Is everyone abandoning it when it falls? A $292 million vulnerability triggers a major reshuffle of cross-chain protocols.

Written by: Nicky, Foresight News

Since the KelpDAO cross-chain bridge suffered a $292 million attack in April this year, the security landscape of cross-chain infrastructure is undergoing a dramatic reshuffle. According to statistics, approximately $4 billion in assets have been completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP).

The attack occurred in the early morning of April 19th. The attacker invoked a function in the LayerZero Endpoint V2 contract, triggering the KelpDAO bridge contract to release approximately 116,500 rsETH, worth about $292 million. The protocol's emergency suspension mechanism subsequently prevented further losses of approximately $100 million.

Following the attack, LayerZero issued a statement saying that preliminary assessments indicated the attackers were highly sophisticated state actors, suspected to be TraderTraitor, a subsidiary of North Korea's Lazarus Group. The core of the attack involved poisoning the RPC nodes upon which LayerZero's decentralized validator network relied, and then using a DDoS attack to force a failover to the compromised nodes, allowing forged messages to pass through. The central point of contention is that KelpDAO employed a 1-of-1 single validator configuration at the time, which, when exploited, created a single point of failure.

LayerZero acknowledged that allowing its official validator network to serve high-value transactions in a 1/1 configuration was a serious mistake and announced it would stop setting up signed messages for single validators. KelpDAO, however, pointed out that this configuration had appeared as the default setting in LayerZero's deployment code. Regardless of who is responsible, this attack exposed the vulnerability of cross-chain message verification under certain configurations.

The migration wave then began. On May 6, KelpDAO, one of the affected parties, was the first to announce its abandonment of LayerZero, migrating its rsETH cross-chain infrastructure entirely to Chainlink CCIP, becoming the first major protocol to leave. Two days later, the Bitcoin staking protocol Solv Protocol switched its SolvBTC and xSolvBTC cross-chain infrastructure, totaling over $700 million, to CCIP, covering all supported chains.

On the same day, the decentralized reinsurance protocol Re also migrated its cross-chain solution for the deposit token reUSD to CCIP, designating it as the sole cross-chain solution. The non-custodial lending protocol Tydro was also among the first to migrate.

On May 14, Kraken announced that it would replace LayerZero with Chainlink CCIP as its exclusive cross-chain service for encapsulating crypto assets, including Bitcoin (kBTC), covering multiple blockchains such as Ink, Ethereum, and Optimism. On May 16, Lombard announced that it would abandon LayerZero and migrate over $1 billion worth of Bitcoin-backed assets to CCIP, adopting a cross-chain token standard of burning and minting.

According to DefiLlama data, if only the current total value locked in major DeFi protocols is counted, the combined value of the five protocols exceeds $3.4 billion. When institutional encapsulation assets are added, the overall migration scale is in the range of approximately $4 billion.

Coinbase selected CCIP as its exclusive interoperability provider for all its wrapped assets back in December 2025, covering assets such as cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market capitalization of approximately $7 billion at the time. In January 2024, Circle also integrated with CCIP to support multi-chain transfers of USDC.

The market's reaction to this trust shift is directly reflected in token price movements. According to CoinMarketCap data, LINK has risen 2.73% in the past 30 days, closing at $9.6, with a market capitalization of $6.98 billion, firmly holding its 16th position in the crypto market. In contrast, ZRO has fallen 22.63% during the same period, closing at $1.34, with a market capitalization of $434 million, dropping to 92nd place. LayerZero also faces additional pressure from the unlocking of over 25.71 million ZRO tokens on May 20th, worth approximately $34.45 million, representing 5.07% of the circulating supply.

According to Dune data, the LayerZero network has seen a net outflow of approximately $2.01 billion in the past 30 days.

Behind the influx of protocols lies the significant difference in security architecture between Chainlink CCIP and LayerZero. Chainlink previously announced in April 2024 that CCIP had entered a fully available phase, supporting blockchains such as Arbitrum, Base, BNB Chain, and Ethereum.

Chainlink CCIP deeply integrates a decentralized oracle network, consisting of an off-chain consensus layer comprised of multiple independent node operators. This layer observes, verifies, and reports cross-chain events, supplemented by an independent risk management network for additional monitoring and protection. Its token transfer mechanism incorporates features such as rate limiting and time-lock upgrades, forming a defense-in-depth security model.

According to Dune data, the cumulative cross-chain token transfer amount of Chainlink CCIP has exceeded $2 billion. Among them, decentralized stablecoins GHO and USDC accounted for the largest share, reaching 22.4% and 20.2% respectively, corresponding to approximately $531 million and $481 million.

In contrast, LayerZero employs a highly modular five-layer architecture, completely separating the interface, verification, and execution, allowing developers to customize decentralized verification networks and configure verification thresholds. This design offers greater flexibility but also requires applications to actively choose and maintain security configurations. The KelpDAO incident brought the fatal flaws of single-validator configurations into the spotlight; at the time, protocols using the same 1/1 configuration accounted for as much as 47%, prompting many projects to quickly shift to CCIP, which uses decentralized verification as the default option and offers more comprehensive security controls.

LayerZero issued an apology on May 9th, acknowledging mishandling of communication over the past three weeks. They stated they should have explained the situation more directly earlier rather than prioritizing the completion of the post-incident analysis report. LayerZero emphasized that the protocol itself was not affected; the problem lay with the internal RPC used by LayerZero Labs DVN, which had its data source poisoned, while the external RPC provider suffered a DDoS attack. Allowing Labs DVN to be used as a 1/1 configuration service for high-value transactions was a serious mistake. An official post-incident analysis report will be released soon in collaboration with external security partners.