Weekly Top Stories - 2/28

This week in the newsletter, we write about the SEC dropping crypto suits amid a regulatory shift, stumbles in an Ethereum testnet for the upcoming Pectra upgrade, and the recent hack of the crypto exchange Bybit.
SEC Drops Crypto Suits Amid Regulatory Shift
SEC withdraws from several major crypto lawsuits and enforcement actions. In some cases, as with Coinbase, the SEC has voted to formally drop its litigation, while in others the SEC has notified firms they will close their internal investigations with no action. The major crypto firms receiving such relief include Coinbase, Consensys, Robinhood Crypto, Gemini, Uniswap Labs, and OpenSea. These enforcement actions filed by the SEC over the past two years centered around whether digital assets should be classified as securities.
Per the SEC's official press release (which specifically mentions only Coinbase), the ongoing investigations are being dismissed because of the pending work of the Crypto Task Force, which is dedicated to helping develop a comprehensive and clear regulatory framework for crypto assets. "The Commission’s decision to exercise its discretion and dismiss this pending enforcement action rests on its judgment that the dismissal will facilitate the Commission’s ongoing efforts to reform and renew its regulatory approach to the crypto industry, not on any assessment of the merits of the claims alleged in the action," according to the press release.
Additionally, after market close on Thursday, the SEC released a statement clarifying that it does not deem most memecoins securities under US federal law. Memecoins “typically have limited or no use or functionality” and are “more akin to collectibles,” according to the agency’s Division of Corporation Finance. It also said “a memecoin does not constitute any of the common financial instruments specifically enumerated in the definition of ‘security’ because, among other things, it does not generate a yield or convey rights to future income, profits, or assets of a business. In other words, a meme coin is not itself a security.”
OUR TAKE:
We predicted in our Nov. 10, 2024 report “Entering the Digital Golden Era” that, with the new SEC, “some number of crypto enforcements will pause, some lawsuits will be paused or withdrawn, no action letters on specific topics or to specific projects could be issued, and the doors will open for industry and regulators to discuss sensible paths forward.” Commissioner Hester Peirce, as chair of the Crypto Task Force established within days of President Trump’s inauguration by acting chair Commissioner Mark Uyeda, has moved aggressively to begin the work of charting a new path for the SEC on digital assets. Dropping these cases and halting pending enforcement investigations is essential if the SEC intends to rethink the securities status of digital assets, which is the foundation from which all other securities law enforcement and regulation flows. Said another way, the SEC can’t allege that Coinbase is operating as an unregistered securities exchange or that it is facilitating secondary trading in unregistered securities if the SEC dramatically narrows its view on which cryptos are unregistered securities. Commissioner Peirce made this question — the securities status of digital assets — the first bullet point in her Feb. 4 statement “The Journey Begins”, and Fox News reporter Eleanor Terret reported Friday morning that the “Crypto Task Force is getting ready to hold a series of roundtables with industry participants entitled “Spring Sprint Towards Crypto Clarity… and the theme of first meeting will be defining security status.” I discussed the SEC’s new approach with Commissioner Peirce on the Feb. 13 episode of Galaxy Brains.
Although determining the Commission’s view of the security status of various cryptos and types of digital assets is a key first step that must occur before other regulations (and reforms) can be made, it is just the first step. Last Friday, Feb. 21, Commissioner Peirce again published a public statement, this time titled “There Must Be Some Way Out of Here,” in which she detailed 48 complicated questions with which the Crypto Task Force is wrestling. The questions are both deep in their complexity and broad in their scope, covering topics like broker-dealers, custody, exchanges, investment advisors, investment companies, tokenized securities, and more. The sheer scope of the work that must be done to determine how digital assets and market infrastructure stakeholders should, could, must, or must not comply with existing securities laws, which should be exempt or which should not, or which laws and regulations should be modified in which ways… boggles the mind. Other global regulators, such as the FCA in the United Kingdom, already did a lot of the complicated legal and research work to determine how to adapt or integrate digital assets into their own regulatory frameworks. But for some reason we don’t entirely know, the SEC over the last four years refused to do this complicated thinking. Commissioner Peirce is right — “There Must Be Some Way Out of Here” — but it’s becoming clear that the way will be long and tricky. Luckily, the new SEC appears to be embarking on a deliberate and urgent process to do just that: find some way out of the entangled mess of digital assets left by the prior SEC. Dropping punitive and legally dubious enforcements and lawsuits is one important step on the path, but there is still much more to do. – Alex Thorn
The ‘Breathtakingly Bad’ Ethereum Testnet Upgrade
On Monday, February 24, Ethereum developers activated the Pectra upgrade on Ethereum testnet Holesky. A few minutes into the upgrade, developers realized that three out of five execution layer (EL) client teams misconfigured a system contract address for handling validator deposits. This mistake, because it impacted the vast majority of validators on Holesky, caused a prolonged chain split that has effectively made Holesky unusable for Ethereum stakeholders for the foreseeable future. On the latest Ethereum developer call, ACDE #206, Besu developer Justin Florentine described the Holesky incident as “breathtakingly bad” as it highlighted a number of issues in clients and their ability to resync after a prolonged period of non-finality.
Developers have agreed to make one last attempt at recovering Holesky, which involves a coordinated mass slashing of all validators not attesting to the correct head of the chain. Developers also agreed to move forward with upgrading the second public Ethereum testnet, Sepolia, next Wednesday, March 5, because trying to disable this upgrade at the last minute would take as much work, if not more, than moving forward with it as planned. They pre-scheduled the Sepolia fork when they scheduled the Holesky upgrade in early February. Rescheduling or disabling the Sepolia fork would require all Sepolia node operators to update their software before March 5. For now, developers will move forward with the Sepolia upgrade as planned and recommend new client software for node operators running any one of the following four clients: Geth, Besu, Nethermind, and Lodestar.
OUR TAKE:
The loss of the Holesky testnet is a major blow to Ethereum’s upgrade testing capabilities. It is one of only two long-lived public testnets for Ethereum stakeholders to test code and the only one with an unpermissioned validator set. Though developers are actively trying to recover Holesky, it is clear that the testnet will not be usable in the short term for Pectra testing and there’s a chance it may not ever become usable again.
An important outstanding question in light of the Holesky incident this week is how developers will move forward with testing Pectra for mainnet after the Sepolia upgrade. With the upgrade having been activated on only one public testnet, Ethereum stakeholders like Lido are without the appropriate infrastructure to adequately test their smart contract code. At the very least, developers will likely launch a new short-lived Pectra devnet for stakeholders to do additional testing after Sepolia. Time to set this up, along with any other fill-ins for Holesky, will likely delay Pectra mainnet activation, as well as the readiness of major Ethereum apps for the upgrade, by a few weeks at least, pushing potential Pectra mainnet activation from early April to late April or early May.
As stated in prior Galaxy Research newsletters, the complexity of Ethereum’s code base and the large number of participants involved in governance make it difficult for developers to upgrade the protocol both safely and quickly. However, persisting underperformance in ETH price and division in the Ethereum community have put pressure on Ethereum protocol developers to ship upgrades faster. Ethereum’s success depends on the extent to which developers can walk this tightrope between speed and safety well. Unfortunately, the latest incident on Holesky coupled with the recent hot fix to Geth and a narrowly avoided gas limit increase that could have caused networking issues on mainnet highlight how developers are struggling to balance these two priorities and, in some cases like the case of the Pectra upgrade, failing to achieve either. – Christine Kim
ByBit Suffers the World’s Largest Robbery of All Time
On Friday, ByBit, the world’s second-largest crypto exchange, suffered a serious hack in which more than $1.5bn of Ethereum-based tokens was stolen (mostly ETH). The scale of the theft is staggering – it is by far the world’s largest ever crypto theft, and possibly the largest ever theft in history outside of a warzone, both in current and inflation-adjusted dollars. The FBI has blamed the attack on the Lazarus Group, a state-sponsored hacker group based in North Korea.
What Happened?
Bybit stores the majority of its capital in cold storage using multi-signature technology, utilizing Gnosis SAFE as a technology layer. A key reason the hack was possible (amongst other reasons) is that Ethereum does not have native multi-signature capabilities. Instead, to create multi-signature wallets – in which some threshold of a quorum of people must sign to approve transactions – Ethereum custodians must rely on smart contracts that implement multi-signature signing schemes at the application level, and Gnosis SAFE has been the most widely used and battle-tested smart contract offering. However, smart contracts on Ethereum also cannot be upgraded. If a developer wants to upgrade their smart contract by materially altering the code, a whole new smart contract must instead be deployed, and then a second smart contract (known as the “proxy contract”) is updated to point to the newly deployed, upgraded smart contract. The attacker chose the proxy contract as the venue of the attack. During one of ByBit’s routine movements of capital from its cold to warm wallets, the transaction sent to the multi-sig members to sign, while indeed showing 0 tokens transferred, updated the contract code that managed the cold wallet transfer mechanisms and permissions and instructed the proxy contract to point to the attacker’s own malicious smart contract. Once the ByBit proxy contract pointed to the hackers' own contract, the hackers were able to sweep all funds from the ByBit Ethereum cold storage wallets, emptying them of $1.5bn of mostly ETH and ETH liquid staking tokens.
Some questions lingering in the minds of the industry in the wake of the hack include:
Could every one of the multi-sig signers have had their computers infected with malware that masked the contents of the transaction, making it impossible for the multi-sig quorum members to recognize that the first transaction was malicious? ByBit CEO Ben refuted that on a livestream in which he detailed their security procedures of imaging and wiping laptops every month to check for malware.
Could all the signers be in the same location, suffering a Man-In-The-Middle attack via corporate espionage or a rogue employee? ByBit’s CEO also refuted that, as all the multi-sig signers were in different locations.
Could the transaction contents from Gnosis SAFE have been modified or maliciously constructed? That, unfortunately, looks to be the case. Crypto exploits largely fall into two camps: bad smart contract code that is exploitable, and old-fashioned social engineering of the human element. Gnosis SAFE confirmed that a developer machine (or the developer) was compromised. The compromised machine or employee maliciously modified the transaction sent to the multi-sig signers at ByBit. Infiltration of companies by North Korean members of the Lazarus hacking group is unfortunately common. In this case, it appears that Gnosis SAFE was the target of the espionage, with ByBit as the eventual target.
To be clear, core Gnosis SAFE smart contracts do not have any code issues, as multiple researchers have confirmed. But if some transport layer between Gnosis SAFE and ByBit specifically was compromised to present ByBit signers with a malicious transaction, which appears to be the case, that does raise alarm regarding the construction of relationships between Gnosis SAFE and users of its software.
OUR TAKE:
There’s a lot to unpack here, but first, it’s important to note the persistent and significant threat from North Korea. Both of the top two crypto thefts in history – this ByBit hack and the hack of the Ronin bridge in 2022 – were conducted by the Lazarus Group and were completely different types of attacks. In the case of ByBit, the Lazarus Group appears to have demonstrated a powerful combination of both social engineering and technical execution. The technical execution too was both sophisticated and subtle.
It is also important to note that multi-sig wallets are not by themselves sufficient to be “cold custody”: when all the signers and the transaction initiator(s) are connected to the internet, those wallets are warm, not cold. Truly cold storage must involve wallets that are disconnected from the internet and sign the transactions in isolation, to then be broadcast from another device that is itself connected to the broader internet. Alex Thorn discussed the mechanics of this attack, as well as best practices for cold storage, on Tuesday with Shahar Shamai, CTO of Galaxy’s GK8 crypto security company. Watch the replay here.
But the incident also raises broader questions about crypto wallet UX. Approving smart contract transactions should not just involve checking the URL that the transaction originated from – the complexity of smart contract transactions demands that each parameter be reviewed and evaluated to confirm that it will act as expected. Reviewing the transaction parameters in this case would have revealed that the operation parameter in the transaction should have been 0 but was in fact 1, which allowed the exploit to happen. That might seem like a tiny change, but in the complex world of smart contract code, and as empirically proven by the result, it has massive implications. Wallet developers should work to develop human-readable transaction parsing and execution simulation, at least for widely used smart contracts like Gnosis SAFE, so that such subtleties won’t be missed.
There are a few silver linings. ByBit’s crisis response was widely praised, with its CEO Ben Zhou immediately being transparent and appearing on livestreams to keep the world up to date as they did their investigation. The cryptocurrency industry broadly came to ByBit’s assistance, with Zhou thanking Antalpha, Bitget, Pionex, SoSoValue, MEXC, Mirana, Solana, TON, Blockchain, Ghaf Capital, Tether, Bitvavo, and Galaxy Digital. And ByBit also has a robust Proof of Reserves program. Nonetheless, the crypto industry needs to continue to improve UX and security practices to ensure this doesn’t happen again. – Thad Pinakiewicz
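The parameter review described above, as an added example that is not code from this newsletter, Gnosis SAFE, or ByBit: it decodes the ABI-encoded arguments of a Safe execTransaction call into readable fields and flags operation = 1 (a delegate call) as well as a 0-value transfer that still carries call data. The target address, the inner call data, and the delegatecall_allowlist parameter are constructed placeholders and assumptions.

```python
# Added example (not Safe's or ByBit's code): decode Safe execTransaction calldata
# into readable fields and flag what a signer should question before approving.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")  # 4-byte selector of execTransaction
OPERATIONS = {0: "CALL", 1: "DELEGATECALL"}            # Safe's Enum.Operation values
HEAD_WORDS = 10                                        # execTransaction takes 10 arguments


def _word(args: bytes, index: int) -> bytes:
    """Return the 32-byte ABI head word at position `index`."""
    word = args[32 * index:32 * index + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _uint(args: bytes, index: int) -> int:
    return int.from_bytes(_word(args, index), "big")


def _dyn_bytes(args: bytes, index: int) -> bytes:
    """Follow the offset stored in head word `index` to a length-prefixed byte string."""
    offset = _uint(args, index)
    length = int.from_bytes(args[offset:offset + 32], "big")
    body = args[offset + 32:offset + 32 + length]
    if offset + 32 > len(args) or len(body) != length:
        raise ValueError("dynamic field out of bounds")
    return body


def decode_exec_transaction(calldata: bytes) -> dict:
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    return {
        "to": "0x" + _word(args, 0)[12:].hex(),   # lower-case hex address
        "value": _uint(args, 1),                   # wei sent with the inner call
        "data": _dyn_bytes(args, 2),               # inner call data
        "operation": _uint(args, 3),               # 0 = CALL, 1 = DELEGATECALL
    }


def review(tx: dict, delegatecall_allowlist=frozenset()) -> list:
    """Return human-readable warnings; an empty list means nothing was flagged.

    delegatecall_allowlist is a hypothetical policy input: lower-case addresses
    the organisation has vetted as delegate-call targets.
    """
    findings = []
    op = tx["operation"]
    if op not in OPERATIONS:
        findings.append(f"unknown operation value {op}")
    elif op == 1 and tx["to"] not in delegatecall_allowlist:
        findings.append(f"operation=1 (DELEGATECALL): code at {tx['to']} would run "
                        "against the wallet's own storage and balance")
    if tx["value"] == 0 and tx["data"]:
        findings.append(f"0 ETH transferred but {len(tx['data'])} bytes of call data "
                        "are attached; decode them before signing")
    return findings


def encode_sample(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build constructed test calldata: gas/refund fields zeroed, no signatures."""
    data_tail = len(data).to_bytes(32, "big") + data + bytes(-len(data) % 32)
    head = [bytes.fromhex(to[2:]).rjust(32, b"\0"), value.to_bytes(32, "big"),
            (32 * HEAD_WORDS).to_bytes(32, "big"), operation.to_bytes(32, "big"),
            *[bytes(32)] * 5,
            (32 * HEAD_WORDS + len(data_tail)).to_bytes(32, "big")]
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_tail + bytes(32)


# Constructed sample: placeholder target address and placeholder inner call data.
SAMPLE_TARGET = "0x" + "11" * 20
SAMPLE = encode_sample(SAMPLE_TARGET, 0, bytes.fromhex("deadbeef") + bytes(32), 1)

if __name__ == "__main__":
    for warning in review(decode_exec_transaction(SAMPLE)):
        print("WARNING:", warning)
```

A signing policy built on this would refuse any decoded transaction for which review returns a non-empty list unless a second reviewer explicitly clears each warning.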
Charts of the Week
The number of tokens launched daily on Pumpfun has meaningfully declined as memecoin activity on Solana has unwound over the last three weeks. On February 26, just 25,385 tokens were launched on Pumpfun, the fewest tokens created on the platform in a single day since November 3, 2024, and 65% off the all-time high daily number of tokens created. In total, 8.15 million tokens have been launched through Pumpfun, with 2.8 million (35%) of them being created in 2025.
This is the second significant decline in Pumpfun activity since its inception. Between August and September 2024, the platform experienced a 76% decline in the number of daily tokens launched. After a month of stagnated activity, the use of the app climbed to new highs between November 2024 and January 2025.

As the number of tokens launching through Pumpfun has declined, so has the number of tokens migrating off the platform to Raydium pools. Pumpfun uses a bonding curve mechanism when tokens are initially launched. The bonding curve sets the price as a function of demand, where incremental buys of the token move the price higher. When tokens reach a market cap of $69,000 Pumpfun automatically generates a Raydium pool for the token and seeds it with $12,000 of liquidity sourced from a supply burn of the token. From here, the price is set as a function of the token balances within the dex pool.
Pumpfun token migrations are rare, with only 1.32% of all tokens created on the platform graduating to a Raydium pool. On February 25, however, only 185 tokens migrated to Raydium. This is the lowest number since October 1, 2024.

Other News
BlackRock adds its Bitcoin ETF to model portfolio for first time
Tornado Cash developer Alexey Pertsev gets $1 Million donation From Ethereum Foundation
U.S. House Committee advances effort to erase IRS' DeFi tax rule
Aya Miyaguchi to shift from Ethereum Foundation's executive director to president
South Dakota rejects bill allowing state investments in bitcoin, joins growing list of states knocking back bitcoin bills
Crypto-friendly former Congressman Patrick McHenry joins A16z as a senior advisor
Bank of America plans to launch stablecoin If legislation passes
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the stablecoins mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. 
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned, hedged and sold or may own, hedge and sell investments in some of the digital assets and protocols discussed in this document. Affiliates of Galaxy Digital may also lend to some of the protocols discussed in this document, the underlying collateral of which could be the native token subject to liquidation in the event of a margin call or closeout. The economic result of closing out the protocol loan could directly conflict with other Galaxy affiliates that hold investments in, and support, such token. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. 
The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email contact@galaxydigital.io. ©Copyright Galaxy Digital Holdings LP 2025. All rights reserved.