Login
Sign Up
The cross-chain security landscape underwent a seismic shift following a Q-type attack on KelpDAO in early April, which exposed critical vulnerabilities in LayerZero's infrastructure. On April 19, attackers exploited functions within the LayerZero Endpoint V2 contract, manipulating the decentralized validator network to release approximately 116,500 rsETH valued at $292 million. Although the protocol's emergency suspension mechanism halted further losses estimated at $100 million, the incident revealed a fatal flaw in the 1-of-1 single-verifier configuration. LayerZero initially attributed the breach to sophisticated state actors, potentially linked to the North Korean Lazarus Group's TraderTraitor, noting that the attack involved contaminating RPC nodes and executing DDoS attacks to force system failover to compromised endpoints. This allowed forged messages to bypass security checks, a vulnerability exacerbated by KelpDAO's reliance on a single-point failure setup that LayerZero later admitted was a serious mistake for high-value transactions.
The immediate aftermath triggered a rapid cascade of institutional migrations away from LayerZero toward Chainlink's Cross-Chain Interoperability Protocol (CCIP). KelpDAO became the first major protocol to announce a full switch to CCIP on May 6, abandoning LayerZero for its rsETH infrastructure. This decision was swiftly followed by Solv Protocol, which migrated over $700 million in SolvBTC and xSolvBTC assets across all supported chains two days later.
Concurrently, the decentralized reinsurance protocol Re designated CCIP as its sole cross-chain solution for reUSD deposit tokens, while non-custodial lending protocol Tydro also initiated the transition. Data compiled by Woofun AI indicates that these early movers represent a significant portion of the capital flight, setting a precedent for broader industry realignment.
The migration wave intensified as major financial institutions and centralized exchanges joined the exodus. On May 14, Kraken announced it would replace LayerZero with CCIP as its exclusive service for encapsulating crypto assets, including kBTC, across chains like Ink, Ethereum, and Optimism. Two days later, Lombard declared the abandonment of LayerZero to migrate over $1 billion in bitcoin-backed assets to CCIP, adopting a destruction and issuance token standard. When aggregating the total locked value of these five protocols, the scale exceeds $3.4 billion, and including institutional-encapsulated assets, the total migration reaches approximately $4 billion. This trend follows earlier strategic moves by Coinbase, which selected CCIP in December 2025 for $7 billion in encapsulated assets, and Circle, which integrated CCIP in January 2024 for multi-chain USDC transfers.
Market sentiment reflected this structural shift in trust through divergent token performance. Over the past 30 days, LINK rose 2.73% to trade at $9.6, securing a market capitalization of $6.98 billion and maintaining the 16th rank in the crypto market. In stark contrast, ZRO plummeted 22.63% to $1.34, with its market value contracting to $434 million and its ranking slipping to 92nd. Compounding the pressure on LayerZero, over 25.71 million ZRO tokens worth approximately $34.45 million were unlocked on May 20, representing 5.07% of the total supply. Woofun AI notes that on-chain metrics further underscore this capital flight, with LayerZero's network recording a net outflow of approximately $2.01 billion in the last month.
The divergence in adoption rates stems from fundamental differences in security architecture between the two protocols. Chainlink's CCIP, fully available since April 2024, leverages a decentralized oracle network where multiple independent node operators form an off-chain consensus layer to observe and verify cross-chain events. This model is reinforced by an independent risk management network and includes built-in rate limits and time locks for token transfers, creating a multi-layered defense. In contrast, LayerZero's highly modular five-layer architecture separates interfaces, verification, and execution, offering developers flexibility to customize validator networks and thresholds.
However, this design places the burden of security configuration on application developers, a responsibility that many failed to meet under the default 1-of-1 settings.
The KelpDAO incident highlighted that 47% of protocols utilizing LayerZero relied on the vulnerable single-verifier configuration, prompting a sector-wide pivot to CCIP's default decentralized verification. On May 9, LayerZero issued an apology, acknowledging mishandled communication over the preceding three weeks and admitting that allowing its official validation network to use the flawed configuration for high-value transactions was a critical error. The protocol clarified that the core issue lay in contaminated internal RPC data sources and external DDoS attacks rather than a breach of the protocol itself. As LayerZero prepares to release a joint post-attack analysis report with external security partners, the industry appears to have decisively favored the more robust, pre-configured security model offered by CCIP.