Chainlink Wins Cross-Chain Security Shift

April's exploit tally crossed $600mn. Security is no longer a secondary consideration in protocol selection, but a primary one. And the infrastructure layer is repricing accordingly.

Layer zero vulnerability exposed

The inflection point was the rsETH exploit. The attack did not exploit a smart contract vulnerability but a configuration decision at the Layer Zero cross-chain messaging layer.

KelpDAO's LayerZero deployment ran a 1-of-1 DVN security stack, requiring only a single verifier to attest cross-chain messages before funds were released at the destination. One compromised attestation was enough. LayerZero's DVN architecture – Decentralized Verifier Networks that observe source-chain events and submit cryptographic attestations to destination contracts – is theoretically sound. The failure was in how it was configured. A 2-of-2 stack would have required simultaneous compromise of two independent off-chain infrastructures. But at the time of the exploit, roughly half of all active Layer Zero deployments were still running a 1-of-1 setup. With the remaining half overwhelmingly 2-of-2, both configurations represented approximately 92% of protocol value secured on the network.

(Source: Layer Zero's Dune Dashboard)

At the time of the exploit on 18 Apr, the network was processing approximately 19,200 weekly messages and $499mn in weekly volume – running at full tempo, with no onchain visibility into which lanes were sitting behind a single verifier.

The contrast with the present is stark. Weekly messages on Layer Zero have since fallen to 14,934 as of 20 May – down 22% from the day of the exploit – while weekly volume has dropped to $329mn, a 34% contraction over the same period. The past week alone saw $280mn in net outflows across five of seven days in negative territory, including a single-day print of -$166mn on 14 May – capital leaving Layer Zero bridged deployments.

Major protocols migrate to chainlink

KelpDAO's decision to migrate $1.5bn rsETH from Layer Zero to Chainlink CCIP on 5 May opened the floodgates. rsETH is KelpDAO's liquid restaking token that allows users to earn yields on staked assets while maintaining liquidity.

(Source: Chainlink)

Five major protocols followed and have since deprecated their legacy cross-chain infrastructure, collectively moving $4.4bn in assets under Chainlink’s Cross-Chain Interoperability Protocol (CCIP): Lombard with $1bn+ LBTC (its Bitcoin-backed token) and BTC.b, Solv Protocol with $700mn SolvBTC and xSolvBTC (Bitcoin yield products), Re Protocol with $475mn reUSD (a stablecoin), Kraken (a major centralized cryptocurrency exchange) with $330mn kBTC and all future wrapped assets, and Tydro with a $400mn full oracle stack migration. All adopted CCIP as exclusive cross-chain infrastructure.

The market moved immediately. LINK rallied as much as 16.1% in the week following KelpDAO's announcement before broader macro conditions pulled it back. LINK was trading at $9.58 at 12:40UTC on 24 May, up 4.2% in the last 24 hours, according to CoinMarketCap.

Chainlink builds lasting moat

The structural case for Chainlink is not new – the protocol has held oracle dominance for years. What the rsETH exploit clarified is the cost of fragmented security models. Chainlink has since evolved well beyond price feeds into a full infrastructure layer for onchain finance: Data Streams, Proof of Reserve, Confidential Compute and cross-chain orchestration through CRE now sit alongside its core data services.

The commercial logic is a standardized rail, with one coherent stack replacing the patchwork of bridges, oracles, and middleware tools that most protocols still stitch together. No direct competitor covers the full surface, with most rivals operating on a single layer, typically messaging or bridging alone.

CCIP is the centrepiece. It enforces a minimum of 16 independent node operators across every bridging lane, with no mechanism for application owners to degrade the security stack to a single verifier. The configuration risk that enabled the KelpDAO exploit structurally cannot exist within CCIP. Native support for issuer-managed rate limits adds a secondary defence – outflow caps that function as circuit breakers even if a message is successfully forged.

Layer Zero's default 2-of-2 DVN configuration is comparable in principle, but the absence of hard floors on verifier requirements means the protocol's aggregate security profile is only as strong as its weakest deployment. Chainlink eliminates that variance by design.

Default rail economics

CCIP's total transaction value has grown from $11.99bn at the end of 2025 to $19.93bn as of 19 May, a 66% increase in under five months. The bulk of that accretion concentrated in the six weeks following the exploit, as Aave's (a leading decentralized lending protocol) TVL bleed pushed capital through CCIP transfer infrastructure on its way out, inflating throughput metrics without reflecting organic adoption.

(Source: Chainlink)

Total Value Secured (TVS) tells the same story in reverse, as TVS fell from $64.6bn at the end of March to $47.3bn currently, a direct read-through from Aave's contraction given Chainlink remains the oracle layer securing its collateral flows.

The migration's true volume impact is still ahead. As the $4.4bn in newly onboarded assets begins cycling across CCIP lanes, the fee accrual mechanism kicks in – and more fees mean more LINK buybacks. Since the programme launched in August 2025, the protocol has repurchased approximately $37.1mn in LINK, running at a weekly pace of roughly $1.1mn over the past four weeks. That run rate was set before KelpDAO, Lombard or Re Protocol came through the door.

The more durable signal is structural. When Kraken – a centralized exchange with its own custody stack – deprecates its proprietary bridging solution and mandates CCIP for all future wrapped assets, it is not a product decision. It is a statement about where institutional-grade cross-chain infrastructure now begins and ends.