Network News

KELP DAO EXPLOIT: A cross-chain bridge holding nearly a fifth of a restaked ether token’s circulating supply just got drained, and the fallout is moving through DeFi faster than Kelp DAO can pause contracts. An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC over the weekend, worth roughly $292 million at current prices and representing about 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko. LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradeable receipt. The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains. The attacker tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address. Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million. — Shaurya Malwa Read more.

NORTH KOREA CRYPTO HEIST PLAYBOOK: Less than three weeks after North Korea-linked hackers used social engineering to hit crypto trading firm Drift, hackers tied to the nation appear to have pulled off another major exploit with Kelp. The attack on Kelp, a restaking protocol tied into LayerZero’s cross-chain infrastructure, suggests an evolution in how North Korea-linked hackers operate, not just looking for bugs or stolen credentials, but exploiting the basic assumptions built into decentralized systems. Taken together, the two incidents point to something more organized than a string of one-off hacks, as North Korea continues to escalate its efforts to hijack funds from the crypto sector. “This is not a series of incidents; it is a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You cannot patch your way out of a procurement schedule.” More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks. At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked the way it was designed to. Rather, attackers manipulated the data feeding into the system and forced it to rely on those compromised inputs, causing it to approve transactions that never actually occurred. — Margaux Nijkerk Read more.

AAVE AFFECTED BY KELP DAO HACK: An attacker exploited that setup by forging a transfer message that appeared valid. The system approved the transfer even though the tokens were never taken out of the sending chain, meaning new tokens were effectively created without backing, releasing 116,500 rsETH from the Ethereum-side bridge. Rather than selling the assets on the open market, the attacker deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum, according to the report. This left Aave exposed to collateral whose backing may be significantly impaired. Aave Labs said it moved quickly to contain the risk. Within hours, the protocol froze rsETH markets across its deployments, set loan-to-value ratios to zero, and halted new borrowing against the asset. The outcome now depends largely on how Kelp handles the shortfall. If losses are spread across all rsETH holders, the token would face an estimated 15% depegging (meaning the value of the staked tokens would not match the value of actual ETH), resulting in about $124 million in bad debt for Aave. If losses are instead isolated to Layer 2 networks, the impact would be far more severe, with bad debt rising to roughly $230 million and concentrated on networks such as Arbitrum and Mantle.— Margaux Nijkerk Read more.

COINBASE COMMISSIONS PAPER ON QUANTUM COMPUTING RISKS: A new report commissioned by Coinbase sounds a cautious, but urgent, alarm: Quantum computing won’t break crypto tomorrow, but the industry can’t afford to wait. The 50-page paper, authored by an independent advisory board that includes prominent cryptographers and academics like Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation and Sreeram Kannan of Eigen Labs, concludes that while today’s blockchains remain secure, a future “fault-tolerant quantum computer” capable of breaking widely used encryption is increasingly plausible, and preparation must begin now. In recent months, concerns around quantum risk have moved further into the mainstream. Google researchers have published estimates suggesting that a sufficiently advanced quantum computer could one day break Bitcoin’s cryptography. Major crypto ecosystems have already started mapping out their responses. The Ethereum Foundation has proposed new types of digital signatures that are designed to be safe against quantum computers, while Solana and others are experimenting with quantum-resistant wallet designs. The report stresses that current quantum machines are far from powerful enough to crack the cryptography underpinning Bitcoin, Ethereum and other networks. Breaking standard encryption would require vast computational overhead, a milestone still considered a major engineering challenge. — Margaux Nijkerk Read more.

In Other News

• A chunk of the Kelp DAO haul is no longer going anywhere. Arbitrum’s Security Council froze 30,766 ETH worth roughly $71 million on Monday night, moving funds linked to Saturday’s $292 million rsETH exploit into an intermediary wallet that can only be accessed through further Arbitrum governance action. The council said it acted on law enforcement’s input regarding the exploiter’s identity and executed the freeze “without impacting any Arbitrum users or applications.” The transfer completed at 11:26 p.m. ET on April 20, according to Arbitrum’s statement on X. The stolen funds are no longer under the control of the address that originally held them. — Shaurya Malwa Read more.
• A Polymarket contract on whether Kelp DAO will spread the losses from the weekend’s $292 million exploit beyond those directly affected is pointing to a clear answer: probably not. Bettors are giving a 14% chance that Kelp will “socialize the losses,” or implement a mechanism forcing rsETH holders on Ethereum, which wasn’t hit, to share the pain of users on other chains. The attackers drained roughly 116,500 rsETH from a LayerZero-powered bridge that held the reserves backing the token across more than 20 blockchains. That left parts of the system undercollateralized, with some holders effectively owning tokens no longer fully backed by ether (ETH). “Socializing the losses” would mean Kelp redistributes the shortfall across all rsETH holders, including those on the Ethereum mainnet, rather than leaving losses concentrated among users and protocols tied to the compromised bridge. The most widely cited precedent of this approach came in 2016, when Bitfinex imposed losses on all users after a $60 million hack, effectively mutualizing the hit to avoid shutting down. — Sam Reynolds Read more.

Regulatory and Policy

• April appears to be a lost cause for the crypto Clarity Act, but a U.S. Senate committee hearing sometime in May could keep the critical market structure legislation alive, as long as it can reach a final vote of the overall Senate by July, according to lobbyists and a lawmaker aide focusing on the market structure bill’s sluggish progress. The legislative calendar is running out of room for this year, but a Senate aide told CoinDesk that a potential new delay of a couple of weeks — allowing Republican Senator Thom Tillis to finish discussions with bankers over stablecoin-yield concerns — is not yet pushing this work past the point of no return. The aide also said that earlier negotiations over decentralized finance (DeFi) protections are effectively settled, leaving few other impediments in the way of a committee approval.One of the chief problems the crypto industry faces (if it can leap the stubborn hurdle of the banking sector’s objections about stablecoin rewards) is that the Senate Banking Committee hearing that the bill needs to clear would be only a first step of many. — Jesse Hamilton Read more.
• Tron creator Justin Sun sued World Liberty Financial, the stablecoin and crypto firm backed by members of U.S. President Donald Trump’s family, on Tuesday, alleging that the project had unfairly locked up his $WLFI holdings, made fraudulent misrepresentations, and threatened and defamed Sun. The lawsuit filed, which includes a line about Sun’s support for Trump himself, alleged that World Liberty’s leadership had engaged “in an illegal scheme to seize property” in the form of Sun’s tokens, which Sun alleged he had purchased after being solicited by the World Liberty team in 2024. “At that pivotal time for World Liberty, Mr. Sun invested $45 million to purchase $WLFI tokens from World Liberty not only because of the project’s claims that it would promote adoption of decentralized finance — an issue Mr. Sun cares deeply about and to which he has devoted much of his life’s work — but also because of the Trump family’s association with the project,” the suit said.— Nikhilesh De & Sam Reynolds Read more.

Calendar

• May 5-7, 2026: Consensus, Miami
• June 2-3, 2026: Proof of Talk, Paris
• June 8-10, 2026: ETHConf, New York
• Sept. 29-Oct.1, 2026: Korea Blockchain Week, Seoul
• Oct. 7-8, 2026: Token2049, Singapore
• Nov. 3-6, 2026: Devcon, Mumbai
• Nov. 15-17, 2026: Solana Breakpoint, London

Blockchains were built as public networks in the best tradition of open-source technology. But their future is private. And that future is arriving faster than most people realize.

This month, Tempo — the Stripe-backed payment blockchain that raised $500 million at a $5 billion valuation, with Visa, Mastercard, Paradigm, and UBS among its backers — published a detailed architectural proposal for private enterprise stablecoin transactions. Tempo is not a scrappy privacy-native project. It is arguably the most institutionally credentialed blockchain launch in years, built by people who deeply understand what banks, payment processors, and enterprises actually need. When a network with that pedigree makes privacy a launch-week priority, it isn’t a signal. It’s a verdict.

The question of whether or not institutional chains will be private has been settled. What remains is the harder one: what kind of privacy are we actually building?

The problem with public chains

Bitcoin solved a problem that had stumped computer scientists and bankers for decades: how to transfer value between strangers without a trusted intermediary. Ethereum took blockchains further, offering programmable value alongside value transfer — smart contracts that could encode agreements, automate settlement, and eliminate entire categories of middlemen. Then came stablecoins, which married programmability to the stability of the dollar, and from there, the migration of real-world assets to onchain protocols began.

Each wave has brought added institutional interest, capital, and ambition. And now, as regulatory clarity emerges, institutions are ready to deploy resources onchain.

But there’s one thing holding them back — a fundamental flaw that becomes more consequential the larger the numbers get.

Everything is visible. Every wallet. Every balance. Every transaction, in real time, is readable by anyone with a browser. In financial markets, this is not a feature. It is an existential problem. Imagine if every hedge fund’s positions, every corporate treasury’s holdings, every pension fund’s rebalancing trade appeared on a public screen the moment it was executed. Sophisticated counterparties would front-run. Competitors would map your strategy. Criminals would identify targets. The financial system as it exists today would seize up overnight.

Blockchains have been asking institutions to accept exactly that. Tempo’s announcement on April 16 is the clearest possible signal that institutions have finally said: no.

Architecture is destiny

Here is where the conversation gets more consequential — and more nuanced.

Tempo’s solution is Zones: private parallel blockchains connected to the main network. Within a Zone, participants transact privately. The public sees only cryptographic proofs of validity, not underlying data. Compliance controls travel with the token automatically. Assets remain interoperable with Tempo Mainnet. For enterprises running payroll, treasury operations, or settlement workflows, it is a thoughtful and practical design.

But Tempo’s privacy model is operator-visible. The Zone operator — an enterprise or infrastructure provider — sees all transactions within its Zone. The public sees nothing. The operator sees everything. For many regulated institutions, this is acceptable, and may even be required. But it means privacy is contingent on trusting an intermediary. You have moved the visibility problem; you have not eliminated it.

This is not a criticism of Tempo. It is a description of a genuine architectural choice — one with real consequences for anyone thinking carefully about risk.

Zero-knowledge cryptography offers a different path. ZK proofs allow a party to prove that a transaction is valid without revealing the underlying data. A new generation of ZK-native blockchains builds this privacy-preserving functionality into the execution layer itself. Accounts execute transactions locally, with the chain storing only a cryptographic commitment. Nothing sensitive ever touches a public ledger. Transaction history is not browsable. And crucially, no operator has a god’s-eye view — privacy is enforced at the base layer, not delegated to an intermediary.

If Bitcoin gave us trustless transfer and Ethereum gave us programmable trust, ZK-native blockchains offer verifiable privacy: the ability to prove that everything happened correctly without revealing what actually happened.

Compliance without full transparency

The obvious objection is regulatory. Privacy and compliance have long been framed as incompatible — oil and water. That framing is becoming obsolete.

Regulatory compliance does not require that everyone can see your transactions. It requires that the right parties, under the right conditions, can verify that your transactions were legitimate. That is a meaningful distinction, and it is one that ZK cryptography is uniquely positioned to enforce. Selective, programmable disclosure — revealing what regulators need to see, nothing more — is not a workaround. It is a more precise implementation of what compliance actually demands.

Tempo’s model handles this at the operator level. ZK-native approaches handle it at the cryptographic level. Both satisfy the compliance requirement. But they distribute trust very differently.

The question that matters

The financial industry knows it needs to move onchain. It now knows — Tempo’s announcement makes this undeniable — that it cannot do so on fully public infrastructure. The era of public-by-default blockchains as the assumed standard for institutional finance is ending.

What comes next depends on a choice the industry is only beginning to make clearly: privacy through trusted operators, or privacy through cryptographic guarantees that require no trust at all.

Both are legitimate answers. But they are not equivalent. The privacy model you choose determines your risk surface, your compliance posture, and your exposure to the failure modes of the intermediaries you depend on. Architecture is not a technical detail to be resolved later. It is the decision that determines everything else.

The question for the industry is not whether privacy. That debate is over.

The question is what sort of privacy — and who, if anyone, you are willing to trust with the view.

TLDR

• IO Global submitted nine treasury proposals for 2026 to support Cardano’s Leios scaling roadmap.
• The company requested just under 50% of the funding it sought last year.
• Voting on the Cardano treasury proposals will remain open until May 24.
• Leios is expected to enter testnet in June with a mainnet launch planned by late 2026.
• IO Global projected a 10% to 65% throughput increase under the Leios upgrade.

Input Output Global has filed nine treasury proposals for 2026 as it prepares the Leios scaling rollout. The company said it seeks just under 50% of last year’s funding request. Voting remains open until May 24, while the roadmap centers on Leios testnet progress and a planned 2026 mainnet launch.

Cardano Treasury Request Targets Core Upgrades

Input Output Global detailed nine proposals tied to core infrastructure, developer tools, and economic changes. The firm said its combined request equals just under 50% of the prior year’s ask. It confirmed that community voting will remain open through May 24.

The roadmap aligns with its 2030 Vision for network growth and higher transaction capacity. The consensus proposal stated, “Cardano must scale from today’s approximately 800,000 transactions per month to over 27 million.” It added that “Leios is the mechanism purpose-built to get there.”

IO Global expects Leios to enter testnet in June and plans mainnet deployment by late 2026. However, its public tracker shows development in mid-stage, with testnet progress near 24%. Specifications appear largely complete, while testing continues toward broader validation.

The company projected a 10x to 65x throughput increase under the Leios upgrade. It said the change will preserve Cardano’s existing consensus mechanism. IO linked the scaling effort to support for DeFi, real-world assets, and enterprise use cases.

Layer 2 and Developer Reforms Expand Roadmap

IO Global placed Layer 2 initiatives within the broader scaling plan and named Hydra and Midgard rollup. The proposal stated that “only with both does Cardano have a credible L2 story.” It positioned the two systems as complementary components of the network’s expansion.

The company also requested 62.1 million ADA for ongoing network maintenance and operations. It valued the amount at over $15.8 million based on current market prices. IO said the funds will support node upgrades, monitoring tools, and security systems.

Several proposals addressed developer experience and onboarding challenges within the ecosystem. IO described the current environment as “fragmented” and said it deters growth. A six-month initiative will streamline tooling and reduce onboarding costs.

Internal research showed many developers leave due to high setup demands and unclear processes. One proposal aims to expand formal verification across smart contract development. IO said it will improve Plutus tooling so users avoid “a PhD and three months of setup.”

Other measures focus on user interaction and new economic functions within the protocol. Planned upgrades include “Babel Fees,” which would allow transaction fees in tokens other than ADA. The company also proposed wallet-based micro-fees to create fresh revenue streams.

A separate proposal called Pogun targets bitcoin liquidity within the ecosystem. The document described BTC as “the world’s most valuable digital asset” that remains “almost entirely idle.” IO said Cardano could serve as a credit and yield layer for that capital.

The crypto industry is frequently finding bankers involved in its top-priority regulatory efforts, and this time, a coalition of bank trade associations has asked the U.S. Department of the Treasury to extend the window in which the public can weigh in on implementation of last year’s Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act.

In a letter sent this week to the Treasury Department and the Federal Deposit Insurance Corp., bankers in the U.S. are asking that three different GENIUS Act rule proposals get extended comment periods, at least 60 days after another rule effort (at the Office of the Comptroller of the Currency) is finished. The OCC’s push to implement its rule for policing stablecoin issuers is meaningful to the outcome of other rules being pursued at the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN), plus a related rulemaking at the FDIC.

All the efforts are “directly contingent on the OCC’s final framework,” the bankers contend. The collective efforts, in addition to regulatory proposals that haven’t yet emerged from the Federal Reserve and other agencies, “represent a body of regulatory work of extraordinary scope and complexity.”

The banking organizations, including the American Bankers Association and the Bank Policy Institute, said that their comments “will necessarily be more comprehensive, and therefore more useful to the agencies, if we have sufficient time to evaluate the proposed rules together and to evaluate each against the finalized OCC framework.”

The GENIUS Act is meant to be in place by 2027, though it’s not unusual for federal agencies to grant extensions of comment periods on complex rules. The Treasury Department didn’t immediately respond to a request for comment on the bank industry’s request.

The same bankers are also embroiled in a stablecoin-related debate with the crypto industry that’s so far managed to delay the Digital Asset Market Clarity Act for months, and potentially jeopardize its potential for becoming law this year.

Read More: U.S. Treasury proposes demands that stablecoin firms be set to police bad transactions

Even after more than a decade and a half, the identity of Bitcoin’s pseudonymous creator, Satoshi Nakamoto, is still an active mystery that provokes discourse and disagreement.

In the last couple weeks, a New York Times piece authored by investigative journalist John Carreyrou suggested that Satoshi is in fact Adam Back, while the recent documentary Finding Satoshi pegged a two-person team, namely Hal Finney and Len Sassaman.

Protos has reviewed the evidence pointing to several of the internet’s favored candidates for this illustrious role and laid out our findings below.

Adam Back

Adam Back, the chief executive officer (CEO) of Blockstream, has often been labeled as a likely candidate for Satoshi.

Among the reasons for this is his identity as a cypherpunk, an online community which believed in the beneficial effects of freedom technology tools developed using cryptography.

Satoshi generally appears to be a cypherpunk, or at the very least to be sympathetic to cypherpunk ideas, regularly citing and conversing with others in the community.

Back was also behind HashCash, another cryptographically based digital cash technology that was cited by Satoshi.

Notably, there exist emails that Back has shared in court cases which seem to show Satoshi reaching out to Back to make sure that he appropriately cites the HashCash paper. This has led Carreyrou to ask us to consider if “Mr. Back…sent those emails to himself as a cover story.”

🔍 Reading Satoshi’s entrails

Carreyrou’s reporting also emphasized the fact that Back shared certain stylistic markers with Satoshi.

Among these similarities were certain phrases like “backup” and “human friendly” as well as inconsistent hyphenation in words like e-mail/email.

Despite these stylistic similarities, there are still differences, with Carreyrou noting, “Mr. Back made a lot of typos and had a rambling style when he posted to mailing lists, while Satoshi’s writing was crisp and mostly typo-free.”

Others, like YouTuber BarelySociable, have also suggested that Back is the most likely Satoshi candidate.

Back strongly denies being Satoshi.

He was also briefly considered as a candidate by Finding Satoshi; however, it concluded he didn’t post at the appropriate times to be Satoshi.

Hal Finney

Hal Finney was a cryptographer who was the first person to receive bitcoin (BTC) from Satoshi.

Like Back, he seems to have many of the necessary skills, even working on a previous digital cash, Reusable Proofs of Work.

Finney was the first person to participate in a BTC transaction with Satoshi.

Russia moved closer to formal crypto regulation after lawmakers advanced a key digital currency bill in its first reading. The proposal sets a timeline for licensed trading and stricter controls. It outlines phased enforcement starting in 2026 and extending into 2027.

Russia Advances Licensed Crypto Framework

The State Duma approved draft bill No. 1194918-8 during its first reading this week. The legislation defines a core structure for digital currency operations across Russia. It places crypto trading under the supervision of the Bank of Russia.

The proposal allows residents to buy and sell crypto through approved intermediaries starting July 2026. However, it bans unlicensed platforms from operating by July 2027. Authorities aim to shift activity into regulated channels and reduce informal trading networks.

Lawmakers also introduced related bills alongside the main framework. Another draft, No. 1194929-8, passed its first reading during the same session. Together, these measures outline a broader plan to reshape the domestic crypto market.

Key Rules Target Retail Access and Market Limits

The bill sets strict eligibility rules for digital assets available to retail users. Authorities limit access to highly liquid cryptocurrencies meeting defined thresholds. These thresholds include market capitalization, trading volume, and operational history.

Assets must maintain an average capitalization above five trillion rubles over two years. They must also show daily trading volume above one trillion rubles during that period. Additionally, each asset must have at least five years of trading history.

Retail participants must pass a qualification test before accessing crypto markets. Moreover, the bill caps annual purchases at 300,000 rubles through a single intermediary. These rules aim to control exposure while maintaining supervised participation.

The legislation also permits residents to use foreign accounts for crypto purchases. However, users must report all such transactions to tax authorities. At the same time, the law continues to ban crypto payments inside Russia.

Enforcement Plans Face Legal and Industry Concerns

Lawmakers introduced separate drafts to define penalties for violations under the new system. Draft No. 1209607-8 proposes criminal liability for unlicensed crypto services. It also mandates registration with the central bank for all operators.

However, the Supreme Court of Russia reviewed the proposal and declined support in its current form. The court stated that enforcement rules depend on the main framework. It noted that penalties cannot function without a finalized regulatory base.

This response signals delays in implementing strict enforcement mechanisms. Authorities must first finalize the core digital currency legislation. Only then can supporting measures take full effect across the system.

Meanwhile, industry participants continue to assess the proposed structure. Some local stakeholders warn that strict controls could shift activity outside regulated platforms. They argue that excessive limits may push trading into informal channels instead of formal markets.

Russia has maintained a cautious stance toward crypto since its 2021 digital assets law. That framework allowed ownership but banned payments using digital currencies. The new legislative package builds on that approach while tightening oversight and market access.

Consequently, the current bill represents a significant step toward centralized control of crypto activity. It reflects a policy direction focused on supervision, compliance, and restricted participation. Further readings and amendments will determine the final shape of Russia’s crypto market structure.