09/12/2025 | Press release | Distributed by Public on 09/12/2025 11:20
In this week's newsletter, Jack Immanuel tracks the market structure bill's progress in the Senate; Lucas Tcheyan unpacks the outcome of the Hyperliquid vote; and Chris Rosa delivers the tl;dr on the aforementioned NPM exploit.
Hyperliquid, the leading decentralized exchange for perpetual futures and a layer-1 blockchain, is holding its first major governance vote. The question on the table: which stablecoin issuer gets the long-reserved USDH ticker? Normally, tickers on Hyperliquid are allocated every 31 hours through a dutch auction, with bids denominated in HYPE, the network's native token, and the winning HYPE bid burned. USDH is different. With $5.5 billion of USDC balances powering Hyperliquid and more than $200 million in annual yield flowing externally to that stablecoin's issuer, Circle, the USDH ticker represents a chance to recapture that value for the Hyperliquid network.
In this case, allocation will be determined via a validator vote, with the Hyperliquid team saying the prize is "well-suited for a Hyperliquid-first, Hyperliquid-aligned, and compliant USD stablecoin." The contest has drawn major stablecoin issuers from across the industry, including Paxos, Sky, Frax, Agora, Curve, BitGo, OpenEden, Ethena, as well as newcomers like Native Markets. Proposals for USDH were due Sept. 10 at 6 a.m. EST, with validators given 24 hours to declare their voting intentions. At the time of writing, 17 of 19 eligible validators had declared who they will vote for.
The actual vote will take place on Sunday, Sept. 14, from 6 a.m. to 7 a.m. EST. Native Markets is in the lead with 74% of stake, but staked HYPE holders have until Sunday to redelegate their HYPE to validators aligned with their own voting preferences, which could alter the count.
What's really at stake in the USDH vote? Not control of Hyperliquid's stablecoin rails and not an automatic monopoly. The winner gets one thing: the right to issue a stablecoin under the USDH ticker. That symbolism is powerful. Securing USDH means being recognized as the issuer most aligned with Hyperliquid's governance and values, a stamp of legitimacy that could matter as competing teams vie for integrations, liquidity, and market-maker support. Native Markets' lead suggests that being a Hyperliquid-native team trumps all other considerations.
The USDH ticker doesn't guarantee an overnight migration of Hyperliquid exchange pairs from USDC. The exchange's infrastructure is deeply tied to USDC, and forcing liquidity to shift would risk breaking depth and user experience. On Thursday, the Hyperliquid team announced criteria for a stablecoin to become a spot quote asset, including: the issuer staking 200,000 HYPE (~$10 million at current prices); a peg mechanism to $1 (with non-dollar pegs possibly eligible in the future); and minimum depth liquidity against USDC and HYPE. Notably, the announcement does not subject USDC and USDT to the same requirements given their "longstanding track record and established scale," and USDC will remain the quote pair on HyperCore (the dominant perpetuals market on Hyperliquid) for the foreseeable future.
Winning USDH does not block other contenders from going to market and competing with the winner. Multiple teams made clear that no matter the end result, they intend to launch on Hyperliquid. Case in point: Ethena formally withdrew its proposal on Thursday morning while stating it will proceed with "everything we said we would." While Circle did not submit a proposal, CEO Jeremy Allaire indicated the company very much plans to issue native USDC on the network. No matter who wins, adoption still has to be earned through liquidity, integrations, and execution. The ticker confers alignment, not dominance. Like real estate, its value depends on what the issuer does with it.
The contest also underscores a new dynamic: issuers must increasingly pay for distribution. Ethena's recent expansion to the Ethereum L2 MegaETH, where yield from its stablecoin product is diverted to cover sequencer costs, is the clearest example of this trend. Every major USDH contender pledged 95% to 100% of reserve yield back to Hyperliquid via HYPE buybacks, ecosystem funds, or incentives. But this alignment may have a downside: without incentives for end users, capital could stay in yield-bearing alternatives, limiting USDH's supply growth.
Another source of tension is compliance. Most proposals lean on U.S. regulatory status as a badge of credibility. But tying USDH too closely to a nationally or state-chartered issuer could create a U.S. nexus Hyperliquid doesn't need, exposing it to unwanted jurisdictional risk. Validators will have to decide whether regulatory alignment is a feature or a liability.
However the vote ends, one conclusion is already clear: the real winner is Hyperliquid. Stablecoin giants are bending their economics, partnerships, and infrastructure to prove their loyalty. Issuers need Hyperliquid's distribution more than Hyperliquid needs theirs. The vote will decide who wears the USDH crown, but Hyperliquid has already secured the throne. For a full overview of the situation, refer to our research note published this week. - Lucas Tcheyan
A fake two-factor email let attackers publish malicious node package manager (NPM) releases to popular JavaScript libraries. A respected maintainer known as qix had his NPM credentials phished by a fake 2FA email on Monday. With publish access in hand, the attacker pushed malicious updates to widely used JavaScript packages that are downloaded over 1 billion times weekly. Projects that automatically updated to newer versions could have fetched the tainted package while the attack was active. Posts by qix, security researchers, and the Ledger team revealed the issue and prompted a wider review. Major crypto wallets and apps reported that production builds were not affected. Maintainers quickly released clean versions and advisories, and ecosystem tools flagged the attacker addresses to avoid reuse. Arkham's tally shows only 17 transactions and about $607 in losses, which is small relative to the potential reach of these packages. The limited damage appears to reflect fast remediation, conservative release processes at large teams, and the fact that the payload relied on swapping recipient addresses in user flows rather than silent remote code execution.
This was a close call that highlights how deeply the internet and Web3 tooling depend on JavaScript packages and NPM workflows. The pathway was serious even if the final losses were small. A single trusted account can become a single point of failure for thousands of projects, and loose update settings or missed checks can turn a brief scare into a broader problem. Treat this as proof that software supply chains are only as strong as the diligence and release discipline of the least prepared participant.
While a user was on an app or website that included the malicious package, the attackers could inspect and tamper with the app's web traffic in the browser, including wallet activity. If the attackers had employed a more aggressive exploit, they could have monitored traffic across all websites and Web3 apps; harvested credentials, session cookies and API keys; injected skimmers; and quietly exfiltrated data. Instead, the attackers relied on passive address swapping and active transaction hijacking, specifically targeting crypto users in their browsers. Both techniques swapped the recipient address of a crypto transfer with a similar address owned by the attacker. The attack could have been thwarted by a user checking the address when they were prompted to confirm and sign the transaction.
The NPM community moved quickly to patch the affected packages, which limited the impact on developers. Maintainers published clean versions, issued advisories, and prompted projects to upgrade, shortening the window during which the malicious code could run. Crypto ecosystem tools reacted fast as well. Block explorers such as Etherscan and Solscan flagged the attacker addresses, added warning labels on address and transaction pages, and pushed those tags through their APIs. This made the addresses easier to spot, discouraged reuse, and helped wallets and analytics services deprioritize or block them.
Galaxy Digital was not affected by this exploit. In general, institutions and their trading desks experienced less impact than everyday users because they interact more directly with DeFi protocols (i.e., not via their front-ends), and use controls such as address allow lists, multi-step approvals, and disabled blind signing, among other measures.
Teams should double down on the basics that blunt this entire class of events. Pin exact versions and commit lockfiles, fail continuous integration when dependency differentials or security advisories appear, and restrict publish rights behind hardware keys with enforced multi-factor prompts. Monitor builds for unexpected network calls and stage and test new builds before broad rollout. For end users, the right habits still matter. Keep blind signing disabled, verify full recipient addresses, use allow lists, and prefer known bookmarks over links in messages or ads.
As the sergeant on an old TV cop show would say, "let's be careful out there." - Christopher Rosa
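The pinning and dependency-diff checks recommended above can be enforced mechanically in CI. The following is an added example, not code from Galaxy or from any affected project; the package names, versions, integrity strings and the `approved` parameter are constructed for illustration, and it assumes a package-lock.json with lockfileVersion 2 or 3.

```javascript
// Added example: CI gate for pinned versions and lockfile drift.
// All package names, versions and integrity strings below are constructed.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// True only for one exact semver version (no ^, ~, ranges, tags or URLs).
function isExactVersion(spec) {
  return typeof spec === "string" && EXACT.test(spec.trim());
}

// List every manifest entry that could float to a newly published release.
function findUnpinned(manifest) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Compare the "packages" maps of two package-lock.json (v2/v3) objects.
function diffLockfiles(baseLock, headLock) {
  const base = baseLock.packages || {};
  const head = headLock.packages || {};
  const changes = [];
  for (const path of new Set([...Object.keys(base), ...Object.keys(head)])) {
    if (path === "") continue; // root project entry, not a dependency
    const a = base[path], b = head[path];
    if (!a) changes.push({ path, kind: "added", to: b.version });
    else if (!b) changes.push({ path, kind: "removed", from: a.version });
    else if (a.version !== b.version)
      changes.push({ path, kind: "version", from: a.version, to: b.version });
    else if (a.integrity !== b.integrity) // same version, different content
      changes.push({ path, kind: "integrity", version: a.version });
  }
  return changes.sort((x, y) => x.path.localeCompare(y.path));
}

// Gate: pass only if everything is pinned and each lockfile change is listed
// in `approved` as "path@version" (hypothetical review allow list).
// An integrity change for an unchanged version can never be approved.
function checkDependencies(manifest, baseLock, headLock, approved = []) {
  const unpinned = findUnpinned(manifest);
  const unapproved = diffLockfiles(baseLock, headLock).filter(
    (c) => c.kind === "integrity" || !approved.includes(`${c.path}@${c.to ?? "removed"}`)
  );
  return { ok: unpinned.length === 0 && unapproved.length === 0, unpinned, unapproved };
}

// Constructed sample input: a manifest with floating ranges and two lockfiles.
const manifest = {
  dependencies: { "example-color-lib": "^4.1.0", "example-http": "2.3.1" },
  devDependencies: { "example-test-runner": "latest" },
};
const baseLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/example-color-lib": { version: "4.1.0", integrity: "sha512-AAAA" },
  "node_modules/example-http": { version: "2.3.1", integrity: "sha512-BBBB" },
}};
const headLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/example-color-lib": { version: "4.1.1", integrity: "sha512-CCCC" },
  "node_modules/example-http": { version: "2.3.1", integrity: "sha512-ZZZZ" },
}};

const result = checkDependencies(manifest, baseLock, headLock);
console.log(JSON.stringify(result, null, 2));
```

In a pipeline, the job would exit non-zero whenever `ok` is false, with the base lockfile read from the target branch and the head lockfile from the change under review.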
Last Friday, the Senate Banking Committee unveiled an updated (and much longer) version of the Responsible Financial Innovation Act (RFIA) of 2025. Key provisions of this draft expand collaboration between the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC); detail regulatory applications of the Bank Secrecy Act (BSA) to digital asset service providers; provide more safe harbors; and enhance carve-outs for decentralized finance (DeFi).
The Banking Committee's draft further clarifies the CFTC's regulatory role in this half of the RFIA (the other half being the pending Senate Agriculture Committee proposal). This is a notable extension of cross-agency collaboration that did not appear in the first draft. Instead of mainly focusing on the SEC, this draft calls for the SEC and CFTC to jointly issue rulemakings and administer a Micro-Innovation Sandbox. Additionally, the draft introduces a Joint Advisory Committee that would provide the SEC and the CFTC with findings and non-binding recommendations and promote regulatory harmonization. Each commission would have to publicly respond to the recommendations within 90 days.
The first draft did not touch on the application of the BSA at all. In this updated version, digital asset service providers are treated as financial institutions under the 1970 law. Therefore, service providers would have to maintain concrete BSA programs, including risk-based anti-money-laundering measures; recordkeeping; suspicious activity report (SAR) monitoring; technical capabilities to block, freeze, and reject transactions; customer identification; and sanctions compliance. While many crypto exchanges already comply with these obligations under longstanding state money-transmitter laws and Financial Crimes Enforcement Network (FinCEN) guidance, the legislation would codify them at the federal level and adapt them specifically for digital assets.
Exemptions for DeFi are more explicitly spelled out in the new draft. As long as a DeFi trading protocol is not under common control, developers of a decentralized exchange (DEX) would be exempted from the RFIA and the regulations implementing it. Gratuitous contributions, which include staking rewards and airdrops, would be exempted from the legal definition of securities. Notably, the draft adds safe harbors for NFTs (with exceptions) and decentralized physical infrastructure networks (DePINs) with less than 20% ownership concentration, sparing the two from being classified as securities.
In response to the updated RFIA draft, 12 Senate Democrats published their own framework for market structure legislation on Tuesday with a set of seven principles. Their definition of successful market structure legislation requires:
Closing the "spot market gap" (lack of a proactive U.S. regulator)
Clarifying legal status and jurisdiction for digital assets
Integrating issuers into the regulatory framework
Integrating platforms into the regulatory framework
Preventing illicit finance
Preventing corruption and abuse
Ensuring fair, effective regulation
Notable among the policies guided by these principles is a call to grant CFTC exclusive jurisdiction over the non-security digital asset spot markets and the adoption of consumer protection rules and disclosure requirements for digital commodity platforms. In the framework, the Democrats also advocate for equipping the CFTC and Federal Reserve with the ability to regulate credit in digital commodity trading. The framework prioritizes legislation that would: direct regulators to oversee DeFi protocols and platforms; fulfill the GENIUS Act's intent to ban yield-bearing stablecoins by removing a perceived loophole for affiliates; require platforms to register with FinCEN under the BSA; adopt conflict-of-interest provisions for elected officials and their families (almost certainly a response to the Trump family's World Liberty Financial project); mandate crypto holding disclosures by elected officials; and require a bipartisan quorum of commissioners at the SEC and CFTC to vote on digital asset rulemakings.
The Senate is running out of time to close a deal on market structure. Because the House has dedicated more extensive time, resources, and effort to market structure legislation in the past (i.e., FIT21), its faster timeline is not a surprise. However, the Senate needs to quickly pick up the pace.
This version of the RFIA barely touches regulatory guidelines for the CFTC, leaving it to the Senate Agriculture ("Ag") Committee to pass a companion bill or make its own introduction to fill the gap. Crucial to successful market structure legislation is exclusive CFTC spot market authority, and, based on the framework that the Democrats just released, the left side of the aisle agrees. Without a Senate Ag proposal, though, negotiations will stall.
As Ranking Member of the Ag Committee, Senator Amy Klobuchar (D-MN) could expedite the process by giving her stamp of approval. Not only would her support be critical in achieving the necessary filibuster-proof majority of 60 votes from Republicans and Democrats, but the Ag Committee itself prefers to operate in a more bipartisan manner. Without Klobuchar, the primary alternative way to reach a proposed Ag draft is if Majority Leader John Thune (R-SD) writes one in his office and shepherds it to committee, something Thune has given no indication he intends to do.
Many other hurdles lie ahead. Senate Banking needs to conduct a markup to get the RFIA to the floor before mandatory legislation gets in the way. In turn, a markup accomplished by Chair Tim Scott's (R-S.C.) artificial deadline of Sept. 30 would be ideal for the bill's success. Nevertheless, that deadline is not likely to be met. Congress will face a potential government shutdown at the end of September if it fails to pass a Continuing Resolution (CR) on the budget. A shutdown is clearly not an attractive outcome, because it would harm the reputation of both parties and halt the paychecks of millions of federal workers.
On top of that major obstacle, post-October floor time will begin to be eaten up by must-pass legislation within the calendar year, including the National Defense Authorization Act (NDAA) and Ag's Farm Bill. By December, priorities of many lawmakers will turn to the 2026 midterm election campaigns.
Despite these obstacles, the substantive policy additions to this second draft of the RFIA would bring necessary interagency collaboration between the SEC and CFTC. Furthermore, the DeFi sector would benefit from the explicit exemptions added to the bill. As evidenced by the principles in the Democratic framework, the BSA requirements added to the draft will likely draw in much-needed Democratic support for the RFIA. - Jack Immanuel
Among all blockchains, Solana consistently captures the most demand for block space and generates the most economic value at the application level.
Over the last 20 months, Solana has logged the highest transactions per second (TPS) among major blockchains, maintaining a minimum hourly transaction velocity of 525.67 TPS (using the 24-hour moving average) and running as fast as 1,641.08 hourly TPS in December. Even as activity on the network slowed over the last two months, Solana maintained an hourly transaction velocity of 800 TPS. This is a sign that the sheer demand for Solana block space is massive and greatly outpaces that of other major blockchains. This includes Coinbase's Ethereum L2 Base at 135 to 150 TPS, Binance's BSC at 130 to 170 TPS, and Arbitrum at 20 to 40 TPS.
The demand for block space translates to relatively elevated economic value generated at the application level. Solana ranked as the top blockchain by fees paid to applications (not to be confused with transaction fees paid on the network) for each of the last 11 months. Fees paid to applications represent the gross value paid by users for application activity (e.g., decentralized exchange swap fees and borrow interest), including value passed to liquidity providers (LPs) and related parties, plus value retained by the application in the form of revenue. Solana has captured nearly half (an average of 46%) of fees paid to applications across all blockchains on a monthly basis between January 2025 and August 2025.
WLFI proposes to burn tokens "held by participants not committed to" it
Cboe to launch perp ... excuse us, continuous BTC and ETH futures in U.S.
BlackRock's crypto holdings cross $100b mark again, with roughly $85b in BTC
Forward Industries closes $1.65b deal to build Solana treasury
Binance partners with Franklin Templeton on crypto product push
Hong Kong moves to ease crypto capital rules for banks
MYX airdrop faces Sybil attack allegations
More Trump administration agencies will go onchain, Chainlink says
SwissBorg SOL Earn wallet exploited for $41.5m
Gemini lifts IPO price range; valuation could top $3b
Polygon completes hard fork to restore finality
Avalanche Foundation eyes $1b raise for AVAX treasuries
S&P 500's snub of MSTR is a warning for BTC DATCOs: JPMorgan analyst
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Inc. and its affiliates ("Galaxy Digital") solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the stablecoins mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital's views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital's views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. 
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned, hedged and sold or may own, hedge and sell investments in some of the digital assets, protocols, equities, or other financial instruments discussed in this document. Affiliates of Galaxy Digital may also lend to some of the protocols discussed in this document, the underlying collateral of which could be the native token subject to liquidation in the event of a margin call or closeout. The economic result of closing out the protocol loan could directly conflict with other Galaxy affiliates that hold investments in, and support, such token. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider's website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. 
The foregoing does not constitute a "research report" as defined by FINRA Rule 2241 or a "debt research report" as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. Similarly, the foregoing does not constitute a "research report" as defined by CFTC Regulation 23.605(a)(9) and was not prepared by Galaxy Derivatives LLC. For all inquiries, please email [email protected]. ©Copyright Galaxy Digital Inc. 2025. All rights reserved.