- In 48 hours, a single forged message on a third-party bridge drained $292M from KelpDAO, froze 20+ chains, and stress-tested every bridge in DeFi
- Agglayer kept operating, processing ~$200M in bridge volume for chains like Katana
- Agglayer uses ZK proofs and onchain pessimistic proofs, powered by SP1, instead of operator committees, securing its ecosystem against the exact attack vector behind the rsETH exploit
- Every chain launched on CDK ships with Agglayer connectivity baked in: unified liquidity and ZK security come out-of-the-box
Crosschain infrastructure gets stress-tested in two conditions: normal market hours, and the moments for which nobody plans. The rsETH exploit was the second kind.
Saturday night, a forged signature on KelpDAO's LayerZero bridge drained $292 million in rsETH. The attacker used it as collateral to borrow ETH on Aave, leaving up to $230 million in bad debt. Within 24 hours, users pulled $6.6 billion from Aave. Lido, SparkLend, Fluid, Upshift, and Ethena paused markets or bridges. rsETH on twenty-plus chains became collateral of uncertain backing overnight.
Polygon Chain kept running. Agglayer, the cross-chain settlement layer, kept running. And CDK chains kept running. Together they processed ~$200M in bridge volume post-hack while much of DeFi and bridging infrastructure paused.
Our security, product, and support teams were working directly with institutional and ecosystem partners around the clock from the moment the situation developed.
Katana, built on Polygon CDK with native Agglayer connectivity, was one ecosystem team that had zero exposure throughout the weekend. Users could access their funds. Liquidity was there when they needed it. None of that happened by accident. It happened because of their foundational architectural choice with Polygon CDK and Agglayer: relying on zero-knowledge (ZK) technology.
This is why choosing math over multisigs was the one thing that kept Agglayer running when it mattered most.
Why ZK-based bridging holds where others haven't
Most cross-chain bridges work on trust. A committee of off-chain operators watches one chain and attests to what happened on another. That committee might be called a DVN, a relayer set, an oracle network, or a multisig. The label varies, but the assumption doesn't. The bridge trusts the committee. Users trust the bridge. Everyone hopes the committee stays honest and uncorrupted under pressure.
Agglayer doesn't work that way.
Instead of a committee, Agglayer uses ZK proofs, cryptographic receipts that prove a computation was performed correctly. Any machine can verify one in milliseconds. The proof is either valid or it isn't. There are no operators to manipulate, no RPC feeds to poison, no quorum to compromise at 3am on a weekend. The security doesn't depend on anyone's good behavior. It depends on math.
Layered on top is what we call pessimistic proofs: on-chain accounting that tracks every asset entering and leaving every chain connected to Agglayer. Before any withdrawal finalizes, the ledger has to balance. A chain cannot withdraw more of an asset than it has on record, for any reason, including a forged upstream message. If the accounting doesn't add up, the proof fails and nothing moves.
Agglayer pessimistic proofs run on Succinct's SP1 proving system to enforce the security model at production scale. Built with Polygon Plonky3, SP1 generates proofs fast enough for live bridge traffic. Every connected chain produces a proof of its outbound messages before settlement. A malicious or compromised chain is isolated by default. It cannot trigger actions or drain funds on other chains. That's what makes the KelpDAO category of attack structurally impossible on Agglayer. Chains built on Polygon CDK OP Stack like Katana inherit this directly: Succinct’s SP1 proofs give them fast finality, strong security, and seamless Agglayer interop from day one.
If you run the rsETH exploit through this layer: the attacker submits a withdrawal for 116,500 rsETH. The pessimistic proof checks the ledger. No corresponding deposit exists. The withdrawal is rejected before anything leaves the system.
This is the design that blocks the entire infinite-mint category of bridge attack. Agglayer has been running this architecture in production since July 2024, and it held this weekend.
What Agglayer looks like in production
When the exploit surfaced over the weekend, Polygon's security team monitored the situation immediately. Product, security, and support teams worked directly with institutional and ecosystem partners around the clock, helping teams understand their exposure, access liquidity, and protect users.
Bridging to and from Katana remained fully available through Agglayer throughout the incident, because Agglayer was never at risk. There was nothing to pause or patch.
The concern was limited to third-party bridge routes. We identified every potentially affected path on Katana and assisted to pause their LayerZero route on Vault Bridge as a precaution. For users moving funds through Agglayer, there was no impact.
Polygon’s quick response is especially possible because of how CDK and Agglayer are built: one team, one stack, full visibility. There's no handoff between a bridge vendor, a chain provider, and a security firm. When partners need support, they have one call to make.
That's why Agglayer is built the way it was. ZK proofs rather than off-chain attestations, built into Katana's deployment from day one. And it's open source, with no protocol fees or licensing. Any team ready to move off trusted attestation can plug in.
What CDK + Agglayer means for institutions deploying chains
Katana isn't a special case. It's what every chain built on CDK gets.
When an institution launches on CDK, Agglayer connectivity ships with initial deployment. There's no separate bridge integration project. No additional vendor negotiation. The ZK security layer and access to Agglayer's unified liquidity network arrive with the chain out-of-the box.
This matters beyond security. The question institutions face when building their own chain is usually a hard tradeoff: privacy or liquidity. Private chains give institutions control over who sees their transactions, but wall them off from the broader crypto economy and the liquidity that comes with it. Public L2s offer deep liquidity but expose counterparties, positions, and transaction data to the world.
CDK chains resolve that tradeoff. They connect to the full crypto economy through Agglayer: global liquidity, cross-chain interoperability, access to DeFi, without broadcasting internal transaction data to competitors.
For teams building on CDK, Polygon is present at every stage, from chain design, to deployment, through any crisis that follows.
This is where bridge security goes next
The rsETH exploit should serve as a warning. The cadence of bridge attacks is increasing because the tools to find vulnerabilities in committee-based systems are improving faster than the committees' ability to defend themselves. AI-assisted auditing finds misconfigurations that once stayed buried in complexity. The attack surface for operator-based bridges isn't shrinking.
ZK proofs don't have that problem. The security relies on math, not human operations. It doesn't require a team, and doesn't create a surface for social engineering or infrastructure compromise.
For institutions building payment infrastructure, launching blockchains, or moving significant capital crosschain, the choice of security architecture is a foundational decision.
Agglayer was built for that moment. This weekend, it delivered.
If this weekend changed how you think about bridge security, reach out to our team. Agglayer can plug in to any Optimistic or ZK rollup, across any VM.
.png)
.png)
.png)
