TLDR:

• Iran warns Gulf desalination plants will be targeted if the US strikes its national power grid.
  
• Kuwait, Qatar, and Bahrain rely on desalination for up to 99 percent of their daily drinking water.
  
• The Gulf region produces 40 percent of the world’s desalinated water across 56 vulnerable coastal plants.
  
• Strikes on Jubail, the world’s largest desalination complex, could cut water access across Saudi Arabia.

Gulf desalination infrastructure is at the center of a rapidly escalating standoff between the United States and Iran. President Trump issued a 48-hour ultimatum threatening to destroy Iran’s national power grid.

Iran’s Foreign Minister Araghchi and military officials responded with warnings to attack Gulf desalination plants. The mutual crisis now threatens tens of millions of civilians on both sides. Neither side can execute its threat without triggering a devastating response from the other.

Iran Warns of Strikes on Gulf Water Facilities

Iran’s Foreign Minister Araghchi and military officials issued warnings through the Tasnim news agency. They stated that any US strike on Iranian power plants would trigger immediate retaliation.

Gulf energy infrastructure and desalination facilities were named as the primary targets. The warning came after Trump’s ultimatum threatened Iranian civilian power generation.

In a widely shared post, journalist Shanaka Perera outlined the region’s deep dependence on desalinated water. He noted that Kuwait sources 90 percent of its drinking water from desalination.

Qatar relies on desalination for nearly 99 percent of its water supply. Bahrain draws 85 percent, and Saudi Arabia depends on desalination for 70 percent.

The Gulf region collectively produces 40 percent of the world’s desalinated water. Some 400 facilities operate across the region, with output concentrated in 56 large coastal plants.

These plants sit within 350 kilometres of Iranian launch positions. They are open-air industrial complexes with no military fortification.

A missile strike on the Jubail complex in Saudi Arabia could cut water to Riyadh. Jubail is the world’s largest desalination facility, supplying water to the capital.

Riyadh has no rivers or natural groundwater reserves to replace the supply. Without desalination, large-scale evacuation would become the only available option.

A Circular Threat With No Safe Exit

The 48-hour ultimatum was set to expire on March 23. If the United States strikes Iranian power plants, Iran has stated it will retaliate against Gulf desalination plants.

Gulf water supplies could collapse within days of such a strike. Millions of Gulf residents would face a water emergency with no quick solution.

Precedent for targeting water infrastructure already exists within this conflict. On March 7, strikes damaged a desalination plant on Iran’s Qeshm Island, cutting water to 30 villages.

An Iranian drone struck a Bahraini water facility the following day. Both sides have already hit water infrastructure during the current escalation.

Twenty-three nations signed the Hormuz statement calling on Iran to halt hostilities. Bahrain, the UAE, and Qatar are among the signatories of that document.

These countries depend on desalination for the majority of their daily water supply. Iran responded to the statement by naming their water infrastructure as a retaliatory target.

The threat pattern creates a cycle of destruction with no clear endpoint. Iranian hospitals could lose power while Gulf hospitals simultaneously lose water access.

Both scenarios would produce mass civilian harm within days of any exchange. Water, not oil, has become the resource that transforms this conflict into a humanitarian emergency.

TLDR:

• Resolv Labs’ USR minting contract was exploited, allowing 50M USR to be minted with only 100K USDC in a 500x flaw.
• USR dropped 74.2% to $0.257 before partially recovering to $0.85, leaving liquidity providers with heavy losses.
• PeckShield confirmed $80M worth of USR was minted, with over $4.55M already converted into approximately 9,100 ETH.
• Resolv Labs had not issued any official response as the DeFi community called for stronger minting contract audits.

Resolv Labs’ USR stablecoin faced a suspected exploit on Sunday around 2:21 AM UTC. An attacker reportedly minted 50 million USR using only about 100,000 USDC.

This caused USR to lose 74.2% of its value, dropping to $0.257. The token later recovered to approximately $0.85. Blockchain security firm PeckShield confirmed that roughly $80 million worth of USR was minted during the attack. Resolv Labs had not responded publicly as of the time of reporting.

Attacker Exploits Minting Contract to Drain Liquidity

The attack was carried out through the USR Counter contract. The attacker executed two swaps to mint approximately 80 million USR tokens.

This was done using only around $200,000 in total funding. Experts suspect a flaw in the minting logic or a compromised signer was responsible.

After minting the tokens, the attacker then dumped them across decentralized exchanges. KyberSwap and Velora were among the platforms used for the selloff.

Through those sales, the attacker collected over $17 million in USDC and USDT. Those proceeds were then swapped into approximately 9,100 ETH.

Crypto analyst @ai_9684xtpa flagged the incident on social media shortly after. The post noted that 100,000 USDC produced 50 million USR, a 500-times discrepancy.

The Resolv team had yet to respond at the time. That ratio pointed to a serious breakdown in the protocol’s minting mechanism.

Liquidity providers suffered heavy losses from the sudden price collapse. Warnings were also issued for related vaults connected to the protocol.

USR is a yield-bearing stablecoin backed by crypto money markets. Before the incident, the protocol held over $500 million in total value locked.

Market Response and Community Reaction

USR’s price fell sharply following the exploit. From its near-$1.00 peg, the token dropped to $0.257 within a short time. It then recovered to trade between $0.85 and $0.86. However, the recovery remained partial and did not restore the full peg.

PeckShield reported that about $80 million worth of USR had been minted through the attack. The attacker had also converted funds into roughly $4.55 million worth of ETH by early reports.

Blockchain trackers continued monitoring the associated wallet activity throughout. The pace of fund conversion pointed to a coordinated and deliberate effort.

As of the time of writing, Resolv Labs had not issued any official statement. Users were watching closely for potential refunds or an emergency protocol response.

The DeFi community raised questions about the minting contract’s audit history. Past incidents of a similar nature have triggered protocol shutdowns and governance votes.

USR’s exploit adds to a growing list of stablecoin-related security failures across DeFi. Protocols carrying large total value locked have repeatedly drawn targeting from bad actors.

The community continued calling for stronger safeguards around minting contracts. Real-time monitoring and thorough audits remain critical priorities for user protection.

TLDR:

• BONKfun’s domain was hijacked via social engineering on March 11, targeting its domain registrar directly.
  
• The attack deployed a wallet drainer, causing approximately $30,000 in total user losses over one week.
  
• The domain was fully recovered on March 18, with the platform securely relaunching on March 19.
  
• BONKfun will reimburse all affected users at 110% of their losses to cover opportunity costs incurred.

BONKfun, the Solana-based memecoin launchpad, is back online following a domain hijacking incident on March 11. Attackers used social engineering to target the platform’s domain registrar, gaining unauthorized access and deploying a wallet drainer.

The breach remained external to BONKfun’s internal systems throughout. Over roughly one week, users suffered approximately $30,000 in losses.

The team has since recovered the domain and relaunched the site, pledging to reimburse all affected users at 110% of their losses.

How the Social Engineering Attack Unfolded

The breach began when a malicious actor manipulated BONKfun’s domain service provider through social engineering.

This allowed the attacker to transfer the domain to an external registrar without authorization. The move effectively cut the team off from quick recovery options. It also enabled the deployment of a wallet drainer on the hijacked site.

Once the team identified the breach, they moved quickly to disable the site entirely. They coordinated with major wallet providers, including Phantom, Solflare, and MetaMask, to flag the domain as malicious.

Security organization @_SEAL_Org also assisted in spreading awareness rapidly. These combined efforts helped contain further damage to users.

BONKfun confirmed the incident did not compromise its internal systems, codebase, or team accounts. The domain service provider accepted responsibility for the unauthorized transfer.

This acknowledgment helped clarify where the vulnerability originated. It also reassured users that the platform’s core infrastructure remained intact.

The team released a detailed post on X, stating that the domain transfer “greatly inhibited” their ability to relaunch quickly and securely.

The statement outlined each step taken to address the breach. It also confirmed that security partners played a key role in early containment. Transparency remained central to the team’s communication throughout the incident.

Recovery Process and User Reimbursement Plan

The domain and its registration were fully transferred back around 5:00 PM Eastern Time on March 18. Full wallet provider functionality was then restored late on March 19.

This allowed BONKfun to safely relaunch the site with security measures in place. The recovery took approximately one week from the date of the initial attack.

Following the relaunch, several antivirus software providers continued to flag the main BONKfun domain. As a result, the team activated an alternative URL, letsBONK.fun, for affected users.

Both sites carry the same full functionality as the primary platform. The team is actively working to remove the remaining antivirus flags.

To address user losses, BONKfun announced a reimbursement plan at 110% of confirmed losses. The additional 10% accounts for opportunity costs incurred during the downtime period.

Total estimated losses across all affected users stand at approximately $30,000. This approach reflects the team’s commitment to accountability after the attack.

The incident serves as a reminder that social engineering remains a persistent threat in the crypto space. Domain registrar-level attacks can bypass even the most secure internal systems.

Platforms in decentralized finance must maintain strong communication with their infrastructure providers. BONKfun’s response offers a clear example of structured and transparent crisis management.

The U.S. Commodity Futures Trading Commission (CFTC) has sharpened its stance on using crypto as collateral in derivatives markets, releasing updated guidance that clarifies how crypto assets can be deployed within a pilot program launched last year. A Friday notice from the agency’s Market Participants Division and Division of Clearing and Risk responds to FAQs that emerged from December staff letters and lays out the operational and risk parameters for futures commission merchants (FCMs) participating in the pilot.

In its notice, the CFTC reminded FCMs that to participate they must file a formal notice with the Market Participants Division, including the date on which they will begin accepting crypto assets from customers as margin collateral. The guidance aims to harmonize crypto collateral practices with a broader regulatory framework being developed in coordination with the Securities and Exchange Commission (SEC), as the two agencies outline a more unified approach to crypto oversight.

Key takeaways

• Capital charges for crypto collateral align with SEC oversight: 20% for Bitcoin and Ether positions, and 2% for stablecoins used as collateral.
• Initial three-month window restricts eligible collateral to Bitcoin, Ether, or stablecoins, with weekly reporting requirements and a prompt notice for significant cybersecurity or system issues.
• After three months, other crypto assets may be accepted as collateral, subject to ongoing risk and reporting standards.
• Residual interest in customer segregated accounts may be funded only with proprietary payment stablecoins; other tokens cannot be used for that purpose.

Operational guardrails and the three-month sprint

The notice makes clear that the pilot is designed with risk controls in mind. Futures commission merchants who wish to participate must submit a formal participation notice that includes the anticipated start date for accepting crypto as margin collateral. The three-month initial phase places strict limits on the types of crypto eligible for collateral, restricting it to Bitcoin, Ether, and stablecoins. During this period, FCMs are also required to file weekly reports detailing the total crypto holdings across customer account types and to promptly report any material cybersecurity or system issues.

The three-month horizon serves a dual purpose. It allows the CFTC to observe how crypto collateral behaves in real-time market conditions under a controlled regime, while enabling market participants to build processes around risk management, custody, valuation, and operational controls. After the initial period, the rulebook opens the door to additional digital assets, expanding the universe of potential collateral as regulators gain confidence in the framework.

What changes for market participants and tokenized markets

Beyond the three-month mark, the pilot could permit a broader spectrum of crypto assets to be used as collateral, provided they meet the CFTC’s risk, custody, and governance standards. The notice also clarifies several nuanced points about where crypto and stablecoins can—and cannot—serve as collateral. Notably, crypto and stablecoins cannot be used as collateral for uncleared swaps. However, swap dealers may deploy tokenized versions of eligible assets for collateral if they satisfy regulatory requirements and preserve the same rights those assets confer in their traditional form.

Derivatives clearing organizations (DCOs) have their own set of allowances. They may accept crypto and stablecoins as initial margin for cleared transactions, again contingent on meeting CFTC standards related to minimal credit, market, and liquidity risks. Finally, as to residual interest in customer accounts, the guidance specifies that only proprietary payment stablecoins may be deposited for that purpose, excluding other cryptocurrencies from this particular use case.

In framing these rules, the CFTC underscored its intent to align its approach with the SEC’s ongoing crypto framework. The agency’s notice notes that capital charges for crypto collateral will be consistent with SEC practices, signaling a coordinated path rather than a patchwork of standalone rules. The collaboration between the agencies is part of a broader effort to create a stable, transparent regulatory environment that can accommodate the 24/7 nature of crypto markets while enforcing prudent risk controls.

Participants will be watching closely how this evolves in practice. The pilot’s design—beginning with widely traded assets like BTC, ETH, and stablecoins—reflects a cautious, first-step approach to integrating digital assets into traditional margin concepts. It also signals how regulators intend to balance the benefits of crypto-native features, such as rapid settlement and continuous trading, with the need to manage financial risk and ensure market integrity.

For traders, funds managers, and infrastructure providers, the framework offers clarity on how crypto collateral might be used in the near term. It also highlights the kinds of operational capabilities that firms must develop: robust custody solutions, reliable valuation methodologies for volatile assets, strong cybersecurity postures, and precise reporting protocols to monitor crypto holdings in customer accounts.

Industry participants will also be watching for details on how tokenized assets and stablecoins will fare under the evolving rules. Tokenization can, in theory, unlock more flexible collateral options, but it requires careful attention to governance, settlement finality, and legal rights. The CFTC’s emphasis on risk controls, alongside explicit limitations on residual interest and uncleared swaps, suggests a measured approach to expanding collateral acceptance while preserving market safety nets.

Overall, the guidance reinforces a midterm view: a calibrated expansion of crypto collateral capabilities that can gradually broaden the collateral toolkit for U.S. derivatives markets, anchored by risk-management discipline and regulatory alignment with the SEC.

Investors and market participants should monitor how this pilot progresses in the coming months, including any updates to asset eligibility, reporting requirements, or capital-charge methodologies. The three-month checkpoint will likely spur conversations about whether additional assets should qualify, how valuation and custody standards will be harmonized, and what that means for liquidity and funding costs in crypto-backed trading strategies.

As regulators continue to shape the playbook, the core question remains: can a robust, well-regulated framework unlock crypto collateral’s potential while preserving financial stability? The CFTC’s latest notice positions the industry at a pivotal juncture, where clarity and risk controls could unlock broader adoption in the years ahead.

For now, market participants should prepare for continued regulatory alignment with the SEC, stay alert to any shifts in asset eligibility, and ensure their internal controls and reporting capabilities meet the forthcoming standards if they plan to participate in the pilot.

A Nevada judge has temporarily blocked Kalshi from operating in the state, finding that state authorities are reasonably likely to prevail in a legal fight over whether the company’s event contracts violate Nevada gambling laws.

Carson City District Court Judge Jason Woodbury issued a temporary restraining order on Friday, siding with a Nevada Gaming Control Board motion to block Kalshi from operating in the state for 14 days.

“Prediction markets, to ​the extent they facilitate unlicensed gambling, are illegal in Nevada, and we have a statutory duty to protect the public,” Nevada Gaming Control Board Chair Mike Dreitzer said in a statement to Reuters.

Kalshi did not immediately respond to a request for comment.

The court’s decision comes after a federal appeals court on Thursday denied an emergency request by Kalshi to stay a federal court proceeding, allowing Nevada’s regulators to take action.

Nevada bars sports, election and entertainment event contracts

In his order, Judge Woodbury wrote that Kalshi was banned from offering sports, election and entertainment-related event contracts in Nevada.

He added that, in the record of the early stages of the case, such contracts are considered a “sports pool” under Nevada law, which Kalshi was not licensed to operate.

The Nevada Gaming Control Board sued Kalshi last month, asserting the company needed to be licensed by the state in order to offer its sports event contracts.

Kalshi argued that its contracts are under the exclusive jurisdiction of the Commodity Futures Trading Commission, an agency that has backed prediction markets that are fighting in multiple state courts over accusations of offering illegal gambling.

“The question of federal preemption in this regard is nuanced and rapidly evolving,” Judge Woodbury wrote in his motion, rejecting Kalshi’s argument. “At the moment, the balance of convincing legal authority weighs against federal preemption in this context.”

Related: Kalshi CEO fires back against Arizona criminal charges as ‘total overstep’

Judge Woodbury scheduled a hearing on April 3 to consider a motion for preliminary injunction against Kalshi.

Kalshi is being sued, or has launched its own legal action, against multiple states that have accused the prediction market of operating without a state license.

A Massachusetts state judge banned Kalshi from offering sports event contracts earlier this year, which was lifted after Kalshi appealed the decision.

On Tuesday, Arizona filed criminal charges against Kalshi, with the state’s Attorney General Kris Mayes alleging Kalshi is “running an illegal gambling operation,” which Kalshi CEO Tarek Mansour called a “total overstep.”

Magazine: When privacy and AML laws conflict — Crypto projects’ impossible choice