Since the KelpDAO cross-chain bridge suffered a $292 million attack in April this year, the security landscape of cross-chain infrastructure has undergone significant upheaval. According to statistics, approximately $4 billion in assets have either completed or are in the process of migrating from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol (CCIP).
The attack occurred in the early hours of April 19, when the attacker called a function in the LayerZero Endpoint V2 contract, triggering the KelpDAO bridge contract to release approximately 116,500 rsETH, valued at around $292 million. The protocol’s emergency pause mechanism subsequently prevented an additional $100 million in losses.
Following the attack, LayerZero issued a statement indicating that the attacker was preliminarily assessed as a highly sophisticated state actor, suspected to be affiliated with North Korea’s Lazarus Group under the name TraderTraitor.
The attack technique centered on corrupting the RPC nodes that the LayerZero decentralized validator network relies on, and forcing a system failover to the compromised nodes via a DDoS attack, allowing forged messages to pass through. The central controversy of the incident was that KelpDAO was using a 1-of-1 single-validator configuration at the time, which, when exploited, resulted in a single point of failure.
LayerZero acknowledged that allowing its official verification network to service high-value transactions in a 1/1 configuration was a serious error and announced it will stop signing messages for single-verifier setups. KelpDAO noted that this configuration had previously appeared as the default in LayerZero’s deployment code. Regardless of how responsibility is assigned, this attack has exposed the vulnerability of cross-chain message verification under specific configurations.
A migration wave soon began; on May 6, the affected party KelpDAO announced it was abandoning LayerZero and fully transitioning its cross-chain infrastructure for rsETH to Chainlink CCIP, becoming the first major protocol to leave.
In two days, the Bitcoin staking protocol Solv Protocol will migrate the cross-chain infrastructure for its more than $700 million in SolvBTC and xSolvBTC to CCIP, covering all supported chains.
On the same day, the decentralized reinsurance protocol Re migrated its reUSD deposit token cross-chain solution to CCIP and designated it as the sole cross-chain solution. The non-custodial lending protocol Tydro was also among the first to migrate.
On May 14, Kraken announced it would replace LayerZero with Chainlink CCIP as its exclusive cross-chain service for wrapped crypto assets, including wrapped Bitcoin (kBTC), covering multiple blockchains such as Ink, Ethereum, and Optimism. On the 16th, Lombard announced it would discontinue LayerZero and migrate over $1 billion in Bitcoin-backed assets to CCIP, using a burn-and-mint cross-chain token standard.
According to DefiLlama data, if we consider only the current total value locked (TVL) of major DeFi protocols, the combined size of the top five exceeds $3.4 billion. When including institutional wrapped assets, the overall migration scale reaches approximately $4 billion.
Coinbase selected CCIP as its exclusive interoperability provider for all its wrapped assets as early as December 2025, covering assets such as cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market capitalization of approximately $7 billion at the time. In January 2024, Circle also integrated with CCIP to enable multi-chain transfers of USDC.
Market feedback on this shift in trust is directly reflected in the two tokens' price movements.
According to CoinMarketCap data, LINK has risen 2.73% over the past 30 days to $9.60, with a market capitalization of $6.98 billion, maintaining its position as the 16th largest asset in the crypto market. In contrast, ZRO has declined 22.63% over the same period to $1.34, with a market cap of $434 million, slipping to rank 92nd. LayerZero also faces additional pressure from the unlocking of over 25.71 million ZRO tokens on May 20, worth approximately $34.45 million, representing 5.07% of the circulating supply.

According to Dune data, the LayerZero network had a net outflow of approximately $2.01 billion over the past 30 days.

Behind the wave of migrating protocols is a significant architectural difference between Chainlink CCIP and LayerZero in terms of security. Chainlink previously announced in April 2024 that CCIP had entered full availability, supporting blockchains such as Arbitrum, Base, BNB Chain, and Ethereum.
Chainlink CCIP is deeply integrated with a decentralized oracle network composed of multiple independent node operators that form an off-chain consensus layer to observe, verify, and report cross-chain events, supplemented by an independent risk management network for additional monitoring and protection. Its token transfer mechanism incorporates built-in rate limiting and time-locked upgrades, creating a defense-in-depth security model.

According to Dune data, the cumulative cross-chain token transfer volume on Chainlink CCIP has surpassed $2 billion. Decentralized stablecoins GHO and USDC account for the highest shares, at 22.4% and 20.2% respectively, equivalent to approximately $531 million and $481 million.
In contrast, LayerZero employs a highly modular five-layer architecture that fully separates interfaces, verification, and execution, allowing developers to combine decentralized verification networks and configure verification thresholds themselves. This design offers greater flexibility but requires applications to actively select and maintain their security configurations.
The KelpDAO incident brought to light the critical flaw of single-validator configurations, prompting numerous projects to quickly shift toward CCIP, which defaults to decentralized validation and offers more robust security controls. The shift is all the more notable given that protocols using the 1/1 configuration once accounted for as much as 47%.
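The failure mode described earlier (a lone verifier failing over to a compromised RPC node) and the configurable verification thresholds just discussed can be modelled in a few lines. This is an added illustration, not LayerZero or Chainlink code; the function names, endpoint labels and hash values are all constructed for the example.

```python
from collections import Counter

REAL, FORGED = "0xaaa", "0xfff"  # constructed payload hashes

# Constructed RPC views: endpoint -> reported hash, None = unreachable (DDoS).
UNDER_ATTACK = {"external-1": None, "external-2": None, "internal": FORGED}
HEALTHY = {"rpc-a": REAL, "rpc-b": REAL, "rpc-c": REAL}


def failover_read(rpc_view):
    """Naive failover: trust the first endpoint that still answers."""
    return next((h for h in rpc_view.values() if h is not None), None)


def quorum_read(rpc_view, min_agree):
    """Fail closed: return a hash only if min_agree endpoints report it."""
    votes = Counter(h for h in rpc_view.values() if h is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= min_agree else None


def accepted(attestations, claimed_hash, threshold):
    """k-of-n rule: release only if `threshold` verifiers attest claimed_hash."""
    return sum(h == claimed_hash for h in attestations) >= threshold


def one_of_one_with_failover():
    # Single verifier, pushed onto the one compromised endpoint.
    return accepted([failover_read(UNDER_ATTACK)], FORGED, threshold=1)


def two_of_three():
    # Same compromised verifier, plus two independent verifiers on healthy RPCs.
    atts = [failover_read(UNDER_ATTACK), quorum_read(HEALTHY, 2), quorum_read(HEALTHY, 2)]
    return accepted(atts, FORGED, threshold=2)


def one_of_one_fail_closed():
    # Single verifier that refuses to attest without RPC agreement.
    return accepted([quorum_read(UNDER_ATTACK, 2)], FORGED, threshold=1)


if __name__ == "__main__":
    print(one_of_one_with_failover(), two_of_three(), one_of_one_fail_closed())
```

Only the first scenario accepts the forged hash: either a higher verifier threshold or a data source that fails closed is enough to block it in this model.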
LayerZero apologized on May 9, acknowledging that its communication over the past three weeks was mishandled and stating that it should have directly explained the situation earlier rather than prioritizing the post-event analysis report.
LayerZero emphasizes that the protocol itself was unaffected; the compromised data source was an internal RPC used by LayerZero Labs' DVN, while external RPC providers suffered DDoS attacks. It described allowing the Labs DVN to serve high-value transactions in a 1/1 configuration as a serious error. The official team will soon release a post-incident analysis report in collaboration with external security partners.


