Original title: LayerZero suffers cross-chain crisis, losing $4 billion in assets; Chainlink becomes the main "beneficiary"? Original author: Nicky, Foresight News
Since the KelpDAO cross-chain bridge suffered a $292 million attack in April this year, the security landscape of cross-chain infrastructure is undergoing a dramatic reshuffle. According to statistics, approximately $4 billion in assets have been completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP).
The attack occurred in the early morning of April 19th. The attacker invoked a function in the LayerZero Endpoint V2 contract, triggering the KelpDAO bridge contract to release approximately 116,500 rsETH, worth about $292 million. The protocol's emergency suspension mechanism subsequently prevented further losses of approximately $100 million.
Following the attack, LayerZero issued a statement saying that preliminary assessments indicate the attackers were highly sophisticated state actors, suspected to be TraderTraitor, a subsidiary of North Korea's Lazarus Group.
The core of the attack lies in polluting the RPC nodes on which the LayerZero decentralized validator network relies, and then using a DDoS attack to force a failover to the compromised nodes, allowing forged messages to pass through. The central point of contention is that KelpDAO used a 1-of-1 single validator configuration at the time, which, when exploited, created a single point of failure.
LayerZero acknowledged that allowing its official validator network to serve high-value transactions in a 1/1 configuration was a serious mistake and announced it would stop setting up signed messages for single validators. KelpDAO, however, pointed out that this configuration had appeared as the default setting in LayerZero's deployment code. Regardless of who is responsible, this attack exposed the vulnerability of cross-chain message verification under certain configurations.
The migration wave then began. On May 6, KelpDAO, the victim, took the lead in announcing its abandonment of LayerZero and its complete migration of rsETH's cross-chain facilities to Chainlink CCIP, becoming the first major protocol to leave.
Two days later, the Bitcoin staking protocol Solv Protocol switched its SolvBTC and xSolvBTC cross-chain infrastructure, totaling over $700 million, to CCIP, covering all supported chains.
On the same day, the decentralized reinsurance protocol Re also migrated its cross-chain solution for the deposit token reUSD to CCIP, designating it as the sole cross-chain solution. The non-custodial lending protocol Tydro was also among the first to migrate.
On May 14, Kraken announced that it would replace LayerZero with Chainlink CCIP as its exclusive cross-chain service for encapsulating crypto assets, including Bitcoin (kBTC), covering multiple blockchains such as Ink, Ethereum, and Optimism. On May 16, Lombard announced that it would abandon LayerZero and migrate over $1 billion worth of Bitcoin-backed assets to CCIP, adopting a cross-chain token standard of burning and minting.
According to DefiLlama data, if only the current total value locked in major DeFi protocols is counted, the combined value of the five protocols exceeds $3.4 billion. When institutional encapsulation assets are added, the overall migration scale is in the range of approximately $4 billion.
Coinbase selected CCIP as its exclusive interoperability provider for all its wrapped assets back in December 2025, covering assets such as cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market capitalization of approximately $7 billion at the time. In January 2024, Circle also integrated with CCIP to support multi-chain transfers of USDC.
The market's response to this shift in trust is directly reflected in the token's price movement.
According to CoinMarketCap data, LINK has risen 2.73% in the past 30 days, closing at $9.6, with a market capitalization of $6.98 billion, maintaining its 16th position in the crypto market. In contrast, ZRO has fallen 22.63% during the same period, closing at $1.34, with a market capitalization of $434 million, dropping to 92nd place. LayerZero also faces additional pressure from the unlocking of over 25.71 million ZRO tokens on May 20th, worth approximately $34.45 million, representing 5.07% of the circulating supply.
According to Dune data, the LayerZero network has seen a net outflow of approximately $2.01 billion in the past 30 days.
Behind the influx of protocols lies the significant difference in security architecture between Chainlink CCIP and LayerZero. Chainlink previously announced in April 2024 that CCIP had entered a fully available phase, supporting blockchains such as Arbitrum, Base, BNB Chain, and Ethereum.
Chainlink CCIP deeply integrates a decentralized oracle network, consisting of an off-chain consensus layer comprised of multiple independent node operators. This layer observes, verifies, and reports cross-chain events, supplemented by an independent risk management network for additional monitoring and protection. Its token transfer mechanism incorporates features such as rate limiting and time-lock upgrades, forming a defense-in-depth security model.
According to Dune data, the cumulative cross-chain token transfer amount of Chainlink CCIP has exceeded $2 billion. Among them, decentralized stablecoins GHO and USDC accounted for the largest share, reaching 22.4% and 20.2% respectively, corresponding to approximately $531 million and $481 million.
In contrast, LayerZero employs a highly modular five-layer architecture, completely separating the interface, verification, and execution, allowing developers to customize decentralized verification networks and configure verification thresholds. This design offers greater flexibility but also requires applications to actively select and maintain security configurations.
The KelpDAO incident brought the fatal flaws of the single validator configuration into the spotlight. At the time, protocols that also chose the 1/1 configuration accounted for as much as 47%, which prompted many projects to quickly switch to CCIP, which has decentralized verification as the default option and more complete security controls.
LayerZero issued an apology on May 9, admitting that it had mishandled communication over the past three weeks and stated that it should have explained the situation directly earlier rather than prioritizing the completion of the post-analysis report.
LayerZero emphasizes that the protocol itself was not affected; the internal RPC used by LayerZero Labs DVN was poisoned, and the external RPC provider suffered a DDoS attack. Allowing Labs DVN to perform high-value transactions as a 1/1 configuration service was a serious mistake. An official post-incident analysis report will be released soon in conjunction with external security partners.
Original link
Click to learn about BlockBeats' job openings.
Welcome to the official BlockBeats community:
Telegram subscription group:https://t.me/theblockbeats
Telegram group:https://t.me/BlockBeats_App
Official Twitter account:https://twitter.com/BlockBeatsAsia
