Crypto in Transition: DeFi Exploits and Perpetuals Go Onshore [FP Weekly 22, 23]
Here’s what happened last week.
1. Major News
[Institution] CFTC Approves the First Bitcoin Perpetual Futures in the US
What Happened?
The US Commodity Futures Trading Commission (CFTC) approved KalshiEX to list the Bitcoin perpetual futures contract BTCPERP on May 29. BTCPERP is a futures contract referencing the Bitcoin spot price with no expiration date. The CFTC issued the approval order under Section 5c(c)(4) of the Commodity Exchange Act and Regulation 40.3, finding that the contract satisfies the core principles applicable to a designated contract market (DCM).
Perpetual futures are the largest product category in the global crypto derivatives market, accounting for more than 70% of centralized exchange trading volume, yet most of that activity has taken place in a regulatory gray zone. This is the first time a registered exchange has directly listed a perpetual futures contract within the US regulatory perimeter.
Alongside the approval order, the CFTC also issued a policy statement and two no-action letters that day. One allows US customers of Coinbase to access perpetual futures products on Deribit, the Dubai-based derivatives exchange that Coinbase acquired, and it also addressed how US brokers can offer customers perpetual futures contracts on non-US exchanges.
This approval aligns with the Trump administration’s stance on onshoring crypto. CFTC Chairman Mike Selig stated shortly after taking office that he would bring perpetual futures products into the US regulatory perimeter, and described this action as the fulfillment of that commitment. However, this approval rests on no-action letters and a policy statement, and did not go through the formal rulemaking process. There is room for the policy direction to shift if the composition of the Commission changes.
Researcher’s Comment
This approval makes visible the US intent to bring the largest liquidity market in crypto trading inside the regulatory perimeter. Perpetual futures account for more than 70% of crypto derivatives trading, but that volume has been concentrated on exchanges outside the regulatory perimeter such as Binance, Bybit, and Hyperliquid. The CFTC opening a path for registered exchanges is an attempt to bring this liquidity back into US-regulated infrastructure.
The problem is that perpetual futures brought inside the regulatory perimeter cannot take the same form as offshore products. Perpetual futures products on offshore exchanges drew in retail traders with leverage of 50 to 100x or more and loose KYC as their strengths. By contrast, US products listed on a DCM are likely to be subject to leverage caps, position limits, and full KYC/AML. As a result, what has entered the US is a regulation-friendly, reworked version of perpetual futures, and whether this product can actually win back the volume that flowed to venues outside the regulatory perimeter is expected to be a separate question.
In this context, the primary demand for regulated perpetual futures lies more with institutions than with retail. For institutional investors, adoption of perpetual futures as useful market infrastructure for hedging and price discovery is growing. For example, they can hedge price movements in held assets without rolling over expirations, and they can provide a continuous price discovery function even for assets that have no public trading market. SPACEX-USDH, listed on Hyperliquid the same week, tracked the corporate valuation of the privately held company SpaceX, which can be seen as an early example of this kind of price discovery attempt.
However, US institutions have until now been effectively shut out of this perpetual futures market. Some set up separate entities outside the US to gain access, and some used non-US exchanges directly while absorbing regulatory uncertainty. With this action, institutional investors gain a path to access perpetual futures products through a CFTC-regulated futures commission merchant (FCM).
That said, regulation reduces counterparty risk and operational opacity, but does not eliminate the market risk inherent in the product itself. Perpetual futures remain a product based on leverage and funding rates, and are vulnerable to sharp price swings when liquidity is thin. Even in the SPACEX-USDH case mentioned above, a single large position absorbed thin liquidity, producing a flash crash with about $1.5M liquidated within 30 minutes. In effect, what this regulatory clarification adds is market-operation-level controls such as leverage caps, margin protocols, and procedures for handling rapid price moves, while whether the trading infrastructure can absorb the large orders of institutions with sufficient liquidity is a separate task. For perpetual futures to settle into the institutional market, regulatory permission must be backed by sufficient market depth, and this no-action relief amounts to the first step.
[Crypto] A String of DeFi Exploits and AI Hacking Warning
What Happened?
StablR, a Malta-based, MiCA-compliant stablecoin issuer backed by Tether and Kraken, had its minting authority seized by an attacker after a single multisig signing key controlling the issuance contract was compromised.
The attacker added themselves as an administrator, removed the existing signers, and minted roughly 8.35 million USDR and 4.5 million EURR without collateral, about $13.5M at face value. They then sold these on decentralized exchanges, and because liquidity was thin, the attacker's actual proceeds came to about 1,115 ETH, or around $2.8M. Under the selling pressure, EURR depegged to $0.85 and USDR at one point to $0.40. The minting multisig was a 1-of-3 setup that allowed issuance with just one signature out of three keys; the token contract itself was not flawed. The onchain investigator ZachXBT first made the incident public, and StablR issued an official statement only about eight hours later.
StablR is only the most recent case in a string of DeFi thefts that has continued this year. In April, Kelp DAO lost about $292M to a flaw in its bridge verification design, while $285M flowed out of Drift and $197M out of Euler. In February, Step Finance shut down operations after a $27M loss. The same week, signs of a suspected exploit were also detected in the UMA adapter contract of the prediction market Polymarket.
Losses are mounting on a cumulative basis. Over the first five months of 2026, about $840M flowed out of DeFi, and on a trailing 12-month basis the figure exceeds $1.1B. Of that, more than $600M was drained in April alone, the largest single-month damage on record. Over the same period, total DeFi TVL fell by more than $20B this year, compounded by price weakness.
Researcher’s Comment
Manuel Aráoz, co-founder and former CTO of OpenZeppelin, stated on X on May 26 that he now considers all of DeFi unsafe. His reasoning is that AI coding agents have reached a superhuman level at finding vulnerabilities, and that the asymmetry, in which defenders must block every bug while attackers need to find only one, drives this. He added that he had advised friends and family to pull funds out of major protocols such as Aave, MakerDAO, and Compound.
The asymmetry between attackers and defenders that Aráoz pointed to is not a new frame. What has changed is speed. As AI coding agents automate vulnerability scanning and exploit writing, the time it takes to prepare an attack is shrinking rapidly. According to one security engineering analysis, the average response time for a DeFi incident is about 37 minutes, whereas an exploit typically completes within 60 seconds. This means that the pace of humans convening multisig signers to manually halt a contract cannot keep up with an attack.
As a result, the response from protocols and chains is converging on automated defenses that operate without human intervention. Circuit breakers, which detect abnormal transactions or rapid fund outflows and automatically halt withdrawals or impose limits, are spreading in the form of the ERC-7265 standard and Aave Shield. Jupiter has begun applying more widely a mechanism that limits transactions above a threshold, and Aave has begun adding cybersecurity factors to its collateral risk assessment criteria. Meanwhile, defensive tooling is also drawing in AI. OpenZeppelin is developing a security tool that injects verified knowledge of audited contract libraries into AI coding agents. The trend is moving toward a bot-versus-bot structure in which both attack and defense are automated.
The question going forward is whether defense can secure AI capabilities that match those used in attacks. Runtime defenses such as circuit breakers need to become the default rather than an option for a handful of large protocols, and to develop to the level of distinguishing anomalous signals without also blocking normal transactions. In addition, in cases where fund recovery is difficult, such as North Korea-linked attacks, post-incident tracing and recovery capabilities are emerging as a response requirement as important as defense. Only once this kind of advance across security infrastructure as a whole has moved up a level can DeFi attain a level of security adequate to take in institutional capital and move toward broadening its market base.
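The rolling-window outflow limit behind circuit breakers of this kind, as an added Python model that is not from this newsletter and is not the ERC-7265 interface or Aave Shield code. The class name, the 10% per hour threshold and the sample withdrawals are assumptions constructed for illustration; it shows the halt happening inside the withdrawal call while ordinary and spread-out flows pass.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OutflowBreaker:
    """Hypothetical rolling-window outflow limiter; deposits are not modelled."""
    window_s: int        # observation window, seconds
    max_drain_bps: int   # share of window-start liquidity allowed out, basis points
    liquidity: int       # current pool balance, token base units
    tripped: bool = False
    _events: deque = field(default_factory=deque)  # (timestamp, amount) inside window

    def withdraw(self, now: int, amount: int) -> bool:
        """Execute the withdrawal and return True, or hold it and return False."""
        if self.tripped or amount > self.liquidity:
            return False
        # Forget withdrawals that have aged out of the window.
        while self._events and self._events[0][0] <= now - self.window_s:
            self._events.popleft()
        drained = sum(a for _, a in self._events)
        baseline = self.liquidity + drained  # balance when the window opened
        if (drained + amount) * 10_000 > baseline * self.max_drain_bps:
            self.tripped = True  # halt in the same call; no signer has to convene
            return False
        self._events.append((now, amount))
        self.liquidity -= amount
        return True

    def reset(self) -> None:
        """Manual re-enable after review (a governance action in practice)."""
        self.tripped = False
        self._events.clear()

def replay(breaker: OutflowBreaker, withdrawals):
    """Feed (timestamp, amount) pairs through the breaker; return each outcome."""
    return [breaker.withdraw(t, amt) for t, amt in withdrawals]

# Constructed sample traffic: 10% per hour limit on a pool of 1,000,000 units.
NORMAL = [(0, 20_000), (600, 30_000), (1_200, 40_000)]
BURST = NORMAL + [(1_230, 400_000), (1_231, 1_000)]   # drain attempt 30 s later
SPREAD = [(0, 60_000), (4_000, 60_000)]               # same size, windows apart

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("burst", BURST), ("spread", SPREAD)):
        b = OutflowBreaker(window_s=3_600, max_drain_bps=1_000, liquidity=1_000_000)
        print(name, replay(b, flow), "tripped:", b.tripped, "left:", b.liquidity)
```

Once tripped, the model holds every withdrawal, including small legitimate ones, until `reset()` is called; that is the false-positive cost the threshold has to be tuned against.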
Others
Crypto
Polymarket investigates suspected exploit involving its UMA adapter
Wintermute expands into prediction market trading infrastructure
Tether’s U.S.-focused stablecoin USAT grows more than 500% in one month
Institution
Trump administration orders review of Federal Reserve master account access for crypto firms
Bank of England presents vision for tokenization and stablecoins in U.K. financial markets
Mastercard obtains New York BitLicense to expand stablecoin and digital payment infrastructure
JPMorgan CEO strongly criticizes the CLARITY Act over stablecoin rewards and AML gaps
Tech
NEAR Protocol previews AI-focused dynamic resharding and quantum-resistant signing
Base launches Azul mainnet, advancing Coinbase’s L2 decentralization roadmap
Investment
Squid raises $6 million with participation from Ripple and North Island Ventures
Bitcoin ETFs record nine consecutive trading days of outflows, totaling about $2.8 billion
Asia
Japan Blockchain Foundation announces plan to issue EJPY, a yen stablecoin for B2B settlement
Coinbase launches direct Indian rupee (INR) deposit and withdrawal rails
Korea Investment Securities and OKX Ventures acquire stakes in Coinone
Vietnam’s Ministry of Finance proposes allowing SMEs to use digital assets as loan collateral
2. Data Spotlight
Crypto Card Market Crossed $7.5B in Cumulative Payments, Which Chain Carries the Most Volume? (Link)
3. Four Pillars Weekly
: : Tokenization Gone Wrong Could Fragment Stocks (Link)
Tokenized stocks were originally meant to let anyone trade a wide range of assets seamlessly, anytime and anywhere. But today’s tokenized stock market may actually deepen liquidity fragmentation, as the same stock gets split into multiple product forms.
According to Bloomberg, the “innovation exemption” reportedly being prepared by the SEC could become an important turning point, as it may allow the trading of third-party tokenized stocks. That said, rather than viewing this simply as bullish news, we need to look at why third-party tokenization is being pushed forward and what structural problems it could create.
Tokenized stocks can be structured in several ways, including Issuer-Sponsored, Custodial, Linked Securities, and Security-Based Swaps. Each model differs in how closely it is connected to the original stock. In particular, third-party tokenization, where the issuer or transfer agent is not directly involved, can create a rights structure that differs from the actual stock, which raises issues around investor protection and regulation.
Behind this debate are the interests of players like Coinbase, which want to offer tokenized stock services outside the existing transfer agent-centered structure. At the same time, if third-party tokenization spreads, multiple incompatible products based on the same stock could emerge, fragmenting not only trading venues but the very form of the stock itself.
Ultimately, for tokenized stocks to deliver on their original promise, the market either needs to move toward native tokenization that is compatible with the rights structure of existing stocks, or it needs mechanisms that can address the liquidity fragmentation caused by third-party tokenization. The key questions to watch are how the SEC will allow third-party tokenization, and how it will organize investor rights and market structure in the process.
: : Canton: The Most Institutional Blockchain, The Most Controversial Blockchain (Link)
Canton has demonstrated material institutional traction, with major institutions such as DTCC, JPMorgan, Goldman Sachs, Franklin Templeton, and SBI joining the ecosystem and Broadridge’s DLR processing large-scale repo transactions. These results, however, are difficult to make sense of through the conventional crypto lens. A structure in which not all transactions are public and only approved validators participate in consensus is fueling debate over whether Canton is a real blockchain and whether it is doing real tokenization.
Canton is not a more private version of Ethereum or Solana. It is a separate design that sits between the transparency of public chains and the silos of private chains. Rather than publishing all transactions and having all validators verify a shared global state, Canton allows only relevant parties to see their portion of a contract while the Global Synchronizer coordinates ordering, confirmation, and commit. Canton’s differentiator is selective disclosure and synchronization across institutional workflows, not open verification.
The institutional crypto market is not converging on a single path. The demand to capture onchain liquidity as a buy-side channel for asset managers’ financial products and the demand to streamline institutional workflows such as repo, collateral management, and settlement are different in nature. The two cannot be satisfied by the same infrastructure.
Canton’s product-market fit lies in the latter: high-value, repetitive workflows with restricted participants where privacy and settlement certainty are priorities. Its core metrics are closer to throughput, settlement speed, failure rate reduction, and operational cost savings than to onchain AUM. At the same time, the large pool of onchain capital accumulated on public chains forms a liquidity moat that Canton cannot easily overcome in the short term.
: : Altura: Building the Composable Yield Layer on HyperEVM (Link)
Altura operates a stablecoin yield vault on HyperEVM generating ~19% base APY from three independent strategy pillars (funding/basis arbitrage, physical gold trading, and market making).
The vault has grown from $1.66M to $20.6M in TVL across 112 days with zero negative weeks, supported by both strategy-generated yield and ~$1.7M+ in pre-TGE incentive programs.
AVLT has evolved from vault receipt to composable DeFi primitive, yield-tradeable on Pendle, borrowable on Morpho, depositable from six chains, with seven integration surfaces shipped in under five months.
The ALTU utility token (pre-TGE) introduces TVL-linked buyback-and-burn and staking yield boosts on top of a product that already generates returns without it.
The next phase will determine whether pre-token traction converts into durable protocol-level demand.
: : Why Azuki Built a Card Game (Link)
Every dominant anime franchise built IP product by product, not story first. Azuki is running the same sequence (physical TCG as the first playable entry point) in a market that just posted $13B in annual sales and is growing at 10% CAGR.
Three independent macro forces are compressing onto trading cards simultaneously. A physical supercycle, the institutionalization of cards as an investable asset class, and $2B in on-chain card volume with $193M in gross revenue. Azuki sits at the intersection of all three.
The structural decisions in Gates Awakened map directly to every failure mode in the market. Physical product in game stores, competitive infrastructure from day one, optional blockchain integration that stays invisible to players who don’t want it.
No other TCG publisher controls the full stack. Azuki owns the IP, builds the game, runs competitive play, has professional grading from CGC/PSA/BGS, and operates the digital trading platform. Value doesn’t leak through licensing splits or subsidiary structures.
collect.anime.xyz is more than just a marketplace; it’s an acquisition channel. Pokemon and One Piece collectors are building Animechain wallets now, before Gates Awakened cards are tokenized. The platform creates the audience before the product needs it.
4. Macro & Onchain Metrics
Some of the charts below are powered by CryptoQuant. For those interested in exploring the underlying data in greater detail, CryptoQuant provides access to a comprehensive suite of onchain and market analytics used by institutional participants.










