News
11 May 2026, 13:48
Ink Finance and Renegade report exploits as hackers continue to raid DeFi

Two DeFi protocols, Ink Finance and Renegade, have lost a combined $349,000 in separate exploits that occurred in less than two days. Renegade, which raised around $3.4 million in a 2023 seed round led by Dragongly Capital, currently holds over $129,500 in total value locked across its Base and Arbitrum deployments, according to DefiLlama . The protocol held over $338,000 before the hack. Renegade’s TVL dropped sharply after the May exploit. Source: DeFiLlama. Ink Finance has not acknowledged or released any public statements on the exploit. The latest exploits are being seen as an extension of the streak of attacks that made April 2026 the worst month on record for smart contract losses. Ink Finance and Renegade suffer exploits Ink Finance’s exploit was flagged by blockchain security firm Blockaid on May 11. According to Blockaid, the attacker drained approximately $140,000 from the protocol’s Workspace Treasury Proxy contract on Polygon. The bad actors deployed a contract at an address matching a whitelisted claimer entry in Ink Finance’s Workspace controller, then called the claim function to pass the eligibility check and trigger an authorized transfer from the treasury proxy. Renegade, the dark pool DEX, suffered its own exploit the previous day, May 10. Confirming a post by Blockaid, the protocol stated that a legacy V1 deployment on Arbitrum was exploited for approximately $209,000. It informed the public that the white hat has already returned around $190k and added that all affected users will be made whole. Renegade confirmed that the vulnerability was isolated to the V1 Arbitrum deployment and did not affect its other contracts. Syndicate bridge losses add to the toll The two exploits follow a string of incidents that began in late April. On April 30, Syndicate Labs announced it had suffered a security incident. This was a private key compromise that enabled malicious upgrades to bridge contracts on two chains, and resulted in the loss of around 18.5 million SYND tokens and $50,000 in other tokens. On May 10, Syndicate stated that it had reimbursed all affected SYND holders on Commons Chain in full, plus an additional 15% of the total amount lost. The reimbursements were sent directly to affected wallets on Base, with gas fees covered by Syndicate Labs. AI-assisted attacks raise the stakes DeFi exploits are on the rise at a pace never seen before. There is growing evidence that AI tools are being leveraged to lower the barrier for attackers. An a16z Crypto research discovered that an off-the-shelf AI coding agent, given only a contract address and basic developer tools, could independently identify and exploit smart contract vulnerabilities 10% of the time. The success rate went up seven times to 70% when the agent was provided with structured knowledge about common attack patterns. GoPlus Security reportedly flagged four separate smart contract exploits on Ethereum mainnet within a 48-hour window ending April 29, with combined losses exceeding $1.5 million, per the same report. The firm sees the current pace of AI-assisted attacks as a “countdown-by-the-second era.” There’s a middle ground between leaving money in the bank and rolling the dice in crypto. Start with this free video on decentralized finance .
11 May 2026, 12:11
Ronin set to transition to Ethereum layer 2 from independent sidechain

The purpose behind the migration is to enhance security, tokenomics and scalability, said Ronin, which suffered the largest DeFi bridge exploit on record in 2022.
11 May 2026, 08:35
Over $3B in DeFi Assets Migrate to Chainlink’s CCIP After KelpDAO Hack, Analysts Say

BitcoinWorld Over $3B in DeFi Assets Migrate to Chainlink’s CCIP After KelpDAO Hack, Analysts Say In the wake of a significant security breach targeting KelpDAO’s rsETH token, the decentralized finance (DeFi) sector has witnessed a massive capital migration. According to an analysis by CryptoSlate, over $3 billion in assets have moved to Chainlink’s Cross-Chain Interoperability Protocol (CCIP), positioning the oracle network as a clear beneficiary of the incident. Post-Hack Shift in Bridge Infrastructure The hack, which exploited vulnerabilities in LayerZero’s cross-chain bridge infrastructure, prompted a rapid reassessment of security standards across the DeFi ecosystem. CryptoSlate’s report indicates that the affected protocols and their users swiftly adopted Chainlink’s CCIP as their new standard for secure cross-chain communication. This migration was accompanied by a noticeable increase in the price of Chainlink’s native token, LINK, reflecting renewed market confidence in the protocol’s security architecture. LayerZero Admits Security Oversight In contrast to Chainlink’s gain, LayerZero (ZRO) has faced significant reputational damage. The team behind the exploited bridge publicly acknowledged and apologized for what they described as “lax security oversight.” The admission has intensified scrutiny on LayerZero’s operational practices, with industry participants now questioning whether the protocol can restore the trust lost in the aftermath of the KelpDAO incident. Broader Implications for DeFi Security The event underscores a critical vulnerability in the DeFi sector: the reliance on cross-chain bridges, which have historically been prime targets for attackers. The migration to CCIP suggests that the market is prioritizing protocols with proven security track records and robust interoperability solutions. For Chainlink, this represents a strategic win, reinforcing its role as a foundational infrastructure provider in the blockchain space. Conclusion The KelpDAO hack has catalyzed a major shift in DeFi bridge infrastructure, with Chainlink’s CCIP emerging as the preferred alternative to LayerZero. While Chainlink’s market position strengthens, LayerZero faces an uphill battle to rebuild credibility. The incident serves as a stark reminder of the importance of rigorous security audits and transparent governance in the rapidly evolving DeFi landscape. FAQs Q1: What caused the migration of over $3 billion in DeFi assets to Chainlink’s CCIP? The migration was triggered by a security breach at KelpDAO, where a hacker exploited vulnerabilities in LayerZero’s cross-chain bridge. In response, protocols and users sought a more secure alternative, leading to widespread adoption of Chainlink’s CCIP. Q2: How did the KelpDAO hack affect LayerZero’s reputation? LayerZero publicly admitted to lax security oversight following the hack, which damaged its credibility. The industry is now questioning whether LayerZero can recover the trust lost, especially as competitors like Chainlink gain traction. Q3: What does this event mean for the future of cross-chain bridge security? The incident highlights the critical need for robust security measures in cross-chain infrastructure. It may accelerate the adoption of more secure protocols like Chainlink’s CCIP and prompt stricter industry-wide standards for bridge security audits and transparency. This post Over $3B in DeFi Assets Migrate to Chainlink’s CCIP After KelpDAO Hack, Analysts Say first appeared on BitcoinWorld .
11 May 2026, 07:20
TrustedVolumes Hacker Moves $278K in Stolen Funds Through Mixers and Cross-Chain Swaps

BitcoinWorld TrustedVolumes Hacker Moves $278K in Stolen Funds Through Mixers and Cross-Chain Swaps Blockchain security firm PeckShield has reported that the hacker responsible for the recent TrustedVolumes exploit has successfully laundered approximately $278,000 worth of stolen cryptocurrency. The funds, part of a larger $6.7 million theft, have been moved through multiple privacy-focused protocols and cross-chain bridges. How the Funds Were Moved According to PeckShield’s on-chain analysis, the hacker executed two primary transactions. First, 10.2 ETH, valued at around $23,600, was deposited into Tornado Cash, a well-known cryptocurrency mixing service frequently used to obfuscate the trail of stolen assets. Second, a larger sum of 110 ETH, approximately $250,000, was swapped for Bitcoin through THORChain, a decentralized cross-chain liquidity protocol. This method allows the hacker to convert Ethereum into Bitcoin without relying on centralized exchanges, making it significantly harder for law enforcement to freeze or trace the funds. Background on the TrustedVolumes Exploit TrustedVolumes, a decentralized finance (DeFi) protocol, suffered a major security breach earlier this year, resulting in the loss of $6.7 million. The exploit targeted vulnerabilities in the platform’s smart contract code, allowing the attacker to drain funds from liquidity pools. The incident was part of a broader trend of DeFi hacks that have collectively cost the industry hundreds of millions of dollars in 2024 and 2025. Why This Matters for the Crypto Ecosystem The continued use of mixing services like Tornado Cash and cross-chain bridges like THORChain highlights a persistent challenge for regulators and blockchain forensic teams. While Tornado Cash has been sanctioned by the U.S. Treasury Department, its decentralized nature means it remains operational and accessible. Similarly, THORChain’s non-custodial, cross-chain architecture allows users to swap assets without KYC checks, making it an attractive tool for bad actors seeking to launder funds. This case underscores the ongoing cat-and-mouse game between security researchers and hackers, as well as the need for more robust on-chain surveillance and regulatory frameworks. Conclusion The laundering of $278,000 from the TrustedVolumes hack is a clear example of how sophisticated attackers use decentralized tools to evade detection. While the total sum moved so far represents only a fraction of the overall theft, it signals the hacker’s intent to gradually liquidate the stolen assets. The crypto community and law enforcement agencies will be watching closely for further movements, as any slip in operational security could lead to the identification of the perpetrator. FAQs Q1: What is Tornado Cash and why do hackers use it? Tornado Cash is a decentralized privacy protocol that mixes cryptocurrencies from multiple users, making it difficult to trace the origin of funds. Hackers use it to break the on-chain link between stolen assets and their wallets. Q2: How does THORChain help in laundering crypto? THORChain is a decentralized cross-chain liquidity protocol that allows users to swap assets between different blockchains (e.g., Ethereum to Bitcoin) without KYC or centralized oversight. This makes it harder for authorities to freeze funds. Q3: What is the current status of the TrustedVolumes hack investigation? The investigation is ongoing. PeckShield and other blockchain security firms are monitoring the movement of funds. No arrests have been made, and the identity of the hacker remains unknown. This post TrustedVolumes Hacker Moves $278K in Stolen Funds Through Mixers and Cross-Chain Swaps first appeared on BitcoinWorld .
11 May 2026, 05:20
LayerZero, Lazarus and KelpDAO: The Full Story Behind the Bridge Exploit

Almost 3 weeks ago, the KelpDAO bridge exploit began as a technical failure and quickly became a wider test of cross-chain security, protocol defaults, and accountability across decentralised finance. On April 18, attackers suspected of links to North Korea’s Lazarus Group exploited a LayerZero-powered Omnichain Fungible Token bridge connected to KelpDAO’s rsETH. The attack drained about 116,500 rsETH, with losses reported near $292 million. The core issue centred on a single-verifier setup. KelpDAO’s bridge used a 1-of-1 Decentralized Verifier Network configuration, meaning one verifier could validate high-value cross-chain activity. Critics said that the structure created a single point of failure. LayerZero later said its protocol itself was not compromised. In a public update, the team said internal RPCs used by the LayerZero Labs DVN were attacked by the Lazarus Group and had their “source of truth” poisoned, while external RPC providers were hit by DDoS attacks at the same time. LayerZero Admits Communication and Configuration Failures LayerZero opened its update with an apology, saying it had done a poor job communicating during the three weeks after the exploit. The team said it had waited for a full post-mortem but should have spoken more directly earlier. The company said the incident affected one application, equal to 0.14% of total applications, and about 0.36% of asset value on LayerZero. It also said more than $9 billion had moved across LayerZero after April 19 without other applications being affected. Still, LayerZero acknowledged a key mistake: allowing its DVN to operate as a 1-of-1 verifier for high-value transactions. The team said developers should choose their own security settings, but said LayerZero Labs failed to monitor what its DVN was securing closely enough. LayerZero said it will no longer service 1-of-1 DVN configurations. It is also moving defaults toward 5-of-5 verification where possible, and no lower than 3-of-3 on chains where only three DVNs are available. KelpDAO Moves to Chainlink After Exploit KelpDAO has now moved away from LayerZero and selected Chainlink’s Cross-Chain Interoperability Protocol. The shift makes KelpDAO one of the first major protocols to leave LayerZero after the exploit. Subsequently, the migration has now expanded beyond KelpDAO. Analyst Tom Wan noted that protocols with about $2 billion in combined TVL are moving from LayerZero to Chainlink CCIP. That includes KelpDAO with roughly $1.5 billion, SolvProtocol with about $600 million, and re with about $200 million. Chainlink CCIP uses decentralized oracle networks that require at least 16 independent node operators to validate cross-chain transactions. KelpDAO said the move directly addresses the architectural weakness involved in the attack. KelpDAO’s rsETH will also adopt Chainlink’s Cross-Chain Token standard. Chainlink said its infrastructure has supported more than $30 trillion in cross-chain transaction value. The migration follows a debate over responsibility. LayerZero said it had warned against single-verifier setups. KelpDAO and other observers argued that the 1-of-1 setup had been part of LayerZero’s default onboarding path. One analysis cited by KelpDAO said 47% of about 2,665 LayerZero applications were using the same single-verifier configuration at the time of the attack. DeFi United, Frozen ETH, and LayerZero’s Security Changes After the exploit, Aave, KelpDAO, LayerZero, and other participants formed DeFi United to help restore rsETH backing. LayerZero contributed about 10,000 ETH, including a 5,000 ETH donation and a 5,000 ETH loan to Aave. The recovery effort has raised more than $300 million in crypto. The recovery became more complicated after the Arbitrum Security Council froze 30,766 ETH linked to the exploit. Plaintiffs with terrorism-related claims against North Korea later moved to seize those funds, arguing they may be tied to the Lazarus Group. Aave has filed an emergency motion seeking to release the funds for affected users. LayerZero also addressed a separate internal issue involving a multisig signer. The company said that three and a half years ago, one signer used a multisig hardware wallet for a personal trade by mistake. LayerZero said the signer was removed, wallets were rotated, and signing practices were changed. The company said it has built OneSig, a custom multisig system designed to improve signing security across supported chains. It also plans to raise its multisig threshold from 3-of-5 to 7-of-10, where OneSig is available. LayerZero is also building Console, a platform for issuers to configure, deploy, and manage asset issuance and security. Console is expected to include alerts for unknown DVNs, unsafe settings, ownership changes, block-confirmation changes, and use of defaults. The exploit has now moved beyond one bridge failure. It has become a story about developer defaults, verifier design, RPC security, DAO recovery efforts, and whether cross-chain systems can protect high-value assets without relying on hidden or weak assumptions.
11 May 2026, 03:00
LayerZero loses $2B in protocol TVL after exploit fallout – What next?

Protocols with $2 billion in combined Total Value Locked, including Kelp, Solvprotocol, and Re, left LayerZero following a recent security incident.











































