayerZero faces a trust crisis, official emergency apology and rectification

Currently, LayerZero is caught in a trust crisis.

According to DefiLlama data, LayerZero's current weekly Bridge transaction volume has dropped to about 470 million dollars, approaching historical lows. This attack incident has caused LayerZero to undergo a trust crisis.

At the beginning of the hacker incident, Kelp DAO had blamed this vulnerability attack on LayerZero's security issues. Subsequently, LayerZero quickly denied responsibility, claiming that Kelp DAO's multiple accusations regarding the rsETH security incident were completely unfounded.

However, the controversy did not subside as a result. Last week, Bryan Pellegrino, co-founder and CEO of LayerZero Labs, had a heated argument with several security researchers in the ETHSecurity Community Telegram group.

The focus of the controversy is that LayerZero Labs could immediately upgrade the default library contract without a time lock, theoretically allowing the forgery of cross-chain messages, which exposed over 3 billion dollars' worth of LZ OFT assets to potential risks in recent times. Security researcher Banteg pointed out that some mainstream projects, including Ethena and EtherFi, were still using this default library weeks ago, and approximately 178 million dollars' worth of assets remain at risk.

Meanwhile, on-chain data also showed that LayerZero's multi-signature address had engaged in meme coin trading, DEX swaps, and cross-chain bridging, which are unrelated to the multi-signature responsibilities, further raising community concerns over key security. In response, Bryan acknowledged that the related actions were indeed performed by multi-signature team members but denied that they were "meme coin speculative trades," asserting that the purpose was to "test the PEPE OFT functionality," and stated that the relevant members have been removed.

To mitigate risks, Bryan also publicly suggested that projects quickly adopt "fixed configurations" instead of default settings. Subsequently, Banteg released a list of LayerZero projects still using the default library contracts and called for relevant protocols to migrate as soon as possible.

This statement quickly sparked industry discussions and doubts. Chainlink's strategic director Zach Rynes criticized LayerZero Labs in a post, stating that their multi-signature key had long had serious OPSEC (operational security) failures, directly exposing the security risks of billions of dollars in OFT assets. He further mentioned that if LayerZero and the industry had truly heeded the warnings from security researchers over the past few years, such attack incidents could have been completely avoided.

In the face of market opinion and the ongoing bleeding of the ecosystem, LayerZero showed a clear change in attitude. On May 9, LayerZero officially released a public apology statement, addressing issues from the past three weeks of security incidents and communication problems.

LayerZero Labs stated that its internal RPC had been attacked by the Lazarus Group in the past three weeks, causing damage to the integrity of its DVN (Decentralized Verification Network), while an external RPC provider faced DDoS attacks. This incident only affected 0.14% of applications and approximately 0.36% of asset value, and the LayerZero protocol itself was unaffected, with over 9 billion dollars' worth of assets continuing to flow across chains normally after the incident.

However, LayerZero Labs also admitted for the first time that previously allowing DVN to provide security for high-value transactions with a "1/1" single-node configuration posed a single point of failure risk, for which they bear management oversight responsibility. The official also disclosed that three and a half years ago, a multi-signature signer had mistakenly used the multi-signature hardware wallet for personal transactions, and that signer has since been removed and the relevant wallet has been rotated.

Regarding subsequent rectification, LayerZero Labs announced a series of security upgrade measures, including ceasing to provide services for the 1/1 DVN configuration, migrating all path default configurations to a 5/5 multi-signature setup, with a minimum of no less than 3/3; developed a second DVN client based on Rust to achieve client diversity; launched a dedicated multi-signature tool OneSig to enhance signing security; and launched a unified management platform Console for asset issuance configuration and abnormal behavior detection.

In addition, LayerZero also invested more than 10,000 ETH in this DeFi United rescue operation, of which 5,000 ETH will be used for the fund and the remaining 5,000 ETH will be reserved for Aave.

Despite the escalating controversies, LayerZero has not completely lost the market. Key assets such as Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC are still continuing to use LayerZero's OFT standard.

Every major security crisis is a redistribution of liquidity and discourse power. As the crypto industry gradually moves towards mainstream financial markets, the market's standards for assessing underlying infrastructure will become increasingly stringent, and security capability is becoming one of the core competitive advantages.