A wave of protocol-level security responses followed the $292 million KelpDAO rsETH exploit on April 19, with BitGo, Polygon, and Katana moving swiftly to isolate potential contagion.
The attack drained 116,500 rsETH from Kelp DAO’s LayerZero-powered cross-chain bridge through a forged message that bypassed its Decentralized Verifier Network (DVN) configuration.
Protocols Move to Contain Fallout
BitGo, alongside BiT Global Trust, took down the LayerZero OFT DVNs for Wrapped Bitcoin (WBTC) as a precaution. The firm confirmed that user funds remain secure and pledged to share updates as more information becomes available.
Polygon stated that its chain, Agglayer, and broader ecosystem remain unaffected by the incident. The network noted it has safely processed over $2 trillion to date.
Katana paused the OFT path on Vaultbridge, which relied on a 2/3 DVN setup. Bridging through Agglayer, which verifies with zero-knowledge proofs rather than proof-of-authority multisigs, remained fully available.
Meanwhile, Cyvers CTO and co-founder Meir Dolev revealed that KelpDAO was just three minutes away from losing an additional $100 million. A rapid-response blacklist blocked the attacker before a second attempt could succeed.
Industry Leaders Call for Structural Rate Limits
The exploit has reignited calls for built-in rate limits across DeFi protocols. Ethena contributor Guy Young argued that asset issuers should implement throttled cross-chain transfers on top of standard LayerZero OFTs.
“We built a solution on top of the standard OFT to throttle cross chain transfers at $10m per hour for every DVN, in addition to the $10m per block rate limit on the mint contract. The former would have prevented Kelp, the latter Resolv,” he wrote.
Ethena’s configuration caps potential damage at $10 million per chain per hour even if a DVN is fully compromised. Young called the slight inconvenience for users a worthwhile tradeoff to avoid catastrophic losses.
Keone Hon, CEO and co-founder of Monad, proposed that pooled lending protocols adopt “smart caps” that limit how quickly collateral supply can grow.
He pointed to the Resolv hack in March, where the attacker minted infinite tokens but could only extract $24 million because exit pathways were small.
Hon argued that high supply caps should be seen as a liability, not a sign of stature. A supply limit slightly above current utilization, adjusting over hours to the true cap, would have saved rsETH depositors $200 million, he estimated.
The KelpDAO breach is now the largest DeFi exploit of 2026. Whether protocols adopt the rate-limiting measures these leaders are proposing may determine how large the next one gets.
The post BitGo, Polygon Among Industry Giants Pushing Rate Limits After The Largest DeFi Exploit of 2026 appeared first on BeInCrypto.
Source: https://beincrypto.com/kelpdao-rseth-exploit-bitgo-polygon-rate-limits/