3 billion DeFi money migrations: Layer Zero fell and Chainlink was fed
Each major security crisis is a redistribution of mobility and voice。
Photo by Nancy, PANews
The relief efforts for the Kelp DAO attack have recently witnessed substantial progress with the next blood transfusion of the multiple head agreements, the quick completion of the funding gap and the facilitation of the restoration of the chain. However, market confidence remains more difficult to repair than rehabilitation at the financial level。
Layer Zero, who is at the centre of this vortex, is facing a number of agreements to accelerate its withdrawal and has been forced to turn his attitude in just a few weeks, from the initial sling pot to the public apology and overhaul. Chainlink, on the other hand, unexpectedly became a beneficiary of the crisis, with the CCIP agreement taking over a large amount of migratory liquidity and a marked increase in the chain data。
Three billion dollars a week. Chainlink is safe. Dividend
As the largest DeFi security incident to date in 2026, Kelp DAO attacks accelerated the movement of mobility along the chain。
With the ongoing security dispute over Layer Zero, a growing number of DeFi agreements have begun to reassess cross-chain risks and to proactively seek more reliable safe havens. During the past week, Chainlink has published numerous cases of relocation。
On 9 May, Chainlink officially disclosed that four agreements, including Kelp DAO, Solv Protocol, Re and Tydro, had recently been abandoned from the original bridge or prophecy programme and moved to Chainlink CCIP, bringing the total to over $3 billion. The government even devoted the last sentence to the "The Great Migration" which created a great deal of powder for this ecological transfer。
Behind this wave is a re-entry around security。
In addition to the DeFi agreement, which has been repositioned for security concerns, Chainlink has been gaining interest in traditional financial institutions and encryption projects in recent months。
In March of this year, Coinbase, through the newly launched Chatalink service, placed its exchange market data directly into the chain for the first time; the largest European institution, Amundi, joined hands with Spiko to launch the Chainlink-based Derivative Public Fund。
In April, OpenAssets entered into a strategic partnership with Chainlink to launch an asset-dinetization infrastructure programme for institutions; the major European stock exchange operator, SIX Group, joined forces with Chainlink to promote the uplinking of Swiss and Spanish stock market data; and the AWS Marketplace online Chainlink data service to connect traditional cloud and block chains。
In May, the United States Deposit and Settlement Corporation (DTCC) announced the introduction of Chainlink to build a block chain collateral management platform with the goal of achieving round-the-clock near real-time settlement; and Huma Finance, in collaboration with Chainlink, introduced corporate-level revenue products into multi-chain ecology。
As the ecology continues to expand, the energy of the Chainlink chain also increases significantly. According to Santiago monitoring, Chainlink exceeded 282,000 and 264,000 independent active addresses on 9 and 10 May, respectively, to record the highest since September 2025, noting that this was mainly affected by the large-scale relocation infrastructure of the recent DeFi agreement。
At the same time, Chainlink officially indicated that its cross-chain currency had a total value of over $61.8 billion, of which CCP transactions amounted to $19.5 billion。
Market confidence is also reflected in the change in hold of the LINK token. Monitoring by Santiago early this month revealed that, over the past month, between 100,000 and 10 million fishing whales and shark addresses in Chainlink had accumulated an increase of 3,293,000. In historical terms, this is usually a stronger view of the signal. In the past 30 days, the LINK has risen by about 19.7 per cent。
Layer Zero is in a crisis of trust, and the authorities are urgently sorry and corrected
At the moment, LayerZero is in a crisis of confidence。
According to DefiLlama data, the volume of Bridge transactions by Layer Zero has fallen to about $470 million this week, approaching historical lows. This attack is causing Layer Zero to experience a crisis of confidence。
In the early days of the hacking, Kelp DAO blamed the leaked attack on the security of Layer Zero. Later, Layer Zero quickly denied responsibility, claiming that many of the allegations made by Kelp DAO in the rsETH security incident were totally false。
But the controversy did not calm down. Last week, the Layer Zero Labs Consortium and CEO Bryan Pellegrino, in the ETHSecurity Community Telegram group, broke out with a number of security researchers。
The controversy focused on the fact that Layer Zero Labs could immediately upgrade the time-locked default bank contract and theoretically forge cross-chain news, exposing over $3 billion of LZ OFT assets to potential risk over time. According to Security Researcher Banteg, some of the mainstream projects, including Ethena and EtherFi, continued to use the default bank weeks ago and some $178 million of assets were still at risk。
At the same time, the chain data also show that Layer Zero ' s multiple signature addresses have been used to trade in meme currency, DEX Swap and cross-links unrelated to multiple signature duties, further raising community concerns about key security. In response, Bryan acknowledged that the operation had indeed been performed by members of the multi-signature team, but denied that it belonged to the “Meme currency speculation transaction”, stating that its purpose was merely to “test the PEPE OFT function” and stating that the members concerned had been removed。
In order to reduce the risk, Bryan also publicly recommended that the projecter replace the default configuration with “fixed configuration” as soon as possible. Subsequently, Banteg also published a list of Layer Zero projects that still use the default bank contract and called for the agreement to move as soon as possible。
This statement quickly triggered industry discussions and challenges. Chainlink's strategic manager, Zach Rynes, had sent a letter criticizing Layer Zero Labs for the long-standing serious OPSEC (operational security) error of his multiple signing key, which directly exposed billions of dollars of OFT asset security risks. He further stated that such attacks could have been avoided had Layer Zero and industry been able to give real importance to the ongoing warnings issued by the security researchers over the past few years。
There has been a marked change in LayerZero ' s attitude in the face of continued bloodshed in market opinion and ecology. On 9 May, the official Layer Zero officially issued a public apology in response to security incidents and communications over the past three weeks。
Layer Zero Labs states that its internal RPC was attacked by Lazarus Group over the past three weeks, causing damage to its real source of DVN (decentralized certification network), while external RPC suppliers were attacked by DDOS. The incident affected only 0.14 per cent of its application and approximately 0.36 per cent of its asset value, leaving no impact on the Layer Zero agreement itself, after which more than $9 billion remained in regular cross-chain movements。
However, LayerZero Labs also admitted for the first time that DVN had previously been allowed to provide security for high-value transactions with a "1/1" single node configuration, with a single-point failure risk, for which it was subject to regulatory failure. Officially, it was also revealed that three and a half years ago, a person who had signed a multiple-signer had mishandled the hardware wallet for personal transactions, that the signatory had been removed and that the wallet had been rotated。
In response to the subsequent overhaul, Layer Zero Labs announced a series of security upgrades, including the discontinuation of service for 1/1 DVD configurations and the ongoing migration of all path default configurations to more than 5/5, with a minimum of 3/3; the development of a second set of DVD clients based on Rust to achieve client diversity; the introduction of a dedicated multi-signature tool, OneSig, to enhance signature security; and the online unified management platform, Console, for asset distribution configuration and abnormal behaviour detection。
In addition, Layer Zero invested more than 10,000 ETH in this DeFi United, of which 5,000 will be used for the fund and the remaining 5,000 ETH will be reserved for Aave。
In spite of the escalating dispute, Layer Zero did not completely lose its market. Major assets, including Ethena’s USDe products, EtherFi’s WeETH assets and Bitgo’s WBTC, continue to use the LayerZero OFT standard。
Each major security crisis is a redistribution of mobility and voice. As the encryption industry moves towards the mainstream financial markets, the market will be increasingly critical of the underlying infrastructure, and security capacity is becoming a core competitiveness。
