Kelp DAO claims that LayerZero personnel approved the 1-of-1 verifier setup, a decision LayerZero has since cited as the reason a North Korea-linked attacker drained roughly $292 million from Kelp’s rsETH bridge.

The claim runs counter to LayerZero’s April 19 postmortem, which said Kelp’s rsETH application relied on LayerZero Labs as its sole verifier and that the setup “directly contradicts” LayerZero’s recommended multi-DVN model.

Kelp’s memo says LayerZero personnel reviewed its configurations for over 2.5 years and in eight integration discussions, without warning that a 1-of-1 setup posed a material security risk.

The memo, titled “Setting the Record Straight Around the LayerZero Bridge Hack,” includes screenshots of Telegram exchanges that document LayerZero’s awareness and lack of objection to Kelp’s verifier setup.

One screenshot shows a LayerZero team member saying: “No problem on using defaults either — just tagging [redacted] here since he mentioned you may have wanted to use a custom DVN setup for verifying messages, but will leave that to your team!” Kelp says the “defaults” referenced in the exchange were the 1-of-1 LayerZero Labs DVN configuration later cited by LayerZero as the application-level setup that enabled the exploit.

CoinDesk could not independently authenticate the screenshot.

LayerZero’s templates

Kelp also points to LayerZero’s bug bounty scope, OFT Quickstart and developer examples as evidence that LayerZero treated verifier-network choices as application-level configuration while showing builders a one-DVN setup.

LayerZero’s published bug bounty scope on Immunefi excludes from rewards “impacts to OApps themselves as a result of their own misconfiguration,” including verifier networks and executors.

The LayerZero OFT Quickstart and the official OFT example configuration on GitHub show LayerZero Labs as the required DVN, with no optional DVN set.

Kelp’s memo cites an April 19 post from Spearbit security researcher Sujith Somraaj, in which Somraaj said he had submitted a bug bounty report describing the same attack pattern and that LayerZero rejected it.

“My bug bounty: not a vuln, requires all DVNs,” Somraaj wrote on X. “Their deployment: removes the ‘all’ part. Hackers: collects $295M bounty instead.” Somraaj is a prior LayerZero auditor, according to his Cantina profile.

Kelp moves to Chainlink

Kelp also said it is moving rsETH off LayerZero to Chainlink’s Cross-Chain Interoperability Protocol. The shift moves rsETH from LayerZero’s OFT standard to Chainlink’s Cross-Chain Token standard.

The exploit drained 116,500 rsETH, worth roughly $292 million, from Kelp’s LayerZero-powered bridge. Two additional forged transactions totaling more than $100 million were signed and processed by the LayerZero Labs DVN before Kelp paused its contracts, the protocol said.

LayerZero said attackers are likely linked to North Korea’s Lazarus Group, who accessed the list of RPCs used by the LayerZero Labs DVN, compromised two RPC nodes and swapped out the binaries running on them.

The attackers then launched a DDoS attack against uncompromised RPC nodes, forcing a failover to the poisoned ones. LayerZero said the DVN then confirmed transactions that had not occurred.

Kelp argues the 1-of-1 setup was widespread. CoinGecko, citing Dune Analytics data, said 47% of roughly 2,665 active LayerZero OApp contracts ran a 1-of-1 DVN configuration over a 90-day period ending around April 22, with more than $4.5 billion in associated market value exposed to the same class of risk.

LayerZero’s postmortem said the protocol “functioned exactly as intended.” The company said it would no longer sign messages for any application running a 1-of-1 configuration, a policy change that took effect after the hack.

Kelp alleges that its team had to flag the exploit to LayerZero rather than the other way around, raising questions about LayerZero’s monitoring.

The memo also alleges substantial overlap in addresses granted ADMIN_ROLE on both the LayerZero Labs DVN and the Nethermind DVN, listing ten on April 8, 2026 and five additional on February 6, 2025. CoinDesk has not independently verified the onchain claim.

LayerZero did not respond to a request for comment by publication.

On at least two integrated chains, Dinari and Skale, the LayerZero Labs DVN is still listed as the only available attestor, according to the documentation.

Crypto asset ETPs just notched a fifth straight week of inflows, lifting five-week net flows above $4B and pushing AUM near $155B despite sharp midweek outflows.

CoinShares said that digital asset ETPs took in $117.8 million last week, extending their inflow streak to five weeks and bringing cumulative inflows over that period to more than $4 billion, as total industry AUM climbed to around $155 billion.

Inflows mask sharp intraweek reversal

Beneath the headline, however, flows were choppy. From Monday through Thursday, products collectively saw $619 million in net outflows, before a $737 million influx on Friday alone swung the weekly balance back into positive territory, a pattern CoinShares interpreted as a late‑week rebound in risk appetite.

Regionally, U.S. crypto ETP inflows slowed to about $47.5 million — a steep deceleration compared with roughly $1.1 billion the previous week — while Germany and Canada posted steadier gains of $43.8 million and $16 million, respectively, helping keep the global tally in the green.

CoinShares noted that only four assets saw meaningful inflows last week, down from nine in prior reports, which it said reflected “a significant weakening in sentiment midweek” before buyers returned to close out the period.

Bitcoin ETFs dominate while Ethereum stumbles

By asset type, Bitcoin-linked products once again led the pack, attracting $192.1 million in net inflows over the week, with U.S. spot ETFs accounting for roughly $162.8 million of that figure according to flow trackers cited in the report.

Those flows add to year‑to‑date Bitcoin ETP inflows that already exceeded $4 billion by late April, with CoinShares previously highlighting U.S. spot ETF demand as the primary driver behind the recent five‑week inflow streak.

Ethereum products moved in the opposite direction, suffering $81.6 million of net outflows as traders rotated away from ETH exposure, a reversal from earlier weeks in April when Ether ETPs enjoyed three consecutive weeks of inflows above $190 million.

CoinShares analysts suggested that the narrowing set of assets attracting fresh capital — combined with the midweek outflows and Friday’s outsized rebound — indicates a fragile but still positive backdrop, where institutional investors are selectively adding Bitcoin risk while remaining cautious on the rest of the market.

Australian rapper Iggy Azalea has been hit with a class action lawsuit accusing her of falsely promoting the use cases of her cryptocurrency MOTHER and causing investors financial losses. 

Azalea, real name is Amethyst Amelia Kelly, was named today by crypto legal firm Burwick Law in a suit filed in the New York Southern District Court.  

The suit details how the rapper promoted MOTHER as an exclusive means of accessing her online casino, MOTHERLAND, and as a means of securing discounts with mobile firm Unreal Mobile. 

However, it claims that the casino was never entirely dependent on MOTHER, and often dealt with stablecoin tether (USDT). It also notes that the Unreal Mobile MOTHER integration never occurred.

One year of $MOTHER 🫶✨ What we’ve built speaks for itself. Today marks more than just a milestone, it’s the start of something that’s about to ignite.. 🔥🔥 pic.twitter.com/4L3EtT02c8

— IGGY AZALEA (@IGGYAZALEA) May 28, 2025

Read more: N3on promised ‘up, up, up’ memecoin without any risk — it’s down 96%

Another luxury marketplace launched by Kelly, Dream Vault, made similar exclusivity promises regarding MOTHER’s usage, but these were never present, according to the lawsuit. 

Overall, the lawsuit alleges that the promises surrounding MOTHER’s utility uses, market support, and access rights were “limited, incomplete, contradicted, temporary, or not delivered.”

It also claims that buyers were misled, and that Kelly misrepresented the token’s economics and the amount of tokens owned by insiders. She claimed to only hold 3% of the supply. 

However, crypto analysts like Bubblemaps noted that 20% of the supply was bought by insiders before Kelly’s public launch, and they sold their holdings for $2 million.

The lawsuit’s various claims for relief accuse the defendants of deceptive practices, false advertising, negligent misrepresentation, and unjust enrichment. It seeks various compensatory damages to cover the losses the victims have allegedly suffered. 

Burwick Law’s Azalea suit shows signs of AI usage

Burwick Law was recently forced to apologise for and correct various citations and grammatical errors, including multiple misplaced quotation marks, in its lawsuit against memecoin platform Pump Fun.

The firm wrote that the errors “do not affect any substantive legal argument in the opposition,” and that it “regrets these errors and any inconvenience to the court or opposing counsel.”

However, these flaws could point to signs of potential AI usage, something which also appears to be present in its Azeala lawsuit.

Read more: ‘Hawk Tuah’ star pulled into expanding memecoin lawsuit

Indeed, the suit is littered with complex sentence structures, colons, and em dashes. There are also multiple short sentences that open paragraphs while adding little to no extra information.

Advertisement

Protos has reached out to Burwick Law and Azalea’s talent agency, United Talent Agency, for comment and will update this piece should we hear anything back.

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.

Federal prosecutors are recommending a light sentence for Roni Cohen-Pavon, the former chief revenue officer of defunct cryptocurrency lending platform Celsius.

In a Monday letter filed in the US District Court for the Southern District of New York (SDNY), US Attorney Jay Clayton cited Cohen-Pavon’s “substantial assistance” to the government, by being prepared to testify against former Celsius CEO Alex Mashinsky.

Prosecutors did not request a specific amount of time for the former chief revenue officer to spend in prison, instead asking the judge to consider the sentencing guidelines for an “appropriate sentencing reduction for a defendant who has rendered substantial assistance.”

“As soon as he pled guilty, Cohen-Pavon’s cooperation was public and known to Mashinsky,” said Clayton. “Cohen-Pavon’s cooperation was likely a significant factor in Mashinsky’s decision to plead guilty a few months prior to his January 2025 trial date.”

Excerpt from US Attorney’s letter in Cohen-Pavon sentencing. Source: PACER

Cohen-Pavon pleaded guilty to fraud and conspiracy to commit price manipulation related to Celsius’s CEL token in September 2023 as part of his role in the crypto lending platform’s activities that led to the loss of billions of dollars when the company collapsed in 2022. He had been scheduled to be sentenced before Judge John Koeltl on May 7, but on Monday the judge moved the sentencing hearing to May 13.

Related: Celsius founder Alex Mashinsky settles FTC case with $10M payment

Mashinsky, the public face of Celsius and one of the most prominent figures in the cryptocurrency industry at the time, was sentenced to 12 years in prison in May 2025 after pleading guilty to commodities and securities fraud. Many experts saw the fall of Celsius as intertwined with the 2022 crypto market downturn that resulted in the collapse of several exchanges, including FTX and Voyager Digital.

Cohen-Pavon’s lawyers asked for time served ahead of his sentencing hearing, saying that the former Celsius executive took “full responsibility for his conduct and the harms caused by his participation in the CEL token manipulation scheme.”

No new trial for former FTX CEO

The sentencing hearing, expected to wrap up the criminal cases associated with Celsius, will come after another SDNY federal judge denied former FTX CEO Sam Bankman-Fried’s request for a new trial. Bankman-Fried, also known as SBF, asked for a new trial by claiming that the judge overseeing his 2023 trial, Lewis Kaplan, showed “manifest prejudice” during the proceedings. He still awaits the results of a motion to overturn his conviction and sentence in appellate court.

Magazine: How to fix suspected insider trading on Polymarket and Kalshi

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

The Crypto Fear and Greed Index hit 50 on Tuesday, measuring “neutral” for the first time since Jan. 17. This shift ended a 108-day stretch dominated by negative sentiment. The index gauges market sentiment using volatility, momentum, trading volume, and social signals. A score below 25 signals “extreme fear” or risk aversion, while 26–49 reflects cautious positioning or “fear,” with higher readings indicating improving investor confidence. 

Crypto Fear and Greed Index. Source: Alternative.me

The index’s move to 50 marks its first neutral score since mid-January and follows a steady recovery in the total crypto market capitalization, which rose 5.45% in May. Since March, the market has expanded by 16.51%, climbing to $2.66 trillion from $2.28 trillion.

TOTAL market cap on the one-month chart. Source: Cointelegraph/TradingView

The positive shift in sentiment aligns with Bitcoin’s attempt to stabilize above the $81,000 level. Crypto analyst Darkfost noted that BTC sentiment is turning more constructive as the price tests higher levels. The analyst added that a separate sentiment index, ranging from -100 to +100, has also edged into the greed zone. This indicates that investor confidence is improving, with a growing preference to hold BTC rather than exiting positions.

Bitcoin unified sentiment index. Source: CryptoQuant

January showed a similar shift in sentiment before the momentum faded. Darkfost pointed to the current phase as a potential pivot, with investor behavior shaping the next move.

Related: Bitcoin ‘supercycle’ or a bear market rally? BTC breaking $81K has traders at odds

Stablecoin outflows may stall momentum 

Binance stablecoin netflows have recorded a cumulative outflow of $11.8 billion since April 25. This metric tracks the movement of stablecoins into and out of the exchange and is often used as a proxy for available buying power.

Positive net flows signal capital entering the exchanges, often associated with accumulation. A negative net flow indicates capital leaving, which can reduce liquidity for spot crypto purchases.

Binance stablecoin netflows. Source: CryptoQuant

Recent data shows a sustained drainage phase, with daily outflows exceeding $1.5 billion across multiple sessions. Earlier in April, Binance saw consistent inflows as Bitcoin climbed from $74,000 toward $78,000. That inflow cycle has now reversed.

Market analyst Crazzyblockk noted that the earlier buildup of stablecoin reserves helped fuel the upward movement. The current outflow trend suggests this pool of deployable capital has thinned in the short term, potentially tempering the bullish momentum for BTC and other crypto assets. 

Related: Crypto products post 5th straight week of inflows despite mid-week selloff

This article is produced in accordance with Cointelegraph’s Editorial Policy and is intended for informational purposes only. It does not constitute investment advice or recommendations. All investments and trades carry risk; readers are encouraged to conduct independent research.

The Tennessee Bankers Association (TBA), a trade group representing the state’s commercial banks, has selected Stablecore as a preferred technology provider for digital asset services, highlighting growing interest among regional lenders in crypto infrastructure.

In a Tuesday announcement, the TBA said Stablecore will provide infrastructure that enables community and regional banks to offer products such as stablecoins, tokenized deposits and digital asset-backed lending through their existing systems.

The endorsement gives Stablecore exposure to the association’s roughly 175 member institutions, potentially accelerating adoption among smaller banks that lack in-house digital asset capabilities.

The partnership reflects a broader trend among traditional financial institutions of seeking third-party providers to integrate crypto-related services rather than building the infrastructure internally.

Stablecore develops backend infrastructure that allows banks to issue and manage tokenized assets, including stablecoins and deposit tokens, while handling compliance and integration with core banking systems.

As previously reported by Cointelegraph, Stablecore recently joined the Jack Henry Integration Network, which provides digital banking technology to around 1,670 banks and credit unions across the United States.

Related: Crypto Biz: Capital has no consensus

Banks eye digital assets as US lawmakers debate market structure rules

TSA’s endorsement of Stablecore comes as more regional lenders look to roll out digital asset services, even as US lawmakers continue to debate the regulatory framework.

Tennessee’s junior US Senator Bill Hagerty, a member of the Senate Banking Committee, said last month that there is “still a lot more work to do” before Congress can advance comprehensive market structure legislation. 

Meanwhile, Senator Thom Tillis told reporters last week that he plans to push the Senate Banking panel to take up crypto market-structure legislation when lawmakers return to session on May 11.

Proposed bills aim to clarify how stablecoins are issued and supervised, which could give banks a clearer path to offering tokenized deposits and related services.

Source: Eleanor Terrett

At the same time, banking groups continue to raise concerns about stablecoin design, particularly whether issuers should be allowed to offer yield or interest. Industry advocates argue that recent compromises fall short of fully restricting yield-bearing stablecoins, potentially blurring the line between bank deposits and digital assets.

The Independent Community Bankers of America last month called on Congress to ensure the measure addresses concerns with what it called “the harmful impact on local economies of allowing crypto exchanges and other intermediaries to pay interest or yield on payment stablecoins.”

Related: Key US senator lifts block on Trump’s Fed pick Kevin Warsh

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

The Bullish acquisition of Equiniti, announced today, values the transfer agent at $4.2 billion

The Bullish acquisition of Equiniti, announced on May 5, positions the crypto exchange as a core piece of infrastructure for tokenized securities markets. Equiniti currently serves as a transfer agent for 3,000 major companies and manages records for approximately 20 million shareholders, giving Bullish immediate access to the institutional backbone of traditional equity markets. Bullish described the deal as creating “the global transfer agent for tokenized securities.”

Transfer agents occupy a critical position in capital markets. They maintain official records of share ownership, process dividend payments, and manage corporate actions like stock splits. Acquiring one at Equiniti’s scale gives Bullish a direct line into the ownership data that tokenized securities need to function at institutional grade.

What Equiniti’s client base means at scale

The deal arrives as the regulatory and institutional infrastructure for tokenized securities is rapidly taking shape. Nasdaq won SEC approval to trial tokenized stock trading in March 2026, and the Federal Reserve issued guidance on how banks should treat tokenized securities, establishing the regulatory framework that makes deals like this commercially viable.

Bullish’s move is larger in ambition than either of those. Buying a traditional financial infrastructure firm and reorienting it around tokenization is a bet that the next phase of capital markets runs on blockchain rails, and that owning the transfer agent layer is the most defensible position in that transition.

A transfer agent that handles 20 million shareholders does not just hold records. It holds the relationships, the legal registrations, and the operational history that tokenized equity issuers will need to port onto blockchain infrastructure with regulatory confidence.

Tokenized stocks have already reached a $1.2 billion market cap as institutional interest accelerates, with Nasdaq, Securitize, and Ondo Finance all building competing infrastructure. Bullish’s acquisition of Equiniti gives it a structural advantage none of those competitors can replicate quickly: a working transfer agent with 3,000 existing corporate clients and 20 million shareholder records already in place.

Bitcoin Core developers today disclosed a bug that has allowed miners to remotely crash and execute code on other people’s nodes.

The vulnerability, CVE-2024-52911, has affected Bitcoin Core 0.14.1 through 28.4. Developer Cory Fields responsibly disclosed and helped patch the high severity error via Pull Request (PR) 31112.

Had a miner wanted to utilize the dark trick, they could have executed software code on assorted nodes across the globe.

Fortunately, the bug remained obscure and likely not utilized due to its incredibly expensive attack vector.

Specifically, the attack required a miner to direct electricity-guzzling hashpower toward mining special types of blocks. A guaranteed opportunity cost, these invalid blocks could not become eligible for an actual coinbase reward to recoup the miners’ electricity costs.

Still, the mechanism of attack is easy to understand, albeit expensive to conduct.

We’ve been publishing Bitcoin Core security advisories for ~2 years now, and (afaik) we just disclosed the first ever memory safety issue: A use-after-free in the validation engine.

Credit to Cory Fields from the DCI for finding and reporting.

— Niklas Gögge (@dergoegge) May 5, 2026

Advertisement

A miner that produced a specially crafted block with sufficient proof-of-work could either crash victim nodes and/or use the crash to overtake its memory for remote code execution.

Bitcoin Core admitted that remote code execution was possible, although it did not cite specific examples of it occurring. It highlighted not only its cost and old age, but also the constraints on block data that have made it historically unlikely that miners engaged in meaningful episodes of puppeteering.

Old Bitcoin nodes still at risk of bug

Bitcoin Core’s advisory describes the bug as a script interpreter crash. During block validation, Bitcoin Core software pre-calculates and caches transaction input data, then dispatches script validation work to background threads that use computer memory.

If subjected to a CVE-2024-52911 attack, the node could keep reading from its cached memory after that data had already been freed from memory by another process.

Because this attack is a use-after-free memory bug, remote code execution is possible during this abnormal memory state.

In particular, remote code execution could occur when the node’s background script thread read cached, precomputed transaction data after it had been destroyed by a script validation, CScriptCheck.

Because upgrading a Bitcoin full node is voluntary and software updates are not automatic, a not insignificant minority of the network has delayed upgrading to version 29 (v29) or above. 

Specifically, according to one popular estimate, as much as 43% of Bitcoin nodes are still running vulnerable full node software based on pre-v29 code.

Read more: Bitcoin Core devs finally patch 5-year old disk fill bug

Responsible disclosure in 2024

As early as November 2024, Cory Fields detected and privately reported the bug.

Four days after detection, Pieter Wuille pushed a fix proposal as PR 31112, titled “Improve parallel script validation error debug logging.” 

The advisory purposefully read like a mundane, maintenance-style plumbing fix. Raising no alarm bells, it fixed Bitcoin Core’s check queue return handling and script validations.

Advertisement

Quickly, the PR by Fields and Wuille gained technical consensus for a merge into production by December 2024. Bitcoin Core 29.0 shipped with the fix by April 2025, and the final vulnerable release line, versions 28.x, reached end-of-life on April 19, 2026.

Now that node operators have had many months to upgrade, and in keeping with a policy in recent years of publicly disclosing old, previously secret bug fixes, Bitcoin Core finally announced the bug today on its website.

Bitcoin Core developer Niklas Gögge correctly noted that this is “the first ever memory safety issue” bug in Bitcoin Core. He thanked Fields for his responsible disclosure.

Bitcoin’s consensus rules were not changed by the bug fix. The bug was in node software and its use of computer memory checks, and the fix is already in current Bitcoin Core releases v29 and later.

Advertisement

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.