Today on The Ops Layer: Compound DAO formalizes a conditional 3,000 ETH commitment to the Aave recovery using a new delegation model, the CFTC sues Wisconsin — its second state in 72 hours — over prediction-market authority, and Australia's AUSTRAC compliance clock starts running toward a July 1 Travel Rule deadline. Plus: the CFTC turns AI loose on registration applications, a new Kelp postmortem reveals an infrastructure-layer attack affecting ~40% of cross-chain protocols, and TON ships the first open self-custodial wallet standard for AI agents.
Polymarket is pursuing CFTC approval to operate a fully regulated US exchange after its 2022 ban. The application runs alongside the infrastructure rebuild reported earlier this week (CLOB v2, pUSD collateral token, $1M liquidity incentives), combining a regulated-entity application with a simultaneous technical stack upgrade.
Why it matters
This is the cleanest current case study of an offshore-to-regulated transition, and the new question it raises: how does the pUSD native collateral token interact with the regulated entity structure under CFTC oversight? The compliance architecture required — protocol-layer KYC/AML, market surveillance, user verification on a previously permissionless interface — is the blueprint other DeFi protocols seeking US re-entry will need to reference. Watch this alongside the CFTC's two-state preemption suits for the full picture of how the agency is simultaneously litigating and licensing in the prediction-market space.
Input Output cut its annual Cardano treasury request from $97.5M to $46.8M — a 52% reduction — redistributing development scope to external teams, non-profits, and specialized contributors. The 2026 slate funds two priorities: development decentralization and the Leios consensus upgrade (10–65x throughput target). The request goes to a treasury vote.
Why it matters
This is a rare concrete example of a founding entity engineering its own influence reduction through transparent budget cuts rather than vague rhetoric — and it goes to a governance vote, making the decentralization claim empirically testable. The operational question: how do technical coordination, code review standards, and release cadence hold when execution is distributed across multiple orgs? For DAO-to-corporation and decentralization roadmap designers, IOG's model (reduce funding request, redistribute scope, codify external responsibilities) is more concrete than most published frameworks.
Over Foundation ceased operations citing insurmountable financial constraints, immediately shutting down OverWallet, nodes, explorers, RPC endpoints, and APIs. The Layer 1 now depends entirely on whether independent operators voluntarily continue block production.
Why it matters
Most decentralization claims have never been tested under foundation failure — Over is now the natural experiment. The operational lesson regardless of outcome: foundation treasury sustainability and protocol-level operator viability are separate problems requiring separate planning. If you run a protocol with a foundation balance sheet, the Over case is a forcing function to map which infrastructure components silently fail in a wind-down.
Building on Aave's fixed 25,000 ETH pledge to DeFi United (now at $160M of $200M target), Compound DAO has taken a structurally different approach: a conditional range (1,900–3,000 ETH) with final sizing delegated to an execution group — Compound Governance Working Group, Gauntlet, security providers, and the Compound Foundation — contingent on full rsETH backing restoration and equal treatment of affected parties.
Why it matters
The range-plus-delegation model is meaningfully distinct from Aave's fixed-pledge approach. Governance sets bounds and conditions; named specialists with real-time market visibility size the actual deployment. This resolves the precision problem that plagues crisis governance votes — pre-committing a fixed number forces either over- or under-funding. It's the most concrete crisis-playbook primitive to emerge from the Kelp fallout.
Beyond the 25,000 ETH treasury commitment and the buyback pause already covered, Aave DAO is now running two additional parallel tracks: a Scenario 1 vs. Scenario 2 loss-allocation vote determining whether mainnet or L2 users absorb bad debt, and an Umbrella module pause-vs.-slash decision. The loss-allocation vote is the first time a major DAO has been forced to vote explicitly on distributional asymmetries between user cohorts — and participation numbers are showing governance apathy.
Why it matters
The new element here is the distributional vote itself — not crisis response mechanics (well-documented from the buyback pause and DeFi United pledge), but a zero-sum choice about which user group pays. Most consensus-governance systems aren't designed for this, and the procedural gaps are live: low quorum, fairness debates outside formal channels, asset-listing review becoming a reform target. This is the governance stress test that buyback pauses and treasury pledges don't capture.
Chainalysis published a consolidated operational timeline for Australia's Digital Assets Framework: AML/CTF compliance officers must be appointed by May 30, Travel Rule originator/beneficiary protocols go live July 1, and ASIC's INFO 225 no-action relief expires in June — forcing platforms back under existing Corporations Act requirements while the framework consultation is still in flight.
Why it matters
Australia adds a third July 1 hard deadline alongside EU MiCA CASP expiry and the UK stablecoin reforms, compressing the multi-jurisdictional authorization sprint further. The ASIC relief expiry is the sharpest edge: platforms relying on INFO 225 lose their no-action buffer simultaneously with Travel Rule go-live, leaving no overlap window. Ops teams running global products now have three non-negotiable July 1 obligations with no shared infrastructure.
Four days after suing New York, the CFTC filed in the Eastern District of Wisconsin on April 28 to block state enforcement against Kalshi, Polymarket, Crypto.com, Robinhood, and Coinbase. Wisconsin's April 23 actions alleged illegal sports betting; the CFTC asserts exclusive derivatives/swaps jurisdiction. The doctrinal question is identical to the New York case.
Why it matters
What was a single-state test 72 hours ago is now a two-state pattern establishing a multi-jurisdiction federal-preemption doctrine. Because the legal question is identical, the first ruling will functionally determine the second — and the outcome sets whether prediction-market platforms face one federal regime or 50 state-level compliance architectures. Track this alongside Brazil's telecom-layer blocking and the DOJ/CFTC Van Dyke indictment as the three-front regulatory geometry now defining the sector.
CFTC Chairman Selig confirmed the agency is using AI to review registration applications, monitor trading data, and automate compliance workflows — explicitly framed as offsetting staff cuts. He also confirmed coordination with the SEC on a shared crypto taxonomy, positioning the CFTC as lead federal regulator for crypto derivatives and fraud enforcement.
Why it matters
AI-driven review changes the documentation standard for CFTC registrations (DCM, SEF, FCM pathways): structured fields and complete control matrices will surface fewer deficiencies than narrative-heavy submissions. The shared SEC-CFTC taxonomy is the secondary implication — a single compliance architecture can serve both agencies, but errors propagate to both. This pairs with the CLARITY Act's May 25 deadline: firms preparing registrations now need to structure documentation for machine review before that window closes.
The Central Bank of Kenya posted four positions — a manager-level licensing lead, two deputy managers (licensing/product approval and compliance oversight), and a senior business analyst — dedicated to VASP oversight under the October 2025 VASP Act. Subordinate regulations are still pending gazetting after April public comment closed. Directly follows the Binance account-freeze controversy covered earlier this week.
Why it matters
Regulatory hiring is the most reliable leading indicator of when a framework goes operational — typically 3–6 months. This is the window to engage CBK before the formal licensing queue forms, and the critical open question is whether the new licensing framework constrains or institutionalizes the DCI account-hold pattern (2+ month freezes without court orders) that the Binance incident exposed.
CertiK's Skynet Intelligence Report (April 2026), across 11 jurisdictions, finds AML enforcement has structurally replaced securities classification as the primary regulatory risk: AML fines exceeded $900M in H1 2025 while SEC crypto enforcement fell 60% in volume and 97% in penalty value year-over-year. Smart-contract audits are now mandatory or quasi-mandatory across seven major jurisdictions.
Why it matters
The audit mandate is the underappreciated finding: it folds smart-contract security into licensing prerequisites in seven jurisdictions, meaning unaudited code blocks regulatory access, not just user trust. This converges with April's $800M in DeFi losses (89% from access-control failures on unaudited protocols) to make the audit budget a mandatory compliance line item rather than an optional security investment — and validates the compliance-as-competitive-advantage pattern already documented across the FinCEN/OFAC PPSI and EU sanctions threads.
Squads released three open-source tools under its v4 protocol: a Rust-based CLI for reviewing and executing multisig proposals, a browser-based verification interface that runs without backend infrastructure, and a real-time monitoring system for multisig activity — directly targeting the single-interface dependency implicated in the Drift social-engineering compromise. Coordination with STRIDE positions this as part of a broader Solana multisig standardization push.
Why it matters
The backend-free verification UI addresses the attack surface the Drift/$285M Lazarus compromise exposed: a single web interface becoming the trust bottleneck that phishing, replacement, or coercion can exploit regardless of M-of-N math. Tools that let signers verify proposals from independently deployed UIs or CLI materially raise social-engineering costs. For Solana treasury multisig operators, this is an immediate operational decision.
A new postmortem adds to the Glassnode five-phase mechanical reconstruction: the April 18 Kelp incident was an RPC node compromise combined with DDoS on LayerZero's DVN infrastructure — not a smart-contract exploit. The 1-of-1 DVN configuration enabling the attack is reportedly LayerZero's default, used by ~40% of protocols. Note: the 40% figure comes from GetBlock, an RPC provider with commercial interest in the finding; independent confirmation is pending.
Why it matters
If the 40% figure holds, the Kelp incident is a systemic exposure rather than an isolated configuration failure — and the prior week's URTAN pre-confirmation taint proposal becomes more urgent. Smart-contract audits don't cover RPC endpoint redundancy or DVN topology. The implication for protocol security ops: DVN configuration review and RPC provider diversity are now urgent tasks, not infrastructure preferences. This also reframes what a pre-listing security assessment must include.
TON released an open self-custodial wallet standard giving AI agents dedicated on-chain identities via smart contract with separate user and agent keys — agents execute independently while users retain spending limits and override authority. This is the third agentic wallet launch this week (after Binance's Agentic Wallet and Cobo CAW) but the first published open standard rather than single-vendor product. Developer-preview status and audit caveats apply.
Why it matters
TON's contribution is portability — an open standard rather than a proprietary product means the dual-key architecture and policy expression layer (limits, allowlists, time bounds) can be implemented across teams rather than locked to one vendor. For treasury automation or agent-driven workflow builders, the near-term decision is now comparing three live options rather than waiting for standards to emerge.
Ondo Finance and Broadridge launched proxy voting and corporate governance access for holders of 250+ tokenized securities via Web3 wallet through Broadridge's ProxyVote platform — the first integration of corporate governance rights into tokenized equities at meaningful scale. Broadridge extended existing legacy infrastructure rather than replacing it.
Why it matters
Proxy voting was the missing institutional adoption prerequisite for tokenized equities — without governance rights, a tokenized share is an incomplete wrapper. The architectural choice validates a pattern increasingly dominant in RWA tokenization: Web3 reaches into legacy fintech rails via wallet auth rather than rebuilding infrastructure on-chain. This is materially cheaper than greenfield decentralized governance and directly addresses the multi-layer compliance scaffolding requirements the Sabai Protocol COO outlined earlier this week.
Crisis response is becoming a formal operating discipline
The Aave/Kelp aftermath is producing reusable governance primitives: conditional treasury commitments (Compound's 1,900–3,000 ETH range tied to recovery milestones), delegated execution groups blending DAO working groups with risk specialists like Gauntlet, and explicit loss-allocation votes that force DAOs to choose who pays. These patterns are being codified faster than any prior DeFi crisis.
AML enforcement has structurally displaced securities risk
Both CertiK's Skynet report and Cointelegraph's analysis converge on the same fact set: AML fines >$900M in H1 2025, EU AML penalties up 767%, SEC crypto enforcement down 60% in volume and 97% in penalty value. The operational implication: compliance budgets must rebalance toward transaction monitoring, sanctions screening, and mandatory smart-contract audits, not securities counsel.
Regulators are automating their own compliance pipelines
CFTC Chair Selig confirmed AI is now reviewing registration applications and monitoring trading data, meaning Web3 ops teams need machine-readable, complete documentation rather than narrative-heavy submissions. This is a quiet but structural shift in how to prepare for licensing across jurisdictions.
Multi-jurisdictional deadline stack is compressing simultaneously
Australia's AUSTRAC Travel Rule (July 1), EU MiCA CASP cutoff (July 1), UK FCA gateway (Sept 30 open), and US CLARITY Act window (end of May) all hit within a 90-day band. Operations teams running global products face a coordinated authorization sprint with limited shared infrastructure.
Infrastructure-layer attacks are exposing audit blind spots
The Kelp incident was an RPC/DVN compromise, not a smart-contract bug, and the LayerZero 1-of-1 DVN default reportedly affects ~40% of protocols. Combined with April's $800M+ in DeFi losses being driven by access-control and key-management failures, the security operations stack is shifting from code audits to infrastructure topology and configuration review.
What to Expect
2026-05-25—CLARITY Act Memorial Day deadline — without Senate Banking markup before recess, statutory codification likely slips past midterms
2026-05-30—Australian VASPs must have appointed AML/CTF compliance officers under AUSTRAC framework
2026-07-01—Triple deadline: Australia Travel Rule live, EU MiCA CASP transitional period expires, UK stablecoin/payments reforms advance
2026-05-12—Ronin's OP Stack migration cutover — 90M RON treasury redirect and Proof-of-Distribution builder rewards activate
2026-06—Tezos X mainnet target pending governance approval; ASIC INFO 225 no-action relief expires forcing Australian platform compliance
How We Built This Briefing
Every story, researched.
Every story verified across multiple sources before publication.
Scanned: 258 (across multiple search engines and news databases)
Read in full: 90 (every article opened, read, and evaluated)
Published today: 14 (ranked by importance and verified across sources)
— The Ops Layer