Author: Nancy, PANews

With several major protocols providing support, quickly filling funding gaps and advancing on-chain repairs, the rescue efforts for the Kelp DAO attack incident have recently made substantial progress. However, compared to repairs in the financial aspect, restoring market trust remains more challenging.

At the center of this turmoil, the cross-chain leader LayerZero is facing a rapid withdrawal of several protocols and has been forced to make a sharp turnaround in attitude within just a few weeks, from initially shifting blame to now publicly apologizing and initiating rectifications. Meanwhile, Chainlink unexpectedly emerged as a beneficiary of this crisis, as its CCIP protocol accommodated a large amount of migrating liquidity, leading to a noticeable increase in on-chain data.

Receiving $3 billion in migration in a single week, Chainlink reaps safety dividends

As the largest DeFi security event of 2026 so far, the Kelp DAO attack incident has accelerated the migration of on-chain liquidity.

With the ongoing security controversies surrounding LayerZero, more and more DeFi protocols are reassessing cross-chain risks and actively seeking more reliable safe havens. In the past week, Chainlink has intensively announced several migration cases.

On May 9th, Chainlink officially disclosed that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their previous cross-chain bridge or oracle solutions in favor of migrating to Chainlink CCIP, with a total TVL exceeding $3 billion. The official even accompanied it with the phrase “The Great Migration” to hype this ecological transition, which is quite provocative.

This migration wave is rooted in a re-alignment around security.

In addition to DeFi protocols realigning due to security concerns, Chainlink has also been continuously gaining favor from traditional financial institutions and crypto projects in recent months.

In March this year, Coinbase directly linked its exchange market data on-chain for the first time through Chainlink's newly launched DataLink service; Europe's largest asset management institution, Amundi, partnered with Spiko to launch a tokenized public fund based on Chainlink.

In April, OpenAssets reached a strategic cooperation with Chainlink to launch asset tokenization infrastructure solutions for institutions; Europe's major stock exchange operator SIX Group partnered with Chainlink to bring Swiss and Spanish stock market data on-chain; the AWS Marketplace launched Chainlink data services, connecting traditional cloud and blockchain.

In May, the U.S. Depository Trust & Clearing Corporation (DTCC) announced it would adopt Chainlink to build a blockchain collateral management platform, aiming for near real-time settlement around the clock; Huma Finance partnered with Chainlink to bring institutional-grade yield products into a multi-chain ecosystem.

With the continuous expansion of the ecosystem, Chainlink's on-chain activity has also noticeably increased. According to Santiment monitoring, the number of unique active addresses for Chainlink on May 9th and 10th exceeded 282,000 and 264,000 respectively, breaking records since September 2025, and it pointed out that this was mainly influenced by the recent large-scale migration of DeFi protocol infrastructure.

At the same time, Chainlink's official data shows that the total value of its cross-chain tokens has exceeded $61.8 billion, with CCIP transaction volumes reaching $19.5 billion.

Market confidence is also reflected in the changes in LINK token holdings. According to monitoring by Santiment earlier this month, in the past month, addresses holding 100,000 to 10 million LINK tokens have accumulated an additional 32.93 million LINK. Based on historical patterns, this usually signals a strong bullish trend. In the past 30 days, LINK has risen about 19.7%.

LayerZero faces a trust crisis, official emergency apology and rectification

Currently, LayerZero is in the midst of a trust crisis.

According to data from DefiLlama, LayerZero's current weekly bridge transaction volume has dropped to about $470 million, approaching historic lows. This attack incident has led LayerZero to experience a trust crisis.

In the early stages of the hacker incident, Kelp DAO attributed the vulnerability attack to LayerZero's security issues. Subsequently, LayerZero quickly denied responsibility, stating that multiple accusations by Kelp DAO regarding the rsETH security incident were completely unfounded.

However, the controversy did not abate as a result. Last week, LayerZero Labs co-founder and CEO Bryan Pellegrino had a heated debate with several security researchers in the ETHSecurity Community Telegram group.

The point of contention centered around LayerZero Labs' ability to immediately upgrade the default library contract without a time lock, which theoretically allows for the spoofing of cross-chain messages, thus exposing over $3 billion worth of LZ OFT assets to potential risks over the past period. Security researcher Banteg pointed out that some mainstream projects, including Ethena and EtherFi, were still using this default library weeks ago, and about $178 million worth of assets remain at risk.

Meanwhile, on-chain data also shows that LayerZero's multi-signature addresses have engaged in meme coin transactions, DEX swaps, and cross-chain bridging operations, which are unrelated to multi-sig responsibilities, further raising community concerns about key security. In response, Bryan admitted that such operations were indeed carried out by multi-sig team members but denied that they constituted “speculative trades in meme coins,” claiming their purpose was merely to “test the PEPE OFT functionality” and stating that relevant members have been removed.

To mitigate risks, Bryan publicly suggested that project parties quickly adopt “fixed configurations” instead of the default configurations. Subsequently, Banteg also released a list of LayerZero projects still using the default library contract and called for relevant protocols to migrate as soon as possible.

These remarks quickly sparked industry discussions and doubts. Chainlink's strategic director Zach Rynes criticized LayerZero Labs, stating that its multi-sig keys have for a long time exhibited serious OPSEC (operational security) errors, directly exposing the safety risks of billions of dollars worth of OFT assets. He further stated that if LayerZero and the industry had genuinely heeded the warnings issued by security researchers over the past few years, such attack incidents could have been completely avoided.

In the face of market opinion and continued bleeding within the ecosystem, LayerZero's attitude has undergone a noticeable shift. On May 9th, LayerZero officially issued a public apology statement in response to the security incidents and communication issues over the past three weeks.

LayerZero Labs stated that its internal RPC had been attacked by the Lazarus Group over the past three weeks, causing damage to the true source of its DVN (Decentralized Validation Network), while external RPC providers faced DDOS attacks. This incident only affected 0.14% of applications and about 0.36% of asset value, and the LayerZero protocol itself was unaffected, with over $9 billion worth of assets still flowing across chains after the incident.

However, LayerZero Labs also admitted for the first time that allowing DVN to provide security guarantees for high-value transactions with a "1/1" single-node configuration posed a single-point failure risk, for which it bears management oversight responsibility. The official also disclosed that a multi-signature signer had mistakenly used a multi-signature hardware wallet for personal transactions three and a half years ago and that this signer has been removed, with the relevant wallet completed rotation.

Regarding subsequent rectifications, LayerZero Labs announced a series of security upgrade measures, including stopping services for the 1/1 DVN configuration and migrating all path default configurations to 5/5 multi-signature, with a minimum not lower than 3/3; developing a second DVN client based on Rust to achieve client diversity; launching a dedicated multi-signature tool, OneSig, to enhance signature security; and launching a unified management platform, Console, for asset issuance configuration and anomaly detection.

Additionally, LayerZero has invested over 10,000 ETH in this DeFi United rescue operation, with 5,000 ETH allocated for the fund and another 5,000 ETH reserved for Aave.

Despite the ongoing controversies, LayerZero has not completely lost the market. Major assets, including Ethena's USDe product, EtherFi's weETH asset, and BitGo's WBTC, continue to utilize LayerZero's OFT standard.

Each major security crisis represents a redistribution of liquidity and influence. As the crypto industry gradually moves towards the mainstream financial market, the criteria for evaluating underlying infrastructure will become increasingly stringent, with security capabilities becoming one of the core competitive advantages.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。