Welcome to Galaxy Research's Weekly Top Stories. Subscribe to get this newsletter delivered to your inbox every Friday morning.
In this week's edition, Alex Thorn looks at recent research on the quantum computing threat; Lucas Tcheyan unpacks the $285 million Drift protocol hack; and Jianing Wu analyzes a Trump administration proposal to ease crypto’s path into Americans’ 401(k)s.
Got feedback on this newsletter? Email [email protected]. We’d love to hear from you.
Market Update
The total crypto market cap stands at $2.38tn, up 0.99% from last week (when it stood at $2.35tn). Bitcoin's network value is 4.02% of gold's market cap. Over the last seven days, BTC is up 0.58%, ETH is up 3.34%, and SOL is down 3.65%. Bitcoin dominance is 56.39%, down 72 basis points from last week.
‘Q-Day’ Could Come Sooner than Expected
Researchers published a new paper demonstrating that it is easier for quantum computers to crack cryptography than previously thought, should they eventually be successfully built. Researchers from Google Quantum AI, Stanford, U.C. Berkeley, and the Ethereum Foundation published a paper called “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations” on Monday. It demonstrated a ~20x circuit optimization breakthrough, substantially reducing the number of superconducting qubits required to run Shor’s Algorithm compared to prior estimates. In simple terms, the paper demonstrates that breaking the elliptic curve cryptography used to secure Bitcoin and other cryptocurrency networks is much easier for quantum computers than previously thought, though no such machine exists today.
When will they arrive? Craig Gidney, a top Google Quantum AI researcher and report co-author, separately said on X that he “would bet against Q-day by 2030, but [he] wouldn’t bet against it at 10:1 odds. ~10% risk is unacceptably high here, so [he’s] very in favor of transitioning to quantum-safe cryptography by 2029.”
Mathematician Peter Shor, today a professor at MIT, developed the eponymous algorithm while working at AT&T Bell Labs in the early 1990s, a time when quantum computing was entirely theoretical. His algorithm solves both integer factoring and the discrete logarithm problem exponentially faster than any known classical algorithm. Quantum computers are theorized to be uniquely capable of running Shor’s Algorithm and thus deriving the private key from a public key on an elliptic curve, the same type of cryptography used by Bitcoin and other cryptocurrencies.
The new paper uses zero-knowledge proofs (ZKP) generated with Succinct Labs' SP1 zkVM to prove its research findings without publicly sharing the details of the potential attacks, so bad actors (such as adversarial nation-states) don’t get access to a roadmap. A separate paper by Oratomic, a new quantum computing startup, also released on Monday demonstrated that neutral-atom qubits – a slower but more qubit-efficient architecture – could break the same cryptography with only ~10k qubits, albeit over days rather than minutes.
Together, the papers collectively constitute the strongest evidence yet that migration to post-quantum cryptography is becoming more urgent.
Our Take
While these papers demonstrate that operating Shor’s Algorithm may require a smaller quantum computer than previously thought, no such computer exists today and there is no imminent threat. Instead, they indicate that a quantum computer need not be as sophisticated as previously thought to reach “Q-day” (the name for the day on which quantum computers are capable of breaking classical cryptography). Nonetheless, no such quantum computer has actually been achieved, and one of Google’s top researchers gives only a 10% likelihood that one will be built by 2030. The use of ZKP to prove the Google paper’s findings without publishing their actual specifications is extremely notable – the researchers want to inform the world about progress without providing a roadmap for attackers. As more quantum breakthroughs occur, we should expect them to become less and less public, even classified. Informed skeptics like Rearden Code and Alex Bergeron call quantum computers wholly hypothetical, as podcaster Stephan Livera noted. Even with these demonstrated improvements, they note, large-scale fault-tolerant quantum computers would require hundreds of thousands of physical qubits maintaining coherence for minutes, a feat far beyond today’s best devices (hundreds of qubits coherent for microseconds). Simply put, while these papers demonstrate that a quantum computer powerful enough to break Bitcoin’s cryptography may be smaller than previously thought, the very existence of one even remotely capable at all remains elusive. Nonetheless, if there’s even a small chance that Bitcoin’s cryptography could be compromised by a quantum computer, and that one could emerge, we believe it is prudent to begin work on mitigating such a threat. As we wrote in a report several weeks ago, there are already several initiatives underway in the Bitcoin development community to address these concerns. The most prominent is BIP-360, a thoughtful first step that introduces a new output type that gives similar functionality to Bitcoin’s Taproot while eliminating the quantum-vulnerable output type that currently exists. Blockstream researcher Jonas Nick unveiled a 2.5kb post-quantum signature type called SHRIMPS on Monday, which allows for multi-device, quantum-secure, hash-based signatures. Other proposed post-quantum signature schemes for Bitcoin include SPHINCS+ and SLH-DSA, and Lightning Network co-creator Tadge Dryja has proposed a novel commit/reveal scheme that could be used as an interim solution prior to formal integration of post-quantum (PQ) signatures. Another proposal called Hourglass V2 would slow the spending of vulnerable coins (such as those believed to belong to Satoshi) to a trickle as a middle ground in the debate about whether to seize, burn, or repurpose those coins. All of this to say that while there is still plenty of uncertainty and the threat is not today imminent, if Q-day is even possible, it appears that the day could come sooner than previously expected. Other cryptocurrencies are vulnerable, let alone other centralized systems, but Bitcoin’s decentralization – one of its greatest features – makes it uniquely difficult to perform substantial upgrades. Future breakthroughs may not be made public, because the implications of CRQC extend far beyond cryptocurrencies and deep into the realm of national security, meaning public updates to quantum capabilities like those in these papers may become few and far between. Bitcoiners should not be nonchalant. If there’s even a minor chance that the world’s oldest cryptocurrency could be vulnerable to a new type of attack, the cost of preparing is minimal compared to the risk of doing nothing. –Alex Thorn
Drift Drained for $285m in Second-Largest Solana DeFi Hack
Solana-based perpetuals exchange Drift Protocol suffered a $285 million exploit on April 1, the largest DeFi hack of 2026 and the second-largest in Solana's history. Drift confirmed the incident was due not to a smart contract bug but to compromised multiple signers on the protocol's 2-of-5 multisig (likely through social engineering). The attacker seized admin control and drained the majority of its vaults in under 12 minutes.
To prepare for the attack, the hacker created a fake token, seeded a tiny liquidity pool to build a price history that oracles would recognize. They then induced multisig signers to pre-approve transactions that appeared routine but authorized an administrative takeover. Once in control, the attacker listed the worthless token as valid collateral, removed withdrawal safeguards, and executed 31 rapid withdrawals, draining $285 million in real assets including USDC, JLP, SOL, and wrapped BTC.
Over $230 million in stolen USDC was then bridged to Ethereum via Circle's own Cross-Chain Transfer Protocol (CCTP) across 100+ transactions over approximately six hours, all during U.S. business hours, without Circle freezing any of the funds. Onchain investigator ZachXBT noted that Circle had frozen 16+ business hot wallets in an unrelated civil case just days earlier, raising questions about why the same capability wasn't deployed during an active nine-figure exploit. Circle hasn’t commented on the stolen funds successfully traversing its issuance and bridge architecture.
The fallout extended well beyond Drift. At least 11 downstream protocols with exposure to Drift liquidity or strategies were affected and Solana’s total value locked (TVL) dropped from $6.1 billion to $5.3 billion shortly following the attack. The incident follows the Resolv Labs exploit 10 days earlier, where a compromised signing key was used to mint 80 million unbacked stablecoins and extract ~$25 million, with contagion cascading into Morpho lending markets. Ledger CTO Charles Guillemet drew a direct comparison to the $1.4 billion Bybit hack of 2025, explicitly connecting the pattern to North Korea-linked actors.
Our Take
The uncomfortable truth is that most DeFi protocols operate with meaningful centralized control. Users are implicitly trusting the operational security of a small team of signers, often without knowing who they are or how their keys are managed. While in an ideal world all protocols would be immutable, this would significantly constrain their capabilities. Protocols need the ability to upgrade contracts, patch vulnerabilities, adjust risk parameters, and even pause in times of emergency.
It is imperative that the industry place greater focus on understanding how that authority is structured relative to the capital at risk. What can the keys do — can a single action simultaneously list new collateral, change oracle sources, and remove withdrawal limits? How many signers need to agree? How fast can changes take effect? Who are the signers and how are their keys secured? Drift's 2-of-5 multisig with no timelock was one of the weakest configurations among major Solana DeFi protocols. If there's a silver lining, it's that an exploit this preventable may finally force the industry to treat governance security with the same rigor it treats smart contract security.
Relatedly, Section 305 in the Senate Banking draft of the pending CLARITY Act would provide “hold” authority and a safe harbor that would limit stablecoin issuers’ liability in the case that they voluntarily freeze funds suspected of illicit activity even without a court order (say, for 48 hours).
And yes, once a protocol reaches a certain level of maturation there should be concerted efforts to reduce the scope of the admin key or remove it altogether. But that requires years of proven resilience, and even then, likely means at some point new contracts will need to be deployed to account for shifts in the onchain environment (see Uniswap’s v1, v2, and v3, although ironically Uniswap’s own L2 employs a multisig).
The Drift exploit also lands at a difficult moment for Solana's DeFi ecosystem more broadly. With onchain memecoin activity cooling and Hyperliquid continuing to pull perps market share away from Solana-native venues, the ecosystem was already facing questions about what drives its next phase of growth. Drift was part of the answer as one of Solana's flagship perps exchanges. Losing it, at least for now, makes an already challenging competitive picture materially worse. As we've previously noted, Solana's DeFi lending and derivatives markets have struggled to attract the institutional depth that Ethereum's enjoy. This exploit widens that gap. Attention will likely shift to emerging perps competitors on Solana like Phoenix Perps and BULK, who were already positioning to fill the void. But rebuilding trust at the ecosystem level is a harder problem than any single protocol can solve.
Trustlessness is a core tenet of the crypto ethos, but as this and many other similar exploits make clear, the gap between that ideal and operational reality remains wide. True trustlessness requires tradeoffs most protocols aren't willing to make, and some amount of trust in human operators is embedded in nearly every system that needs the flexibility to evolve. As more economic activity moves onchain — stablecoins, tokenized assets, institutional capital — that activity is not guaranteed to flow through permissionless DeFi. It can just as easily be captured by permissioned, corporate-controlled infrastructure where trust is an expected parameter.
Permissioned chains don't need to outcompete DeFi technically. They just need permissionless DeFi to keep giving institutions reasons not to trust it. The future of finance may hang in the balance. – Lucas Tcheyan
Alternatives (Including Crypto) Inch Closer to 401(k)s
On March 30, the Department of Labor (DOL) took a significant step toward opening 401(k) plans to alternative investments including private equity, private credit, and cryptocurrency.
The proposed rule would establish a six-factor, process-based safe harbor clarifying how fiduciaries (typically the plan sponsor and designated investment committee members) are responsible for selecting and overseeing 401(k) investment options and ensuring the plan is managed in participants’ best interests, in order to satisfy their duty of prudence under Employment Retirement Income Security Act (ERISA).
While ERISA does not explicitly prohibit asset classes such as private equity, private credit, real assets, or cryptocurrencies in 401(k) plans, their adoption has been limited in practice due to litigation risk, regulatory uncertainty, and structural challenges around fees, liquidity, and valuation. The proposed rule seeks to mitigate litigation risk with the six-factor process for evaluating investments, which, if followed and well-documented, may strength a fiduciary’s ability to demonstrate a prudence process in court.
The rule is asset-class neutral. The same framework applies to every investment on a plan's menu, from index funds to target-date funds with private equity sleeves. The six factors are:
Performance: Risk-adjusted expected returns, net of fees, must further the purposes of the plan.
Fees: Fees must be reasonable relative to returns and comparable alternatives.
Liquidity: The investment's liquidity profile must match participants' withdrawal and distribution needs.
Valuation: The investment must be reliably and consistently valued, particularly relevant for illiquid, private-market assets.
Benchmarking: A meaningful benchmark with similar mandates and risk profile must be identified and used for comparison.
Complexity: The fiduciary must have, or obtain, sufficient expertise to understand and evaluate the investment properly.
These six factors are derived from the DOL's comprehensive review of decades of pertinent case law, existing regulations, previous sub-regulatory guidance, Executive Order 14330, and stakeholder input, as well as the DOL's own experience. Rather than novel regulatory invention, the framework codifies and structures standards that courts and practitioners have long applied in evaluating fiduciary conduct.
Our Take
Incorporating alternative investments into 401(k) plans has long been constrained by a combination of regulatory uncertainty, structural frictions, and litigation risk. The regulatory environment had long been inconducive toward alternatives. In March 2022, the DOL issued guidance expressing "serious concerns" about cryptocurrency in 401(k)s, urging fiduciaries to exercise "extreme care" before adding crypto to plan menus. Although that guidance was challenged almost immediately, the case was dismissed on the grounds that the DOL’s release was non-binding and not subject to APA review, leaving its practical deterrent effect in place. Fidelity nonetheless launched its Digital Assets Account the following month, becoming the first major retirement plan provider to offer Bitcoin as a 401(k) investment option. Very few plan sponsors followed suit.
In his second term, President Trump signed Executive Order 14330 in August 2025, directing the DOL, SEC, and Treasury to facilitate alternative investment access in defined contribution plans and reduce the regulatory burdens and litigation risk that had long deterred fiduciaries from acting. DOL’s March 30 proposed rule is a direct implementation of that directive by clarifying the conditions under which alternatives’ inclusion could be considered consistent with fiduciary duty under the ERISA.
The proposal is designed to be defensible on two fronts: first, as a well-reasoned agency framework that may carry persuasive weight with courts; and second, more importantly, as a formulation that closely tracks longstanding ERISA fiduciary principles developed through case law. The proposal also reflects a clear policy shift from deterrence to facilitation, with DOL explicitly seeking to recalibrate the role of litigation in shaping fiduciary behavior. Rather than insulating fiduciaries from suits, the rule attempts to channel judicial review toward process by offering a structured safe harbor that strengthens defenses where prudent procedures are followed. This responds directly to longstanding industry concerns that class action risk has functioned as a de facto constraint on plan design, particularly for higher-fee or less liquid assets like private equity and crypto. At the same time, the DOL acknowledges that litigation risk will persist and that adoption is likely to be incremental, suggesting the rule is intended less as an immediate catalyst for widespread allocation shifts and more as a legal foundation that, if upheld in court, could gradually expand the permissible investment universe for defined contribution plans.
How much of an opening this creates in practice remains an open question. The 401(k) fiduciary community is conservative, and the safe harbor's judicial enforceability is uncertain. Recent stress in private credit markets has further underscored concerns around liquidity, valuation opacity, and downside risk in less transparent asset classes, reinforcing fiduciary caution at the margin. Because courts are no longer required to defer to the DOL's interpretation of ERISA post-Loper Bright, a federal judge could independently determine that including a particular alternative investment was imprudent regardless of whether the fiduciary followed the six-factor process, though such a process would likely be an important factor in the court’s analysis.
A well-established plaintiff’s bar continues to drive 401(k) litigation. Since 2016, more than 500 excessive fee cases have been filed, resulting in over $1 billion in settlements from plan sponsors. Fiduciaries may remain reluctant to be early movers until courts validate the framework through litigation.
That said, the direction is unambiguously positive. This rule fulfills the DOL's part in the broader multi-track effort to open 401(k)s to alternatives. The scale of the opportunity is significant. The 401(k) market holds approximately $10 trillion in assets across roughly 70 million participants. Even a modest allocation shift toward alternatives would represent a transformational new source of capital for private markets.
The comment period for the proposed rule runs through June 1, 2026, after which the DOL will review feedback and determine whether and how to finalize the framework. The ultimate impact will depend less on the rule itself than on how it is interpreted and applied by fiduciaries, regulators, and, ultimately, the courts. – Jianing Wu
Other News
👻Aave v4 launches on Ethereum mainnet
🪙Coinbase gets provisional OCC license
⚖️CFTC sues three states to reaffirm prediction market jurisdiction
☂️Soter Insure offers ETH-denominated slashing cover for stakers, validators
✂️Tether cuts top gold traders months after hiring them from HSBC
🤝Franklin Templeton acquires Coinfund spinoff; price undisclosed
️🏞Moody’s rates a bitcoin-backed muni bond for New Hampshire
🏦Cross River Bank raises $50m to expand further into AI, crypto
🐧Linux Foundation launches x402 Foundation for agentic payments protocol
❌Alabama grants DAOs legal status, limited liability protections
Chart of the Week
Polymarket is effectively taking over Polygon’s blockspace.
At more than 60% of gas usage, the prediction market champion is no longer just a large app on the network; it is becoming the blockchain's primary source of economic activity. (It’s now Polygon’s second-largest application by TVL behind Quickswap).
Using gas abstraction to make trading frictionless for users, Polymarket is pushing the chain toward functioning as the settlement layer for a single breakout use case rather than a broad-based, general-purpose ecosystem.
Legal Disclosure:
This document, and the information contained herein, has been provided to you by Galaxy Digital Inc. and its affiliates (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the stablecoins mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Readers should consult with their own advisors and rely on their independent judgement when making financial or investment decisions.
Participants, along with Galaxy Digital, may hold financial interests in certain assets referenced in this content. Galaxy Digital regularly engages in buying and selling financial instruments, including through hedging transactions, for its own proprietary accounts and on behalf of its counterparties. Galaxy Digital also provides services to vehicles that invest in various asset classes. If the value of such assets increases, those vehicles may benefit, and Galaxy Digital’s service fees may increase accordingly. The information and analysis in this communication are based on technical, fundamental, and market considerations and do not represent a formal valuation. For more information, please refer to Galaxy’s public filings and statements. Certain asset classes discussed, including digital assets, may be volatile and involve risk, and actual market outcomes may differ materially from perspectives expressed here.
For additional risks related to digital assets, please refer to the risk factors contained in filings Galaxy Digital Inc. makes with the Securities and Exchange Commission (the “SEC”) from time to time, including in its Quarterly Report on Form 10-Q for the quarter ended September 30, 2025, filed with the SEC on November 10, 2025, available at www.sec.gov.
Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned, hedged and sold or may own, hedge and sell investments in some of the digital assets, protocols, equities, or other financial instruments discussed in this document. Affiliates of Galaxy Digital may also lend to some of the protocols discussed in this document, the underlying collateral of which could be the native token subject to liquidation in the event of a margin call or closeout. The economic result of closing out the protocol loan could directly conflict with other Galaxy affiliates that hold investments in, and support, such token. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. Similarly, the foregoing does not constitute a “research report” as defined by CFTC Regulation 23.605(a)(9) and was not prepared by Galaxy Derivatives LLC. For all inquiries, please email [email protected].
©Copyright Galaxy Digital Inc. 2026. All rights reserved.