3B美元 DeFi 資金大遷徙：LayerZero 跌倒，Chainlink 吃飽

Author: Nancy, PANews

As several top protocols exit to inject liquidity, quickly filling the funding gap and advancing on-chain recovery, the rescue efforts for the Kelp DAO attack have recently made tangible progress. But compared to the financial repairs, what’s even harder to restore is market trust.
At the center of this whirlpool, cross-chain leader LayerZero is facing many protocols accelerating their departure and has been forced to change its stance rapidly within just a few weeks, from initially shifting blame to now publicly apologizing and launching reforms. Meanwhile, Chainlink unexpectedly became a beneficiary of this crisis, with its CCIP protocol taking on a large amount of migrated liquidity, leading to a noticeable growth in on-chain data.
$3B migrated in one week, Chainlink reaps security dividends
As the largest DeFi security incident since 2026, the Kelp DAO attack has accelerated the migration of on-chain liquidity.
With LayerZero’s security controversy continuing to ferment, more DeFi protocols are reevaluating cross-chain risks and actively seeking more reliable safe havens. Over the past week, Chainlink has announced multiple migration cases.
On May 9, Chainlink officially revealed that four protocols, including Kelp DAO, Solv Protocol, Re, and Tydro, have recently abandoned their original cross-chain bridges or oracle solutions and migrated to Chainlink CCIP, with a total TVL exceeding $3 billion. The official even used the phrase “The Great Migration” to hype this ecosystem shift, with a very intense tone.
Behind this migration wave is a re-alignment around security.
In addition to DeFi protocols re-aligning due to security concerns, Chainlink has also continued to gain favor from traditional financial institutions and crypto projects in recent months.
In March this year, Coinbase used Chainlink’s newly launched DataLink service to directly upload its exchange market data on-chain for the first time; Europe’s largest asset management firm Amundi partnered with Spiko to launch a Chainlink-based tokenized public offering fund.
In April, OpenAssets reached a strategic partnership with Chainlink to provide infrastructure for institutional asset tokenization; major European stock exchange operator SIX Group collaborated with Chainlink to push Swiss and Spanish stock market data on-chain; AWS Marketplace launched Chainlink data services, connecting traditional cloud and blockchain.
In May, the US Depository Trust & Clearing Corporation (DTCC) announced the adoption of Chainlink to build a blockchain collateral management platform aimed at achieving near real-time settlement 24/7; Huma Finance partnered with Chainlink to bring institutional-grade yield products into the multi-chain ecosystem.
As the ecosystem continues to expand, Chainlink’s on-chain activity has also significantly increased. According to Santiment monitoring, on May 9 and 10, the number of independent active addresses on Chainlink broke 282k and 264k respectively, hitting the highest levels since September 2025, mainly driven by recent large-scale infrastructure migrations of DeFi protocols.

Meanwhile, Chainlink’s official data shows that its total cross-chain token value has exceeded $61.8 billion, with CCIP trading volume reaching $19.5 billion.
Market confidence is also reflected in the holdings of LINK tokens. According to Santiment’s early-month monitoring, over the past month, whale and shark addresses holding between 100k and 10 million LINK have collectively increased their holdings by 32.93 million LINK. Historically, this is often seen as a strong bullish signal. Over the past 30 days, LINK has risen approximately 19.7%.
LayerZero faces a trust crisis, with officials issuing urgent apologies and reforms
Currently, LayerZero is embroiled in a trust crisis.
According to DefiLlama data, LayerZero’s weekly bridge transaction volume has fallen to about $470 million, approaching a historical low. This attack has caused LayerZero to undergo a trust crisis.

In the early stages of the hacker incident, Kelp DAO blamed LayerZero’s security issues for the vulnerability attack. Subsequently, LayerZero quickly denied responsibility, stating that Kelp DAO’s multiple accusations related to the rsETH security incident were completely false.
But the controversy did not end there. Last week, LayerZero Labs co-founder and CEO Bryan Pellegrino engaged in heated debates with several security researchers in the ETHSecurity Community Telegram group.
The core issue was that LayerZero Labs could immediately upgrade the non-time-locked default library contracts, theoretically allowing the forging of cross-chain messages, which exposed over $3 billion in LZ OFT assets to potential risk over time. Security researcher Banteg pointed out that some mainstream projects, including Ethena and EtherFi, still used this default library weeks ago, with about $178 million in assets still at risk.
Meanwhile, on-chain data showed that LayerZero multi-signature addresses had conducted meme coin transactions, DEX swaps, and cross-chain bridge operations unrelated to multi-signature responsibilities, further raising community concerns about key security. Bryan admitted that these operations were performed by team members with multi-signature keys but denied they were “meme coin speculative trades,” claiming their purpose was only to “test PEPE OFT functionality,” and that the members involved had been removed.
To reduce risk, Bryan also publicly recommended that projects adopt “fixed configurations” instead of default setups as soon as possible. Subsequently, Banteg published a list of LayerZero projects still using default library contracts, urging protocols to migrate quickly.
This statement quickly sparked industry discussion and skepticism. Chainlink strategy lead Zach Rynes criticized LayerZero Labs, saying that multi-signature keys have long suffered from severe OPSEC (Operational Security) failures, directly exposing billions of dollars in OFT assets to security risks. He further stated that if LayerZero and the industry had truly paid attention to security researchers’ warnings over the past few years, such attacks could have been avoided.
Faced with market criticism and ongoing ecosystem bleeding, LayerZero’s attitude shifted noticeably. On May 9, the official LayerZero published a public apology addressing the past three weeks’ security incidents and communication issues.
LayerZero Labs stated that its internal RPCs had been attacked by the Lazarus Group over the past three weeks, damaging the source of its DVN (Decentralized Validation Network), and that external RPC providers had suffered DDoS attacks. The incident affected only 0.14% of applications and about 0.36% of asset value. The LayerZero protocol itself was unaffected, and over $9 billion in assets continued to transfer cross-chain normally after the event.
However, LayerZero Labs also admitted for the first time that allowing the DVN to operate with a “1/1” single-node configuration for high-value transactions posed a single point of failure risk, for which they bear management responsibility. The official also disclosed that over three and a half years ago, a multi-signature signer mistakenly used a multi-signature hardware wallet for personal transactions; this signer has now been removed, and the related wallet has been rotated.
For subsequent reforms, LayerZero Labs announced a series of security upgrades, including stopping support for 1/1 DVN configurations, migrating all default paths to 5/5 multi-signature setups with a minimum of 3/3 signatures; developing a second Rust-based DVN client to enhance client diversity; and launching a dedicated multi-signature tool, OneSig, to improve security.
Additionally, LayerZero contributed over 10k ETH to the DeFi United rescue effort, with 5,000 ETH allocated to a fund and the remaining 5,000 ETH reserved for Aave.
Despite ongoing controversies, LayerZero has not completely lost the market. Major assets like Ethena’s USDe, EtherFi’s weETH, and BitGo’s WBTC continue to use LayerZero’s OFT standard.
Every major security crisis is a redistribution of liquidity and influence. As the crypto industry gradually moves toward mainstream finance, the standards for evaluating underlying infrastructure will become more stringent, and security capabilities are increasingly becoming a core competitive advantage.