diff --git a/pkg/rpc/server/server.go b/pkg/rpc/server/server.go
index dd0fef137..50de230ac 100644
--- a/pkg/rpc/server/server.go
+++ b/pkg/rpc/server/server.go
@@ -77,6 +77,9 @@ const (
 // treated like subscriber, so technically it's a limit on websocket
 // connections.
 maxSubscribers = 64
+
+ // Maximum number of elements for get*transfers requests.
+ maxTransfersLimit = 1000
 )
 
 var rpcHandlers = map[string]func(*Server, request.Params) (interface{}, *response.Error){
@@ -548,6 +551,8 @@ func (s *Server) getNEP5Balances(ps request.Params) (interface{}, *response.Erro
 func getTimestampsAndLimit(ps request.Params, index int) (uint64, uint64, int, int, error) {
 var start, end uint64
 var limit, page int
+
+ limit = maxTransfersLimit
 pStart, pEnd, pLimit, pPage := ps.Value(index), ps.Value(index+1), ps.Value(index+2), ps.Value(index+3)
 if pPage != nil {
 p, err := pPage.GetInt()
@@ -567,6 +572,9 @@ func getTimestampsAndLimit(ps request.Params, index int) (uint64, uint64, int, i
 if l <= 0 {
 return 0, 0, 0, 0, errors.New("can't use negative or zero limit")
 }
+ if l > maxTransfersLimit {
+ return 0, 0, 0, 0, errors.New("too big limit requested")
+ }
 limit = l
 }
 if pEnd != nil {
diff --git a/pkg/rpc/server/server_test.go b/pkg/rpc/server/server_test.go
index 818cfd824..cb1df850a 100644
--- a/pkg/rpc/server/server_test.go
+++ b/pkg/rpc/server/server_test.go
@@ -175,6 +175,11 @@ var rpcTestCases = map[string][]rpcTestCase{
 params: `["` + testchain.PrivateKeyByID(0).Address() + `", "1", "2", "bleh"]`,
 fail: true,
 },
+ {
+ name: "invalid limit 3",
+ params: `["` + testchain.PrivateKeyByID(0).Address() + `", "1", "2", "100500"]`,
+ fail: true,
+ },
 {
 name: "invalid page",
 params: `["` + testchain.PrivateKeyByID(0).Address() + `", "1", "2", "3", "-1"]`,
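Review bot: The comment on the new `maxTransfersLimit` constant describes it only as a maximum, yet the same patch also uses it as the value `limit` starts with when the client sends no limit at all, so a reader of the const block misses half of its role. Suggest `// Maximum (and default, when the client omits it) number of elements for get*transfers requests.` It would also help to state that a request above the cap is rejected rather than clamped, since that is the behaviour an RPC client actually observes.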
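Review bot: The default for `limit` is assigned in a separate statement two lines below its zero-value declaration, which reads as if the zero value were meaningful and makes the default easy to overlook. Initialising it in the declaration keeps the fact in one place: `var limit, page = maxTransfersLimit, 0`. A short why-comment such as `// Clients that omit limit get the maximum page size rather than an unbounded result.` would also record the intent, since the old zero default presumably meant something different downstream. getTimestampsAndLimit continues past the end of this hunk.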
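Review bot: The new check rejects an oversized `limit`, but nothing in this hunk bounds `page`, which the same function parses; if the caller derives an offset as `page*limit` (its use is outside the hunk, so this is an inference), a huge page still forces the store to walk an arbitrary number of entries and can overflow `int` into a negative offset, which undoes the work bound this cap is meant to provide. Consider an upper bound on page in the same style as the limit check, or rejecting the pair when the product would overflow, with a matching test case. The message `"too big limit requested"` would also be more useful to API users if it named the bound, e.g. `errors.New("limit can't exceed 1000")` (or a `fmt.Errorf` using `maxTransfersLimit` if fmt is already imported in this file).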
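Review bot: The new rejection case uses 100500, far above the 1000 cap, so it would still pass if the comparison in getTimestampsAndLimit were off by one in either direction or used the wrong constant. Add a case at the boundary: a copy of the new entry named `invalid limit 4` with `"1001"` in place of `"100500"` and `fail: true`, and, if the rpcTestCase shape allows a non-failing case without a result expectation (not visible here), one with `"1000"` that must succeed.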