PulseChain Weekly Roundup: Week of June 8–14, 2026

The Week in Brief

The fastest way into a protocol this week was not through its code. It was through whatever the code was forced to trust: a signing key on the wrong laptop, a governance vote for sale, or a bank acting on the state's behalf. The question underneath all of them: who holds the power to rewrite the rules, and how cheaply can that power be seized?

On-chain attackers walked away from Humanity Protocol with approximately $36 million after compromising signing keys stored on a single employee's laptop. A governance attacker spent roughly $1.1 million acquiring voting majority in the Token of Power DAO, then extracted $1.58 million from the treasury. In traditional finance, the Department of Justice opened a formal investigation into coordinated bank debanking of cryptocurrency businesses, confirming what the ecosystem has described for years as a systematic chokepoint rather than isolated commercial decisions.

Different layers, different attackers, one underlying weakness: wherever authority concentrated, someone found it cheaper to seize the authority than to break the system around it. The weaker the separation between ownership and execution, the faster it fell.

Meanwhile, PulseChain produced blocks. The ecosystem kept shipping. And the base layer continued its 1,128-day record without interruption, rollback, or administrative intervention.

Top Story: Humanity Protocol (~$36M)

The Humanity Protocol bridge was governed by a 3-of-6 Gnosis Safe multisig on Ethereum and a 3-of-5 multisig on BNB Chain. In principle, that meant three separate people on three separate devices would need to sign any critical transaction. In practice, it meant something different.

During initial setup, multiple signing keys from both multisigs were backed up to a single employee's laptop. Founder Terence Kwok confirmed this publicly after the attack. The entry point, confirmed by Quantstamp's independent investigation, was a phishing email impersonating South Korean exchange Bithumb. Malware installed via that email compromised the private keys backed up on the infected machine.

The breach unfolded through three separate authority failures. An admin hot wallet private key was stolen directly, resulting in the loss of approximately 6 million H tokens. On Ethereum, the attacker used three of six Gnosis Safe owner keys to transfer ProxyAdmin ownership to a wallet they controlled, then upgraded the bridge to a malicious implementation and drained approximately 141 million H tokens in a single transaction. On BNB Smart Chain, three of five Safe owner keys were used to seize the token contract's ProxyAdmin and mint approximately 300 million additional H tokens across two tranches. All six compromised keys, three on each chain, were stored on the same device.

The total settled at approximately $36 million. Quantstamp linked the attack to actors with indicators consistent with known DPRK cyber intrusion techniques. No recovery of funds has been announced, though the team has posted a $1 million bounty, is running a live exploiter tracker, and is coordinating with exchanges and law enforcement. The Ethereum deployment has since been secured using a separate multisig that was never compromised. The BNB Smart Chain deployment will be abandoned.

BlackHart's initial forensic report, covering only the BNB Chain activity, put the loss at $23 million. CipherBot's report, covering both chains, settled at $36 million, the figure used here.

The contract logic was never exploited. BlackHart marked it safe. The upgrade authority layered above the contract was the entire attack surface: no timelock to delay the proxy transfer, no mint cap to limit damage once access was gained, no real-time alerting on admin-ownership changes. Every mechanism that could have slowed the attacker was absent.
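The missing real-time alerting on admin-ownership changes can be sketched as a log scanner. This is an added example, not code from Humanity Protocol or from any of the reports cited here. It assumes the contracts emit the standard OpenZeppelin `OwnershipTransferred` and ERC-1967 `Upgraded` events; all addresses, allowlists and the block window are constructed.

```python
"""Alert on proxy-control changes in eth_getLogs-shaped records (constructed data)."""

# topic0 = keccak-256 of the event signature (OpenZeppelin Ownable / ERC-1967)
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def addr(n):
    """Constructed 20-byte address for the sample data."""
    return "0x" + f"{n:02x}" * 20

def topic(a):
    """Encode an indexed address argument: left-padded to 32 bytes."""
    return "0x" + "0" * 24 + a[2:]

def from_topic(t):
    return "0x" + t[-40:].lower()

# Hypothetical watchlist and allowlists (assumptions, not the project's addresses)
PROXY_ADMIN, BRIDGE_PROXY = addr(0xA1), addr(0xB2)
SAFE, REVIEWED_IMPL = addr(0x51), addr(0xC3)
APPROVED_OWNERS, APPROVED_IMPLS = {SAFE}, {REVIEWED_IMPL}
WINDOW = 50  # blocks; an upgrade this soon after an owner change is escalated

def scan(logs):
    """Return (severity, rule, address, block) alerts for unapproved control changes."""
    alerts, bad_transfer_block = [], None
    for entry in sorted(logs, key=lambda e: e["blockNumber"]):
        t0, emitter, block = entry["topics"][0], entry["address"].lower(), entry["blockNumber"]
        if t0 == OWNERSHIP_TRANSFERRED and emitter == PROXY_ADMIN:
            new_owner = from_topic(entry["topics"][2])  # topics[1] is the previous owner
            if new_owner not in APPROVED_OWNERS:
                bad_transfer_block = block
                alerts.append(("CRITICAL", "proxyadmin-owner-changed", new_owner, block))
        elif t0 == UPGRADED and emitter == BRIDGE_PROXY:
            impl = from_topic(entry["topics"][1])
            if impl not in APPROVED_IMPLS:
                chained = bad_transfer_block is not None and block - bad_transfer_block <= WINDOW
                rule = "takeover-sequence" if chained else "unapproved-upgrade"
                alerts.append(("CRITICAL", rule, impl, block))
    return alerts

def make_log(emitter, block, *topics):
    """Build a record in eth_getLogs shape, with blockNumber already decoded to int."""
    return {"address": emitter, "blockNumber": block, "topics": list(topics)}

# Constructed sample: a reviewed upgrade, an unrelated transfer, then the takeover pattern
SAMPLE_LOGS = [
    make_log(BRIDGE_PROXY, 100, UPGRADED, topic(REVIEWED_IMPL)),
    make_log(addr(0x77), 150, OWNERSHIP_TRANSFERRED, topic(SAFE), topic(addr(0xEE))),
    make_log(PROXY_ADMIN, 200, OWNERSHIP_TRANSFERRED, topic(SAFE), topic(addr(0xEE))),
    make_log(BRIDGE_PROXY, 203, UPGRADED, topic(addr(0xDD))),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(*alert)
```

An alert of this kind only buys response time when a timelock sits between the ownership change and the upgrade; without one, both can land in consecutive blocks.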

A multisig is not security if all the keys live in the same place.
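The point can be checked against a signer inventory: how many devices must be compromised to reach a Safe's threshold, as opposed to how many keys. The following is an added example, not part of the original article or any cited report; the key names, device names and inventory layout are constructed to mirror the 3-of-6 and 3-of-5 setup described above.

```python
"""Effective multisig threshold measured in devices, not keys (constructed inventory)."""
from itertools import combinations

# safe name -> (signature threshold, owner keys); names are hypothetical
SAFES = {
    "eth-safe": (3, [f"eth-owner-{i}" for i in range(1, 7)]),
    "bnb-safe": (3, [f"bnb-owner-{i}" for i in range(1, 6)]),
}

def inventory(shared_backup):
    """Map each key to the devices holding a copy (primary or backup).

    With shared_backup=True, three keys per Safe are also backed up to one
    setup laptop, as in the incident; otherwise each key lives on its own device.
    """
    locations = {}
    for _, owners in SAFES.values():
        for i, key in enumerate(owners, start=1):
            locations[key] = {f"hw-{key}"}
            if shared_backup and i <= 3:
                locations[key].add("setup-laptop")
    return locations

def min_devices(threshold, owners, locations):
    """Smallest set of devices whose compromise exposes >= threshold owner keys."""
    devices = sorted(set().union(*(locations[k] for k in owners)))
    for n in range(1, len(devices) + 1):
        for combo in combinations(devices, n):
            exposed = [k for k in owners if locations[k] & set(combo)]
            if len(exposed) >= threshold:
                return n, combo
    return None, ()

def shared_devices(safes, locations):
    """Devices that hold keys for more than one Safe (cross-chain blast radius)."""
    seen = {}
    for name, (_, owners) in safes.items():
        for key in owners:
            for device in locations[key]:
                seen.setdefault(device, set()).add(name)
    return {d for d, names in seen.items() if len(names) > 1}

def audit(safes, locations):
    report = {}
    for name, (threshold, owners) in safes.items():
        n, combo = min_devices(threshold, owners, locations)
        report[name] = {"nominal": threshold, "effective": n, "devices": combo}
    return report

if __name__ == "__main__":
    for label, shared in (("as deployed", True), ("keys separated", False)):
        locations = inventory(shared)
        print(label, audit(SAFES, locations), shared_devices(SAFES, locations))
```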

Additional reporting: ZachXBT, CoinDesk, Humanity Protocol post-mortem

Security Intelligence

The Token of Power ($TOP) exploit did not require finding a vulnerability in the contract. The attack surface was the governance model itself.

Total supply of $TOP was fixed at 16,384 tokens. The Aragon DAO controlling the treasury required a simple majority to execute proposals. An attacker purchased 8,192 tokens, precisely 50.001% of supply, at a cost of approximately $1.1 million, then submitted and passed a proposal draining the treasury. Gross extracted: $1.58 million. Net profit after the cost of acquiring decision rights over the treasury: approximately $472,000.

The distinction from Humanity Protocol matters. Humanity was a key compromise attacking the operational security layer. $TOP was a governance capture attacking the decision-making layer. Two different failure modes, both circling the same question: who can seize custody of the funds, and how cheaply. The $TOP attack answers it precisely: anyone with enough money to buy the votes.

Corroborated by: PeckShield, Blockaid.

Syscoin's bridge suffered a validation flaw this week that allowed approximately $10 million in tokens to be minted without corresponding backing. The bridge was paused, and by midweek the exploited funds had been moved to a recovery address, with a fix identified and implemented and neutralisation pending. MILC Platform reported a $161,000 admin key compromise following the same root failure mode as Humanity Protocol but at smaller scale. Raydium confirmed approximately $1.3 million was drained from 2021-vintage legacy contracts that were never formally decommissioned on-chain. Raydium pledged a full refund via treasury and confirmed no impact on active protocol users. The lesson is the same one that surfaces in every zombie-contract incident: deprecated code that remains live on-chain remains a target.

Corroborated by: PeckShield (Syscoin).

The Shai-Hulud Hades campaign distributed at least 19 poisoned packages through PyPI, with 37 malicious wheels identified in the June 8 wave alone. The technically significant detail is the evasion method: the packages used credential-stealing code delivered via Python path hooks and Bun JS, specifically engineered to defeat AI-powered automated analysis tools. Security teams increasingly rely on AI-based static analysis to flag malicious packages before they reach developers. This campaign treated that defence layer as a constraint to engineer around, which is the clearest documented example yet of attackers directly countering AI-assisted defence.

Additional analysis: Socket, Orca, StepSecurity.

A separate CipherBot investigation published June 11 documented a fourth distinct attack pattern running parallel to the week's key compromise and governance incidents. At least four DeFi protocols, Truebit, Trusted Volumes, Aperture Finance, and Ekubo, lost a combined $36.7 million to attackers who reverse-engineered their unverified smart contracts using AI-assisted decompilation tools. The largest single loss was Truebit at $26.2 million, from a contract that had remained unverified on-chain since 2021. Each protocol had withheld its source code from public block explorers under the assumption that obscurity provided a security advantage. Modern decompilation tools, accelerated by AI pattern recognition, now defeat that assumption systematically. What once required a skilled reverse engineer spending weeks on a single contract can be partially automated and deployed across thousands of unverified contracts simultaneously. The Truebit integer overflow vulnerability was elementary, the kind of flaw that would have been caught immediately by public security review. It survived for three years inside an opaque contract and was eventually found by someone with the wrong incentives.

AI and Security: Both Sides of the Perimeter

This week produced documented evidence of AI operating on both sides of the security boundary simultaneously.

On the attack side, the Shai-Hulud Hades PyPI campaign weaponised knowledge of how AI-based code analysis flags suspicious patterns, then built packages specifically engineered to evade those flags. On the defence side, BlockSec and QuillAudits independently used AI-assisted formal verification to confirm the Zcash counterfeiting vulnerability discovered in May. QuillAudits published their formal verification analysis on June 11. The methodology pairs AI probabilistic detection with mathematical formal proof: AI identifies the likely vulnerability, formal verification proves it with rigour. These are complementary tools, and their application to Zcash this week represented a meaningful step forward in how the sector approaches cryptographic security research.

The Zcash Ironwood upgrade, built to close the counterfeiting vulnerability by forcing all ZEC through a turnstile on migration, remains on track. A large Orchard pool withdrawal flagged by Arkham on June 11, approaching 1% of total ZEC supply, was verified as routine pre-migration repositioning by holders ahead of pool deprecation. No official concern was raised by Shielded Labs, the Zcash Foundation, or any independent security researcher. The story remains the supply-integrity arc it has been since the vulnerability was disclosed, not a crisis.

Verification cross-checked via Shielded Labs and the Zcash Foundation.

Sovereignty and the Regulatory Layer

The Department of Justice confirmed this week it is actively investigating coordinated bank debanking of cryptocurrency businesses. The United States Attorney's Office for the District of Columbia has issued subpoenas to JPMorgan Chase, Bank of America, and Wells Fargo, demanding lists of terminated accounts and the justifications for their closure. The probe is examining whether the closures violated FIRREA, the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, a statute historically used to prosecute bank fraud. Documented examples in the investigation include JPMorgan closing the personal accounts of Uniswap founder Hayden Adams in early 2022 and Frax Finance founder Sam Kazemian reporting that JPMorgan staff explicitly stated the bank was closing accounts of individuals whose primary income derived from crypto.

Banks operating as an intervention layer for the state, not as commercial entities making independent credit decisions, is not a new observation. It is now a documented subject of federal investigation with named institutions and issued subpoenas.

What the week put on record is not a thesis argued from principle but three documented instances of the same dynamic. Attackers obtained on-chain custody by compromising keys and governance tokens. White-hat councils are formalising their own DeFi governance layer, with DeFi United establishing coordinated security and oversight infrastructure across the sector. The state consolidated its grip on the traditional finance layer through bank pressure. Every concentration of authority invites an attempt to capture it, and the week demonstrated why building infrastructure that removes the intermediary in the first place is the only response that holds against all of them.

The GENIUS Act has been federal law since July 2025, and its stablecoin freeze-by-design provisions belong to the same concentration-of-authority pattern. Its freeze and block capabilities were core provisions from passage, not proposals, and the regulatory machinery is now in the implementation phase, with agency rulemaking comment periods running through 2026, including one that closed June 9. The framework mandates compliance points such as issuer-level freezes and AML controls at the stablecoin layer. Those are precisely the intervention points PulseChain's architecture does not contain.

CipherBot's piece on Meta's Ray-Ban faceprint system, published June 9 on pulsechain.nexus, documented a dormant biometric capability found in the companion app's production codebase: code built to convert faces into signatures, store them, and trigger "person recognised" alerts. Meta removed it via a unilateral patch after discovery, a decision the people affected had no visibility into. Those people are not Meta's customers; they are anyone within line of sight of the glasses, none of whom consented to biometric capture.

The same logic runs through the age verification legislation advancing in Australia, the United Kingdom, the European Union, Malaysia, and Indonesia. The capability gets built quietly and activated once the climate has shifted enough to make it unremarkable. The infrastructure is always the tell, not the press release.

Ecosystem Intelligence

Liberty HyperMarket launched this week, confirmed via official posts from the LibertySwap account. The platform offers prediction and outcome markets powered by Hyperliquid HIP-4, with World Cup, cryptocurrency, and politics markets available at launch. 100% of platform fees currently route to PCOCK buyback and burn, the interim structure LibertySwap implemented during the week's market weakness, reverting to a split structure when conditions improve. Early post-launch data showed $440,000 or more moving into V3 liquidity.

The Week 5 roundup covered Liberty HyperMarket as a confirmed roadmap item with a launch window ahead of the World Cup. It shipped on schedule. Announced, dated, and delivered within a single week, against a market that had just posted a significant selloff. The prediction market space is competitive and Polymarket is the dominant player by volume. The real test for HyperMarket is whether it attracts sustained trading activity in the weeks ahead. The launch is the milestone. Traction is what comes next.

Sigma Protocol continued publishing detailed technical disclosure this week, with the builder @SIN3R6Y releasing follow-up posts on the protocol's permissionless index framework. The architecture allows anyone to deploy an on-chain index basket, a DTF, without approval or intermediary, with DTF tokens operating as standard PRC20s and a mint-based rebalancing model structured to eliminate impermanent loss at the index level. The governance token carries a fixed supply of 9 million coins. Sigma has not yet launched on mainnet. Audit status and launch timeline are the remaining items to confirm.

ZKX Wallet announced a deep integration with LibertySwap's Liberty Private Swap and Liberty Shield tools, enabling a few-clicks workflow for shielding funds through RAILGUN directly from the ZKX interface. ZKX Mobile was confirmed as launching this month. As of the weekend, the mobile app had not yet shipped, with the team signalling it as imminent. The integration announcement is confirmed. The mobile launch is scheduled but not yet delivered.

Peer, formerly ZKP2P, launched Seller Autopilot, automating the seller side of P2P fiat-to-crypto ramps. Sellers connect payment apps once and an automated layer handles payment verification and escrow release using a trusted execution environment. LibertySwap amplified the development as part of the PulseChain sovereign onboarding stack, and the connection to the DOJ debanking story is a genuine editorial one: the state is investigating the exact banking chokepoint this infrastructure exists to route around.

The trust assumption travels with the progress report. Seller Autopilot uses Intel SGX-style secure hardware, which introduces a hardware root of trust and an enclave operator as a trust assumption. It is trust-minimised, not trustless. If the enclave is compelled or compromised, the credential handling is affected. A Zero Trust publication's job is to name that assumption alongside the genuine progress. Both are part of the same accurate picture.

A CipherBot investigation published Friday June 13 put the week's security incidents into broader context. The second quarter of 2026 produced approximately 70 separate DeFi security incidents extracting $746 million in total, the highest exploit frequency on record. The two largest incidents were the $293 million KelpDAO cross-chain messaging failure in April and the $285 million Drift Protocol social engineering compromise attributed to the Lazarus Group. What emerged from those three months was not one catastrophic failure but an industrialised exploit economy scanning the entire stack continuously: bridges, admin keys, governance mechanisms, operational workflows, cross-chain messaging layers, and the human beings managing signing procedures.

The conclusion CipherBot drew from Q2 is precise: the danger is no longer only in the code. It is in everything the code is forced to trust.

PulseChain was not in that list. It was not in the list for Q1. It has not appeared in a security incident since genesis. The reason is architectural rather than fortunate. There are no admin keys. There is no upgrade authority. There is no pause function. There is no bridge controlled by a multisig that can be seized by compromising a laptop. There is no governance token that can be purchased into a controlling majority. The protocol removes several of the trust assumptions repeatedly exploited across those incidents.

The ecosystem kept building during a week when the sector recorded 70 separate incidents across a single reporting period. Liberty HyperMarket went live and Peer shipped Seller Autopilot. Sigma Protocol continued its technical disclosure toward a mainnet that has not yet arrived. ZKX announced its RAILGUN integration with mobile still pending. PulseChain produced blocks at normal rates throughout.

The network does not need to respond to those incidents. It was not built to need to.

On-Chain Data

Figures pulled Sunday June 14, 2026 from pulsechainstats.com. Aggregator totals may differ from other trackers including DefiLlama due to differing methodologies.

The network has now operated for 1,128 consecutive days since genesis without interruption, rollback, or administrative intervention. Total PLSX burned since launch has reached 8.20% of user supply, 1.73 trillion tokens, representing approximately $7.9 million in value permanently removed from circulation.

48,066 active validators secure 1.54 trillion PLS across 37 countries, with a current validator APR of 8.84%. PulseX holds a combined TVL of $35.34 million and ranks 30th among all DEXes globally. Total PulseChain TVL across all protocols stands at $46.73 million. PLSX burned in the last seven days: 9.81 billion. PLS total burned since genesis: 235.49 billion. Bridge TVL: $49.10 million. Total wallets: 1,568,589. Daily active users: 7,832.

The week's market context: Monday opened with a broad selloff, PLS down approximately 7% alongside losses across the sector. The market partially recovered through the week. The base layer produced blocks at normal rates from the first block of the week to the last.

Source: pulsechainstats.com

Further Reading

The BlackHart forensic report on Humanity Protocol is the most complete anatomy of a multisig key compromise published this week and is worth reading in full before forming an opinion on what the protocol failure actually was. The CipherBot Q2 2026 exploit wave analysis, published June 13 on pulsechain.nexus, gives the full quarterly context for the security section and is the clearest account available of how the exploit economy has industrialised. The unverified contracts piece from June 11 pairs directly with the AI and security thread and documents the four protocols lost to AI-assisted decompilation in parallel with the week's other incidents. The faceprint glasses piece is the companion read to the sovereignty section's surveillance thread and rewards reading alongside the age verification coverage.

pulsechain.nexus


Keys, votes, and banks all gave way this week. The one system with nothing to seize kept producing blocks.

Trust nothing. Verify everything. ∞ ZERØ
