Since the cross-chain bridge of KelpDAO suffered an attack of approximately $292 million in April this year, the security landscape of cross-chain infrastructure has been undergoing a dramatic reshuffle. Statistics show that about $40 billion in assets have completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP).
The attack occurred in the early hours of April 19. The attacker invoked a function of the LayerZero Endpoint V2 contract, triggering the KelpDAO bridging contract to release approximately 116,500 rsETH, worth about $292 million. The protocol's emergency pause mechanism subsequently prevented further losses of around $100 million.
Following the attack, LayerZero issued a statement suggesting that the initial assessment pointed to a highly sophisticated state actor, suspected to be TraderTraitor, a subgroup of the North Korean Lazarus Group.
The core of the attack method involved poisoning the RPC nodes relied upon by the LayerZero decentralized validator network and forcing a system failover to already compromised nodes through a DDoS attack, allowing forged messages to pass through. The central point of controversy is that KelpDAO was using a 1-of-1 single validator configuration at the time, which, once exploited, led to a single point of failure.
LayerZero acknowledged that allowing its official validator network to service high-value transactions with a 1/1 configuration was a serious mistake and announced the cessation of signing messages for single validator setups. KelpDAO pointed out that this configuration had appeared as a default setting in LayerZero's deployment code. Regardless of where the responsibility lies, this attack exposed the vulnerability of cross-chain message verification under specific configurations.
A wave of migrations began shortly after. On May 6, the victim, KelpDAO, took the lead in announcing its abandonment of LayerZero, fully transitioning its rsETH cross-chain facilities to Chainlink CCIP, becoming the first major protocol to leave.
Two days later, the Bitcoin staking protocol Solv Protocol switched the cross-chain infrastructure for its SolvBTC and xSolvBTC, with a total value exceeding $700 million, to CCIP, covering all supported routes.
On the same day, the decentralized reinsurance protocol Re also migrated the cross-chain solution for its deposit token reUSD to CCIP, designating it as the sole cross-chain solution. The non-custodial lending protocol Tydro was also among the first batch to migrate.
On May 14, Kraken announced replacing LayerZero with Chainlink CCIP as the exclusive cross-chain service for its wrapped crypto assets, including wrapped Bitcoin kBTC, covering multiple blockchains such as Ink, Ethereum, and Optimism. On the 16th, Lombard announced abandoning LayerZero, migrating over $1 billion worth of Bitcoin-backed assets to CCIP, adopting a burn-and-mint cross-chain token standard.
According to DefiLlama data, if only counting the current total value locked (TVL) of the main DeFi protocols, the combined scale of these five exceeds $3.4 billion. Factoring in institutional wrapped assets, the overall migration scale reaches approximately $4 billion.
Coinbase had already chosen CCIP as the exclusive interoperability provider for all its wrapped assets as early as December 2025, covering assets like cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market capitalization of about $7 billion at that time. In January 2024, Circle had also integrated with CCIP to support multi-chain transfers of USDC.
The market's reaction to this shift in trust was directly reflected in token price movements.
According to CoinMarketCap data, LINK has risen 2.73% over the past 30 days, trading at $9.6, with a market cap of $6.98 billion, steadily holding the 16th position in the crypto market. In contrast, ZRO fell 22.63% over the same period, trading at $1.34, with a market cap of $434 million, its ranking slipping to 92nd. LayerZero also faces additional pressure from the unlocking of over 25.71 million ZRO tokens on May 20, worth approximately $34.45 million, accounting for 5.07% of the circulating supply.
According to Dune data, the LayerZero network has seen a net outflow of approximately $2.01 billion over the past 30 days.
Behind the influx of protocols lies the significant difference in security architecture between Chainlink CCIP and LayerZero. Chainlink previously announced in April 2024 that CCIP had entered general availability, supporting blockchains like Arbitrum, Base, BNB Chain, and Ethereum.
Chainlink CCIP deeply integrates with the decentralized oracle network, consisting of multiple independent node operators forming an off-chain consensus layer to observe, verify, and report cross-chain events, supplemented by an independent risk management network providing additional monitoring and protection. Its token transfer mechanism includes built-in rate limiting and timelock upgrades, forming a defense-in-depth security model.
According to Dune data, the cumulative cross-chain token transfer value for Chainlink CCIP has exceeded $2 billion. Among them, the decentralized stablecoin GHO and USDC have the highest shares, reaching 22.4% and 20.2%, respectively, corresponding to amounts of approximately $531 million and $481 million.
In contrast, LayerZero employs a highly modular five-layer architecture, completely separating interfaces, validation, and execution, allowing developers to freely combine decentralized validator networks and configure validation thresholds. This design offers high flexibility but also requires application parties to actively choose and maintain security configurations.
The KelpDAO incident cast a spotlight on the fatal flaw of the single validator configuration. Protocols that had chosen the 1/1 configuration at the time accounted for as much as 47%, prompting many projects to quickly turn to CCIP, which defaults to decentralized validation and offers more comprehensive security controls.
On May 9, LayerZero published a letter of apology, acknowledging mishandling communication over the past three weeks and stating that it should have directly explained the situation earlier rather than prioritizing the completion of a post-mortem analysis report.
LayerZero emphasized that the protocol itself was not affected; rather, the internal RPC used by the LayerZero Labs DVN was poisoned by a data source, while external RPC providers suffered DDoS attacks. It admitted that allowing the Labs DVN to service high-value transactions as a 1/1 configuration was a serious error. The official team will soon release an official post-mortem analysis report in collaboration with external security partners.
