Decentralized finance (DeFi) provider Kelp DAO has announced a major infrastructure shift for its liquid restaked token rsETH, transitioning its cross-chain bridge from LayerZero’s OFT (Omnichain Fungible Token) protocol to Chainlink’s CCIP (Cross-Chain Interoperability Protocol). The move, revealed on May 5, follows a devastating cyberattack on April 18 in which hackers exploited LayerZero’s infrastructure, resulting in the theft of 116,500 rsETH from Kelp DAO—an incident that caused losses of approximately $292 million across the DeFi sector.
Security flaws with LayerZero exposed
The attack led to the rapid loss of nearly 18% of total rsETH supply in circulation. According to blockchain analytics firm Chainalysis, attackers gained control over internal network points managed by LayerZero Labs. By directing traffic to compromised nodes using DDoS methods, they were able to siphon off large token volumes out of the system. At the time, the bridge operated with a single validator, which meant that a single forged signature could authorize unjustified token withdrawals on connected networks.
In the aftermath, LayerZero stated that using a single validator model contradicted its operational standards. However, Kelp DAO released their correspondence with the LayerZero team, providing evidence that LayerZero had both accepted and approved this architecture. Telegram screenshots shared by Kelp DAO showed LayerZero officials permitting the use of default settings for the bridge.
After the latest breach, we began taking steps to fully secure rsETH, which is why we are migrating to Chainlink CCIP. During the April 18 incident, LayerZero’s compromised infrastructure contributed to $300 million in losses throughout DeFi.
Reports indicate that at the time of the hack, 47% of active smart contracts on LayerZero were operating with a single validator setup. Following the breach, LayerZero started requiring all applications to transition to enhanced security standards that include multi-validator architectures.
Why Chainlink CCIP became the new choice
In the wake of the incident, Kelp DAO chose Chainlink’s CCIP infrastructure to strengthen security and prevent similar risks. Chainlink co-founder Sergey Nazarov underscores that CCIP differentiates itself by implementing three separate oracle networks for each transaction lane, a distinct risk management network working alongside the core protocol, and by ensuring these networks are built in different programming languages by independent teams. This layered approach prevents vulnerabilities in one component from spreading throughout the system.
CCIP is designed to enable secure transfers across blockchains, utilizing multi-layered validation mechanisms to guard against attacks like the one faced by Kelp DAO. So far, Chainlink CCIP has not suffered any major security losses since its introduction, which played a large role in Kelp DAO’s decision.
Even if you manage to breach one codebase, you cannot extend the exploit to others. This ensures customer diversity and allows independent codebases to interact securely.
The switch from LayerZero to CCIP marks a shift toward a more flexible, security-first infrastructure for Kelp DAO. Analysts emphasize that the attack was only possible due to the reliance on a single validator, mono-codebase, and a single infrastructure operator.
Steps taken after the hack
In the weeks since the breach, LayerZero contributed 10,000 ETH to the DeFi United recovery fund. Meanwhile, the Arbitrum Security Council froze 30,766 ETH found in addresses tied to the attackers. However, the legal status of these funds remains ambiguous. In the United States, court cases are unfolding as some plaintiffs seek seizure of the assets, citing North Korea-related terrorism rulings.
While Kelp DAO sees the transition to CCIP as a structural solution, LayerZero is enforcing mandatory adoption of multi-validator configurations for nearly half its applications. The event, now regarded as 2026’s largest DeFi hack, has brought cross-chain bridge security into sharper focus throughout the crypto ecosystem.
