Today on The Ops Layer: the CLARITY Act hits its real test ahead of tomorrow's Senate Banking markup, with 100+ amendments and a Democratic push to strip developer protections. Plus the Kelp/rsETH recovery closes out across Aave, Compound, and Kelp itself — and Code4rena's wind-down hints that Web3's security supplier mix is getting rebuilt.
With tomorrow's Senate Banking markup confirmed and the 309-page base text already public, Democrats filed 15 DeFi-focused amendments directly targeting Section 604 — the BRCA non-custodial developer carve-out locked into the Grassley-Lummis deal. The amendments would remove developer liability protections, introduce a 'reckless disregard' standard for code that 'facilitates' crime, expand regulated-financial-institution definitions to cover DeFi front ends and infrastructure, and permit OFAC sanctioning of autonomous smart contracts regardless of ownership. Total amendment count is above 100, with stablecoin yield and crypto ethics provisions also live.
Why it matters
This is the operational question for any U.S.-serving Web3 team: does the BRCA carve-out survive markup intact, or does the U.S. quietly extend money-transmitter-equivalent obligations to wallet operators, front ends, and protocol developers? The base text protects non-custodial developers; the amendment package is engineered to reverse that. Either outcome changes entity-structure, hiring, and product-design calculus immediately — and the May 21 recess means whatever leaves committee on May 14 is what the July 4 enactment path actually carries.
Delaware is advancing SB 16 and SB 19 to establish a state-level licensing framework for stablecoin issuers and digital asset service providers. SB 19 imposes mandatory licensing, 1:1 reserve backing, monthly reserve reporting, a prohibition on direct interest payments, and — notably — personal CEO/CFO certifications with individual liability exposure. The regime is engineered to meet the federal GENIUS Act's 'substantially similar' standard, which would allow certified Delaware issuers to operate nationwide under the $10B threshold.
Why it matters
Delaware is positioning itself the way it did for corporate law — as the default domicile for U.S. stablecoin issuers. The personal-liability piece for CEO/CFO is the operational detail that matters: it changes D&O insurance pricing, hiring at the officer level, and how internal controls and reserve-reporting workflows need to be designed. For any team weighing GENIUS-Act-compliant issuance, the state-domicile question is now competitive, not procedural.
Pinsent Masons walks through the operational implications of CP26/13 closing June 3 — the FCA's emphasis that classification turns on activity substance rather than service labels, meaning many business models will need multiple permissions across the trading chain. This is the final input window before September final guidance, which arrives just four weeks before the September 30 authorization gateway opens and roughly twenty-two weeks before the February 28, 2027 application deadline.
Why it matters
The four-week gap between final guidance and gateway opening has been the planning problem since the FCA formalized the timeline in April — this consultation close is the last moment to influence that guidance text. The substance-over-form posture from CP26/13 means forensic business-model audits against consultation language need to happen in May; September is too late to start. Existing AML registrations and payment licenses do not carry over, so the activity-inventory work feeds directly into a clean-slate application.
JD Supra's update on the MiCA transition flags two operational realities heading into the July 1, 2026 expiry: roughly 75% of pre-MiCA VASPs are expected to lose authorization, and the European Commission has proposed centralizing CASP supervision under ESMA to address the patchy national implementation that's emerged. Enforcement posture is shifting from warnings to actions, and the so-called 'consumer protection paradox' — stricter compliance reducing competition and pushing users to unregulated venues — is now an explicit regulatory concern.
Why it matters
Two operational planning items. First, if you're serving EU customers through a CASP-licensed counterparty, audit your counterparty risk — a quarter of the market is about to operate legally; three quarters won't. Second, the ESMA-centralization proposal would meaningfully change supervisory geography for cross-border CASPs and pairs with the AMLA direct-supervision regime starting January 2028. The supervisory architecture is consolidating; planning around a single national regulator is a shrinking strategy.
Germany's Bundeszentralamt für Steuern opened the registration portal for cryptoasset operators under the Cryptoasset Tax Transparency Law (KStTG), in force since December 24, 2025. Operators serving German users must register before July 31, 2027 and comply with mandatory transaction reporting tied to the DAC8/CARF framework.
Why it matters
Pair this with yesterday's DAC8 analysis: the EU's tax-reporting perimeter is materially wider than MiCA's CASP perimeter, and Germany is the first major member state to operationalize the portal side of it. The registration deadline is fourteen months out, but the data-architecture work — capturing tax residency at qualifying touchpoints, building regulator-grade reporting — is the kind of build that needs to start now. For any team serving German users, this is the trigger to scope the project.
A Santiment deep-dive details the May 9 Compound governance action that recovered ~12,427 rsETH from the April 18 Kelp exploiter. Compound risk and protocol teams coordinated a temporary, reversible modification of the rsETH oracle price floor, triggering automated liquidation of the attacker's $29M+ position without disrupting other markets. The attacker had distributed 116,500 stolen rsETH (~$292M) as collateral across Aave, Compound, and Euler; this is the Compound piece of that recovery, and the most operationally interesting one — it's governance reaching into oracle parameters as an emergency-response tool.
Why it matters
Two things to note. First, this is the kind of governance action that only works if the muscle is built in advance — emergency oracle adjustment, coordinated across risk and protocol teams, reversed cleanly after execution. Second, it's a precedent worth tracking: oracle parameters are now a recognized emergency lever, which raises governance-design questions about who can move them and how quickly. The recovery worked here; a poorly governed version of the same mechanism is also an attack surface.
The attacker's stolen tokens have been burned and Kelp is progressively refilling 117,132 rsETH into the LayerZero OFT adapter over two weeks — execution timeline now confirmed. Aave's rsETH market freeze during the incident is credited with preventing cascading liquidations. This is the operational closeout running in parallel with the Compound oracle-adjustment recovery (12,427 rsETH) and the Arbitrum DAO binding vote opening May 15 for the frozen 30,765 ETH.
Why it matters
The two-week staggered refill is the first concrete execution-timeline data point for post-exploit recovery once legal structure is settled — weeks-not-days, with judicial clearance required before staking, lending, or bridging can resume. Three protocols, three different mechanisms (oracle adjustment, market freeze plus coordinated refill, court-supervised DAO vote), and no socialized depositor loss on a $292M nominal exploit. The refill pace itself is a template: reintroducing a peg slowly enough that a second attacker doesn't have a moving target to trade against.
Code4rena, the highest-volume competitive smart-contract audit platform — 511 completed audits, 16,600+ registered researchers — is winding down operations. The piece attributes the shutdown to tighter security budgets, researcher migration to private firms and bug-bounty platforms, and the industry shift toward multi-layered, continuous security programs rather than reliance on point-in-time contests.
Why it matters
This is the supplier-side signal that pairs with OpenZeppelin's continuous-subscription pivot earlier this week and the OpenZeppelin four-layer risk framework before that: audit contests as a primary security strategy are out. For ops teams planning launches, the practical question is now your security mix — private audit firm, continuous monitoring, internal review, bug bounty — and how you sequence those around release cycles. The 'one big contest before mainnet' model is no longer a defensible procurement strategy.
Santiment data shows all ten tracked crypto ecosystems posting positive development activity growth — and simultaneously declining contributor counts. Ethereum holds structural dominance with 10.2K dev events from 611 active contributors. Solana posted +6.28% activity growth on a -39.6% contributor count. The pattern across the board: fewer developers producing higher output per person.
Why it matters
Pair this with the $138K average Web3 salary print from earlier this week and the picture is consistent: the labor market is consolidating, output is concentrating, and bench depth is thinning. The risk read is concentration — fewer maintainers per protocol means bus-factor problems and slower incident response when the senior contributors who survived the consolidation take vacation, leave, or burn out. For ops planning, this is the year to map contributor concentration in your stack and your dependencies.
In an Unchained interview, Morpho Labs co-founder Paul Frambot describes the protocol's modular architecture — 1,000+ isolated vaults, 90% of volume in stablecoin loans — and makes the case that complex risk parameters belong with specialist curators rather than distributed token holders. His emphasis: operational security is the most underpriced risk factor in DeFi, and curator networks scale better than governance-token-driven risk decisions.
Why it matters
Morpho's curator model is one of the more interesting answers to the 'who actually makes risk decisions' question in DeFi governance. It separates risk underwriting from token-weighted voting, which addresses the whale-dominance and voter-apathy problems that show up across DAO designs. For ops teams designing how risk decisions get made in their own protocols, the curator-network pattern is worth studying — especially the trade-off between specialization and the legitimacy that token holders confer.
Blockaid launched Risk Exposure, a compliance infrastructure suite aimed at institutions running continuous on-chain operations. The stack includes risk-screening APIs, cosigner policy engines, and DeFi 'toxicity' monitors designed to flag exposure to sanctioned, tainted, or stolen funds before inflows are accepted — replacing post-hoc forensic workflows that can't keep pace with bridge-and-mixer routing.
Why it matters
Same theme as the EU AML Package's continuous-monitoring requirement and Inveniam's receipts-layer chain: compliance cadence is being forced to real-time. The operational decision for ops leads is whether to build internal screening, partner with infra like this, or both — and how to wire policy engines into existing multisig and treasury workflows without slowing operations to a crawl. Pre-acceptance screening is the design pattern to study.
A Hashlock.markets design note proposes two primitives for agent-to-agent commerce: Execution Rewards (an on-chain settlement track record that functions as a reputation primitive) and Tiered KYC (optional identity attestations from T0 to T3 layered on top, without custody). The argument: traditional KYC was designed for one-time human verification, not agents bidding thousands of times per week, so settlement history should be the cheap default and identity verification the optional overlay.
Why it matters
Same problem space as Circle's Agent Stack and AWS AgentCore Payments earlier this week, and the EIP-8004 identity work showing up across BNB Chain and others — but a different design call. Where the payments-side stack is solving execution, this is solving counterparty trust at scale. For ops teams designing agent systems or evaluating partners that build on them, the on-chain-reputation-as-first-class-primitive pattern is worth tracking as it competes with credential-based approaches.
Crisis governance is becoming a discipline
Three stories today — Kelp/Aave's two-week refill, Compound's oracle-driven liquidation of the exploiter, and Lazy Summer's Community Call #15 — describe coordinated multi-protocol incident response as a repeatable operational pattern, not an ad-hoc scramble.
The developer-protection fight is now the CLARITY Act fight
With BRCA's non-custodial carve-out locked in the base text, the Democratic amendment package is squarely aimed at removing it — and at extending financial-institution-style obligations to front ends and code. The markup is operational policy for any U.S.-serving Web3 team.
Security supplier mix is being rebuilt
Code4rena's wind-down, OpenZeppelin's continuous-subscription pivot (covered earlier this week), and Morpho's emphasis on opsec-as-risk-factor all point the same direction: audit contests are out, multi-layered programs with monitoring and ops review are in.
Compliance tooling is moving from quarterly to real-time
Blockaid's Risk Exposure suite, the EU AML Package's continuous-monitoring requirement (covered yesterday), and tiered-KYC-via-on-chain-history proposals are all responses to the same gap: traditional compliance cadence can't match on-chain settlement speed.
Smaller teams, more output — and concentration risk
Santiment's dev-activity dataset shows every major ecosystem growing commits while shrinking contributor counts. Solana: -39.6% contributors, +6% activity. Paired with the $138K average salary print earlier this week, the picture is a consolidating labor market with thinner bench depth.
What to Expect
2026-05-14: Senate Banking Committee markup of the CLARITY Act, with 100+ amendments pending — including a Democratic package targeting BRCA developer protections.
2026-05-15: Arbitrum DAO binding Constitutional AIP vote opens on transferring 30,765 ETH (~$71M) to Aave LLC under court-supervised custody.
2026-05-21: Memorial Day recess — procedural cliff for the CLARITY Act's July 4 enactment path.
2026-06-03: FCA CP26/13 Perimeter Guidance consultation closes — last input window before final guidance ahead of the September 30 authorisation gateway.
2026-07-01: MiCA transition period expires; full enforcement begins across EU member states with ~75% of pre-MiCA VASPs expected to lose authorization.
— The Ops Layer