When the wall falls, everyone abandons it? A $292 million vulnerability triggers a major reshuffle in cross-chain protocols.

Written by: Nicky, Foresight News

Since the KelpDAO cross-chain bridge suffered an attack of approximately $292 million in April this year, the security landscape of cross-chain infrastructure has been undergoing a dramatic overhaul. Statistics show that about $4 billion in assets have completed or are in the process of migrating from LayerZero to Chainlink's Cross-Chain Interoperability Protocol (CCIP).

The attack occurred in the early hours of April 19, when the attacker invoked a function of the LayerZero Endpoint V2 contract, triggering the KelpDAO bridging contract to release approximately 116,500 rsETH, valued at about $292 million. An emergency pause mechanism in the protocol subsequently prevented about $100 million in further losses.

Following the attack, LayerZero released a statement indicating that preliminary assessments identified the attacker as a highly sophisticated state actor, suspected to be linked to North Korea's Lazarus Group subsidiary TraderTraitor. The crux of the attack method involved contaminating the RPC nodes on which the LayerZero decentralized validator network relies, and through DDoS attacks forcing the system to failover to already compromised nodes, allowing forged messages to pass through. The central point of contention in the incident was that KelpDAO had employed a 1-of-1 single validator configuration at that time, a configuration that was exploited, leading to a single point of failure.

LayerZero admitted that allowing its official validation network to service high-value transactions with a 1/1 configuration was a serious mistake and announced the discontinuation of messages signed for single validators. KelpDAO pointed out that this configuration had previously appeared as the default setting in LayerZero's deployment code. Regardless of how responsibility is assigned, this attack exposed the vulnerabilities in cross-chain message validation under certain configurations.

A wave of migration followed swiftly; on May 6, the victim, KelpDAO, was the first to announce abandonment of LayerZero, fully transitioning the cross-chain facility for rsETH to Chainlink CCIP, becoming the first major protocol to leave. Two days later, the Bitcoin staking protocol Solv Protocol switched its cross-chain infrastructure for SolvBTC and xSolvBTC, which have a total scale exceeding $700 million, to CCIP, covering all supported links.

On the same day, the decentralized reinsurance protocol Re also migrated the cross-chain solution for its deposit token reUSD to CCIP, designating it as the sole cross-chain solution. The non-custodial lending protocol Tydro also made it onto the initial migration list.

On May 14, Kraken announced it would replace LayerZero with Chainlink CCIP as its exclusive cross-chain service for wrapped crypto assets including wrapped Bitcoin kBTC, covering multiple blockchains such as Ink, Ethereum, and Optimism. On the 16th, Lombard announced it would abandon LayerZero, migrating over $1 billion in Bitcoin-backed assets to CCIP, utilizing a cross-chain token standard that involves burning and minting.

According to DefiLlama data, if only the current total locked value of major DeFi protocols is counted, the scale of the five has reached over $3.4 billion, combined with institutional wrapped assets, the total migration scale is approximately $4 billion.

Coinbase had already chosen CCIP as its exclusive interoperability provider for all its wrapped assets back in December 2025, covering cbBTC, cbETH, cbDOGE, cbLTC, cbADA, and cbXRP, with a total market capitalization of about $7 billion at that time. In January 2024, Circle had already integrated with CCIP to support multi-chain transfers of USDC.

The market's response to this trust migration is directly reflected in token performance. According to CoinMarketCap data, LINK has risen 2.73% in the past 30 days, reporting $9.6 and a market cap of $6.98 billion, maintaining its position as the 16th in the crypto market; in contrast, ZRO saw a decline of 22.63% during the same period, reporting $1.34 and a market cap of $434 million, dropping to the 92nd place. LayerZero also faces additional pressure from over 25.71 million ZRO tokens being unlocked on May 20, valued at approximately $34.45 million, accounting for 5.07% of the circulating supply.

According to Dune data, there has been a net outflow of approximately $2.01 billion from the LayerZero network in the past 30 days.

A large influx of protocols is driven by the significant differences in security architecture between Chainlink CCIP and LayerZero. Chainlink announced in April 2024 that CCIP had entered a fully available phase, supporting blockchains like Arbitrum, Base, BNB Chain, and Ethereum.

Chainlink CCIP is deeply integrated with a decentralized oracle network, comprised of multiple independent node operators that form an off-chain consensus layer, observing, validating, and reporting cross-chain events, supplemented by an independent risk management network for additional monitoring and protection. Its token transfer mechanism includes built-in rate limiting and time-lock upgrades, forming a defense-in-depth security model.

According to Dune data, the cumulative token transfer amount of Chainlink CCIP has surpassed $2 billion. Among them, decentralized stablecoins GHO and USDC account for the highest proportion, reaching 22.4% and 20.2%, corresponding to amounts of approximately $531 million and $481 million, respectively.

In contrast, LayerZero employs a highly modular five-layer architecture, completely separating the interface, validation, and execution, allowing developers to independently assemble decentralized validation networks and configure validation thresholds. This design offers greater flexibility but also requires applications to actively choose and maintain secure configurations. The KelpDAO incident placed the fatal flaw of single-validator configuration in the spotlight, as protocols that similarly chose a 1/1 configuration once accounted for as much as 47%, prompting numerous projects to quickly turn towards CCIP, which has decentralized validation as the default option and more comprehensive security controls.

LayerZero issued an apology on May 9, admitting improper handling of communication over the past three weeks, stating that it should have directly explained the situation much earlier rather than prioritizing the completion of a post-analysis report. LayerZero emphasized that the protocol itself was not affected, and that it was the internal RPC used by LayerZero Labs DVN that was contaminated, while external RPC providers suffered DDoS attacks, allowing Labs DVN to service high-value transactions with a 1/1 configuration, which was a serious error. The official team will soon release a post-analysis report in collaboration with external security partners.