Although not even in the top 10 crypto hacks in terms of dollar-size, the LayerZero<>KelpDAO<> Aave exploit will go down in history as the most consequential DeFi hack of all time. 

The entire onchain industry is now on a completely different path than we were before. 

The implications to crypto come in two buckets:

1. DeFi needs to be Rearchitected 
2. Validators/Security Councils will need to standardize recovery operations (or give up control)

DeFi Needs to be Rearchitected 

The LayerZero<>KelpDAO<>Aave exploit occurred because each component in their composable DeFi stack trusted each other. 

1. KelpDAO trusted that LayerZero’s DVN wouldn’t ever be compromised (it got compromised).
2. LayerZero trusted KelpDAO to choose the appropriate level of security (they didn’t)
3. Aave trusted KelpDAO’s rsETH collateral to always be fully backed (it wasn’t) 

Trust lowers the costs of transactions and improves the welfare of everyone involved. So, it's enticing to assume these protocols are operating inside of trustworthy environments.

But they are not.

Permissionless systems are inherently adversarial environments. Building under the premise that 99.99% of users are good doesn’t change the fact that it only takes one bad actor to attack the system. 

The LayerZero<>KelpDAO<>Aave structure forgot this paradigm. 

We’re entering a new era of the internet user.

Your favorite websites are filling up with bots, and tech companies seem to be onboard with that fact – pushing for human-directed agents as a new interface between online and offline. This change is going to be huge – and likely not very seamless – as people and platforms are forced to grapple with the new operating assumption that every account or post they interact with on the web is AI-generated.

Wildly, just as the web is encountering this new existential shift, world governments are showing momentum to tackle an issue first introduced two decades ago – social media's societal impact on young users.

These are two extremely different issues, but they both ultimately focus on determining who is behind the screen. The government very well might try to solve both issues at once.

User Verification Is Coming

Let's take a closer look at the momentum behind these two issues: 

• One effort to determine who is a human online.

The internet is just beginning to reckon with a world of autonomous bots. Many will be very useful and others will fracture trust across the web, powering hacks, scams and disinformation. Many websites are already tapping services like World's iris-scanning to get ahead of the deluge – more services like this are likely on the way.

• One effort to determine who is an adult online.

After decades of talk, global governments are finding broad-based political support for cutting children off from social media services or requiring explicit parental guardian consent. While federal laws like COPPA have required internet platforms to not offer services to users under 13, this has generally relied on checkboxes with zero further verification. Signals are getting clearer that 1998's COPPA isn't as robust as the 2026 web requires. 

tl;dr? User verification is probably about to get more hardcore.

Age verification has long loomed for the web, state governments have been threatening to slap ID-verification interfaces onto porn sites for decades – to the considerable backlash of users who don’t love the idea of having their photo ID end up in a porn site data breach. Since 2022, there's been a lot of momentum in actually implementing legislation, notably almost entirely among Republican-controlled states. In 2026, blue states are joining in, too.

Beyond the tacit data security fears of such mandates, there’s also a palpable fear that stronger user verification mandates are going to usher in a decidedly (more) authoritarian future for the web.

Every personal account building up a digital footprint, feeding into a database queryable for law enforcement doesn’t sound great. To be fair, we’re not that far from this anyway, but the idea that the government could suddenly have more surface area to target user privacy doesn’t feel great. The slippery slope concern is also in full effect here, where initially sensible policy could grow in scope with little warning and we’ll have the digital scaffolding in place to carry out a hostile administration’s whims to devastating effect – think state-mandated digital excommunication.

For privacy-minded crypto users who are leveraging protocol designs that shield the IDs of transaction participants or leverage cryptography, building around this dynamic is all well-trodden territory.

The Path(s) Ahead

While right now we're largely seeing a patchwork of state laws, we're also witnessing momentum toward federal action. Trump's FTC has already sought to push more explicit carveouts to reduce legal exposure for platforms trying to tackle age verification.

Additionally, there are a number of outstanding federal age verification bills currently live with varying levels of support and interest:

• COPPA 2.0: Extends existing child privacy rules to cover teens, relying on platforms being able to determine users’ ages to enforce limits on data collection and ads. (Status: introduced in both the House and Senate; the Senate version passed unanimously, while the House version remains pending.)
• KIDS Act: Requires websites to determine users’ ages and put protections in place before allowing kids to access certain parts of the internet. (Status: introduced in the House as H.R. 7757; advanced out of House Energy and Commerce.)
• App Store Accountability Act: Shifts responsibility to app stores like Apple and Google to verify ages and require parental approval for minors downloading apps. (Status: introduced in the House, with an identical Senate companion bill.)
• SCREEN Act: Requires adult-content sites to verify that users are not minors before letting them access pornographic content. (Status: introduced in the Senate as S. 737, with a companion bill in the House.)
• Parents Decide Act: Moves age verification to the device level, where phones or operating systems determine a user’s age and share that with apps. (Status: introduced in the House as H.R. 8250.)

Right now, internet rights groups largely aren’t psyched about these solutions. Determining whether a user is a child represents an escalation of the amount of personally identifiable information that all users in the jurisdiction need to cough up simply to access a service. Fight for the Future, an internet rights advocacy group whose backers include The Ethereum Foundation, has included a number of the above bills on their Bad Internet Bills landing page.

In all likelihood, something is going to change, but there’s a wide delta between the bills under consideration right now. COPPA 2.0, as the name suggests, builds on existing law in a more gradual approach that dials up the expectations for platform operators. Meanwhile, the Parents Decide Act, which was introduced this month, would require operating systems to verify the ages of the users at a device level and communicate that to apps and services.

Those are two very different bills.

The backlash to the Parents Decide Act language has been pretty well-defined. The language in the bill is so insanely broad with any potential edge cases unaddressed (Will I need KYC to use my smart fridge?), that it's pretty hard to feel anything positive about it at this stage. While the most generous interpretation of the bill could signal a kind of on-device FaceID for unlocking access to age-gated internet services without personal data leaving the device, the least generous interpretation of a mandatory universal login for the internet is about as dystopian a future for the internet as one could imagine.

Unlike other bills out there right now, the interesting aspect of the Parents Decide Act – by virtue of how broad it is – is how much this could shift the fabric of how the internet evolves in an AI age.

Most of the age-gating focus from other bills makes it the responsibility of the individual services, think Facebook and Pornhub, to determine how old the end user is. With Parents Decide, the marginal costs for Internet services leveraging data that the OS already has collected by law would theoretically be zero, and this isn't just information about how old the user is but the fact that they are a human being with an age.

Something like this would spread across the web very quickly, and have a pretty deep impact on how bots traverse the open web. Amid deep uncertainty about how AI will change society, some level of prescriptive predictability might be pretty attractive to lawmakers.

A Critical Moment

COPPA became law in 1998 – the most comprehensive federal law governing how children interact with the internet went live in the era of GeoCities! All to say, whatever gets passed in the next few years is going to govern how the web develops as it enters a highly unpredictable AI era.

This is unbelievably important to get right.

Internet users should have a hand in how their internet develops, not just tech companies and not just regulators. If you're feeling like you want a say, this is your moment. You should have a strong opinion on each of these bills, and should educate yourself on the future these bills enable and whether that jives with your personal values. Your elected representatives should know how you feel too.

This week, Coinbase launched agentic.market, a storefront surfacing x402 endpoints to make the ecosystem more discoverable. 

Browse it and you'll find live, metered access to a wide range of services, from onchain tools to mainstream APIs. Some endpoints are offered directly by the original provider. Many arrive via third parties: companies wrapping existing APIs in x402 (and/or MPP) and packaging them as agent-ready toolkits, accessible through a single connection for a small fee.

That second arrangement complicates things. Among those third-party-originated endpoints featured on Agentic Market are services for Wolfram Alpha, Google Flights, and Amadeus, a widely-used travel data platform. I focus on these three because none of the platforms have themselves announced an x402 integration, and their terms of service make it unlikely they've authorized a third party to build one on their behalf.

The Wisconsin Department of Justice filed lawsuits on Thursday in Dane County Court against Kalshi, Robinhood, Coinbase, Polymarket, and Crypto.com to halt what it considers to be illegal sports betting.

What's the Scoop?

• Unlawful Gambling: Wisconsin’s DOJ has filed lawsuits against five prediction market operators, alleging that their sports-related “event contracts” constitute illegal sports betting under state law. The complaint argues that sport-based event contracts violate the state's ban on "unlawful commercial gambling." Payouts remain tied to sporting outcomes, while attempting to circumvent gambling restrictions through a financial product wrapper.
• Coinbase Responds: Posting to X, Coinbase Chief Legal Officer Paul Grewal wrote, "Congress was clear – consumers deserve uniform, federal oversight over derivatives markets... Wisconsin should accept clear and consistent CFTC oversight of prediction markets – just as Congress intended."
• Injunction Requested: Wisconsin is seeking both preliminary and permanent bans to block named platforms from offering sports-related contracts to in-state users, labeling the activity a “public nuisance.”
• Change of Venue: Polymarket has already filed a notice of removal shifting its case to federal court; Kalshi, Robinhood, Coinbase and Crypto.com are expected to follow suit.