In the aftermath of a severe security breach on KelpDAO’s rsETH bridge, the decentralized finance landscape is witnessing a significant exodus of capital from LayerZero’s cross-chain infrastructure to Chainlink’s Cross-Chain Interoperability Protocol (CCIP). Crypto analyst Tom Wan reported that protocols representing approximately $2 billion in total value locked (TVL) are migrating, including KelpDAO ($1.5 billion), Solv Protocol ($600 million), and re ($200 million).
The shift follows the April 18 exploit, in which attackers tied to North Korea’s Lazarus Group drained around 116,500 rsETH, worth nearly $292 million. The attack exploited a critical architectural weakness: the bridge relied on a single Decentralized Verifier Network (DVN) configuration, effectively a single point of failure. LayerZero later acknowledged that its internal RPC infrastructure was targeted and that it should have monitored what its own DVN was securing more closely.
LayerZero admitted communication missteps and announced it will no longer support 1-of-1 DVN configurations, moving default verification to a minimum of 3-of-3 and aiming for 5-of-5 where possible. Despite these changes, KelpDAO and others have decided to switch. KelpDAO’s rsETH will now use Chainlink CCIP and the Chainlink Cross-Chain Token standard, leveraging decentralized oracle networks that require at least 16 independent node operators for transaction validation.
The migration marks one of the first major departures from LayerZero since the incident. While major assets like Ethereum’s USDe, EtherFi’s weETH, and WBTC continue to use LayerZero’s OFT standard, the broader DeFi community is reassessing security defaults. LayerZero revealed that at the time of the attack, about 47% of its roughly 2,665 applications were using the same single-verifier setup, raising questions about onboarding defaults.
In response to the exploit, a coalition called DeFi United was formed, with LayerZero contributing a combined 10,000 ETH (a donation and a loan to Aave) to restore rsETH backing. Meanwhile, the Arbitrum Security Council froze 30,766 ETH linked to the exploit, while plaintiffs with terrorism-related claims against North Korea moved to seize those funds, adding legal complexity.
LayerZero is also rolling out internal security upgrades, including its custom multisig system OneSig, a planned raise of the multisig threshold from 3-of-5 to 7-of-10, and a new Console platform for issuers to monitor and manage security configurations. The entire saga has evolved from a bridge failure into a broader examination of verifier design, developer defaults, and accountability across cross-chain systems.
