A wave of protocol-level security responses followed the $292 million KelpDAO rsETH exploit on April 19, with BitGo, Polygon, and Katana moving swiftly to isolate potential contagion.
The attack drained 116,500 rsETH from Kelp DAO’s LayerZero-powered cross-chain bridge via a forged message that bypassed its Decentralized Verifier Network (DVN) configuration.
BitGo, alongside BiT Global Trust, took down the LayerZero OFT DVNs for Wrapped Bitcoin (WBTC) as a precaution. The firm confirmed that user funds remain safe and pledged to share updates as more information becomes available.
Polygon said that its chain, Agglayer, and broader ecosystem remain unaffected by the incident. The network noted it has safely processed over $2 trillion to date.
Katana paused the OFT route on Vaultbridge, which relied on a 2/3 DVN setup. Bridging via Agglayer, which verifies with zero-knowledge proofs rather than proof-of-authority multisigs, remained fully available.
Meanwhile, Cyvers CTO and co-founder Meir Dolev revealed that KelpDAO was just three minutes away from losing an additional $100 million. A rapid-response blacklist blocked the attacker before a second attempt could succeed.
The exploit has reignited calls for built-in rate limits across DeFi protocols. Ethena contributor Guy Young argued that asset issuers should implement throttled cross-chain transfers on top of standard LayerZero OFTs.
“We constructed a solution on top of the standard OFT to throttle cross chain transfers at $10m per hour for each DVN, along with the $10m per block rate limit on the mint contract. The former would have prevented Kelp, the latter Resolv,” he wrote.
Ethena’s configuration caps potential damage at $10 million per chain per hour even if a DVN is fully compromised. Young called the slight inconvenience for users a worthwhile tradeoff to avoid catastrophic losses.
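The hourly throttle described above can be modelled as a sliding-window limiter on one bridge path. This is an added illustration, not Ethena's or LayerZero's code: the class and function names, the USD valuation of each message, and the sample messages are all assumptions constructed for the example.

```python
from collections import deque

LIMIT_USD = 10_000_000   # hourly cap quoted in the article
WINDOW_S = 3600          # one hour, in seconds


class PathThrottle:
    """Hypothetical sliding-window cap for one bridge path (e.g. one DVN route)."""

    def __init__(self, limit_usd=LIMIT_USD, window_s=WINDOW_S):
        self.limit_usd = limit_usd
        self.window_s = window_s
        self._log = deque()   # (timestamp, usd) of accepted transfers, oldest first
        self._used = 0        # USD accepted inside the current window

    def _expire(self, now):
        # Drop transfers that are a full window old or older.
        while self._log and self._log[0][0] <= now - self.window_s:
            self._used -= self._log.popleft()[1]

    def try_transfer(self, usd, now):
        """Accept a message only if the window stays under the cap; fail closed."""
        if usd <= 0:
            return False
        self._expire(now)
        if self._used + usd > self.limit_usd:
            return False      # rejected whole, never partially filled
        self._log.append((now, usd))
        self._used += usd
        return True


def replay(messages, throttle):
    """Replay time-ordered (timestamp, usd) messages; return (accepted, rejected) USD."""
    accepted = rejected = 0
    for ts, usd in messages:
        if throttle.try_transfer(usd, ts):
            accepted += usd
        else:
            rejected += usd
    return accepted, rejected


# Constructed inputs: one message the size of the reported loss, and the same
# idea split into $4M messages sent every 10 minutes (t = 0 .. 3600 s).
SINGLE = [(0, 292_000_000)]
SPLIT = [(600 * i, 4_000_000) for i in range(7)]
```

Because the window slides, no 3,600-second span ever carries more than the cap, so splitting a large message into smaller ones slows the outflow rather than evading the limit.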
Keone Hon, CEO and co-founder of Monad, proposed that pooled lending protocols adopt “smart caps” that limit how quickly collateral supply can grow.
He pointed to the Resolv hack in March, where the attacker minted infinite tokens but could only extract $24 million because exit pathways were small.
Hon argued that high supply caps should be seen as a liability, not a sign of stature. A supply limit slightly above current usage, adjusting over hours to the true cap, would have saved rsETH depositors $200 million, he estimated.
The KelpDAO breach is now the largest DeFi exploit of 2026. Whether protocols adopt the rate-limiting measures these leaders are proposing may determine how large the next one gets.
Read the original story: BitGo, Polygon Among Industry Giants Pushing Rate Limits After The Largest DeFi Exploit of 2026 by Lockridge Okoth at beincrypto.com