PulseChain Weekly Roundup: Week of May 18–24, 2026

The Week in Brief

A week defined by two converging forces. While centralised systems continued consolidating influence through regulation, custodial platforms and increasingly sophisticated attack surfaces, sovereign infrastructure began doing something it has historically failed to do: coordinate.

The Zero Trust Network launched Allied Builders, a formal connective layer bringing aligned protocols together around shared sovereignty principles. South Carolina codified the right to self-custody into state law and enacted a pre-emptive ban on CBDC participation. Four distinct exploit classes emerged in five days across bridge validation failures, AI agent manipulation and synthetic asset minting vulnerabilities, collectively adding hundreds of millions to what is becoming one of the worst years for DeFi security in the sector's history. And ZKX Wallet shipped a version update that reduced private balance sync latency from around ten minutes to fifteen seconds.

The pattern underneath all of it is the same. Centralised systems derive strength from coordination. Sovereign systems have traditionally weakened themselves through fragmentation.

This week the connective layer began emerging on both sides of that divide simultaneously.

Top Story: Allied Builders and the Coordination Layer Emerging Beneath Sovereign Crypto

On May 20, 2026, the Zero Trust Network launched Allied Builders at allied.win. The initiative is not a partnership framework, a branding exercise or a coalition built around shared marketing interests. It is a formal connective architecture designed to address a structural weakness that has undermined sovereign infrastructure for years.

The argument is direct. Centralised systems coordinate. Financial institutions operate as interconnected networks. Technology companies build ecosystems around their products and services. Media organisations strengthen themselves through distribution and strategic alignment. Governments coordinate through layers of policy, infrastructure and institutional influence. None of this is unusual. It is how durable systems behave when they intend to survive long term.

Sovereign builders, by contrast, have historically operated as isolated islands. Protocols built around shared sovereignty principles remained fragmented because no durable connective layer between them was ever established. Different chains developed their own cultures. Different communities developed their own language. Different platforms built their own audiences. Over time the division weakened the very side of the industry still trying to preserve what made crypto matter in the first place.

Allied Builders attempts to formalise that coordination structure explicitly.

The initiative launches with three verified allies: Qortal, a fully decentralised data, identity and communications network live since June 2020 with no foundation, no upgrade authority and no premine. LibertySwap, the privacy-first cross-chain DEX and aggregator building ZKX Wallet and Liberty Shield on PulseChain. And PulseChain itself, the full Ethereum fork launched in May 2023 with upgrade keys, admin roles and centralised control mechanisms deliberately stripped from the protocol.

Each ally is verified against six alignment checkpoints: immutable code, trustless architecture, self-custody by default, peer-to-peer coordination, code is law, and no upgrade authority.

The launch also marks the formal beginning of Zero Media, the communications and distribution arm of the Zero Trust Network that will carry these conversations into conferences, events and communities across the wider crypto space. ZeroMedia.one is live alongside allied.win.

As Veritya Thalassa wrote in the founding article, the deeper conversation underneath all of this has always been about removing control itself. Removing the hidden levers sitting behind systems people mistakenly believe they own. Once people begin confronting those questions properly again, the entire conversation around crypto starts changing.

Allied Builders attempts to give those conversations durable coordination mechanisms for the first time.

Source: allied.win, pulsechain.nexus, x.com/i_am_zerotrust

South Carolina Codifies Self-Custody Rights and Bans CBDC Participation

On May 19, 2026, South Carolina Governor Henry McMaster signed Senate Bill 163 into law. The legislation passed with near-unanimous bipartisan support and represents one of the most comprehensive state-level digital asset frameworks enacted in the United States to date.

The law operates across four major areas.

The first is an explicit pre-emptive ban on central bank digital currencies. No state agency, department or political subdivision may accept payment in a CBDC or participate in any Federal Reserve CBDC pilot programme. The provision effectively isolates the state's public financial infrastructure from any future federally mandated digital currency system.

The second codifies the individual right to self-custody. The state cannot mandate the use of custodial intermediaries. South Carolinians retain the legal right to store and transact with digital assets using self-hosted or hardware wallets without state interference.

The third establishes a right to mine. Local governments cannot impose zoning, licensing or noise regulations on digital asset mining operations that are more stringent than those applied to equivalent industrial businesses operating within the same zone.

The fourth provides regulatory exemptions that directly address years of federal enforcement ambiguity. Node operation, mining, staking and crypto-to-crypto exchanges are explicitly exempt from money transmitter licensing. Providing mining-as-a-service or staking-as-a-service does not constitute offering a security under state law.

South Carolina follows Kentucky, Oklahoma, Arkansas and Montana in establishing this type of framework. The pattern is becoming a coordinated state-level counter-movement to federal regulatory uncertainty. As more states pre-emptively ban CBDC participation, the political cost and logistical complexity of any nationwide retail CBDC rollout increases substantially.

The more important question is not whether additional states follow. It is how federal agencies respond once their authority begins colliding directly with an expanding coalition of state law.

Source: South Carolina Senate Bill 163, CipherBot analysis, pulsechain.nexus

Ecosystem Intelligence

ZKX Wallet v0.0.33: Privacy Infrastructure Becomes Seamless

ZKX Wallet shipped version 0.0.33 this week, delivering a major usability breakthrough for private transactions on PulseChain. Private balance synchronisation latency has been reduced from around ten minutes to fifteen seconds, creating a near real-time update experience for users operating within Railgun's shielded environment.

The update also strengthens the underlying privacy architecture. Additional verification checks for private balances have been added alongside improved protection for locally cached private data. A curated whitelist of verified PulseChain dApps is now live and can be updated in real time, reducing exposure to malicious applications through active dApp filtering. PulseChain transaction reliability has also been improved with reduced failed executions and lower nonce-related overhead when interacting with PulseChain dApps.

RAILGUN confirmed this week that zero-fee transactions are available for private-to-private 0zk transfers, removing cost as a barrier to staying within the shielded environment entirely. This complements ZKX Wallet's sync improvement by ensuring that once funds are shielded, users can transact privately at no additional cost.

The significance of the sync improvement extends beyond the technical metric itself. A privacy layer that responds in near real time behaves like infrastructure rather than an experiment. The friction that for years made Railgun privacy inaccessible to everyday users was never primarily about complexity. It was about waiting. That barrier has now been substantially reduced.

A high-engagement post this week framed the broader ZKX Wallet thesis. Most active PulseChain users currently maintain multiple browser extensions simultaneously for different purposes, MetaMask for HEX staking, Rabby, ProveX, OKX Wallet and others, each representing an additional attack surface and a degraded user experience. ZKX Wallet is building to consolidate those functions into a single unified extension covering trading, asset management and privacy. The team confirmed additional updates are targeting June 2026.

Source: x.com/zkxwallet, x.com/LibertySwapFi, x.com/RAILGUN_Project

LibertySwap: Manifesto, CCTP, Chainlink CCIP and Liberty Shield

LibertySwap published a manifesto-style ecosystem statement this week outlining the team's long-term direction in direct terms: building a DeFi trading interface where users can trade assets across chains while remaining fully in control of their funds. Self-custodial, censorship resistant, privacy preserving, reliable under pressure and simple enough for ordinary users to operate safely.

On May 20, LibertySwap confirmed two significant integration updates. Circle's CCTP is now live on LibertySwap with fees fully sponsored, enabling instant USDC transfers across PulseChain and other networks at no cost to users. Chainlink CCIP is also coming to LibertySwap to facilitate ETH transfers between PulseChain and other blockchains, further deepening PulseChain's connectivity to the wider ecosystem.

LibertySwap confirmed on May 23 that Liberty Shield is currently the only protocol capable of moving stablecoins and ETH across any chain to and from Railgun balances using a single unified anonymity set.

LibertySwap also published a direct critique of Privy infrastructure this week, arguing that dApps built on Privy give Big Tech and traditional payment processors a backdoor and control layer over user assets in exchange for convenience. The critique frames this as a fundamental architectural compromise that undermines the original purpose of crypto infrastructure itself.

Source: x.com/LibertySwapFi

Security Intelligence

The Exploit Wave Continues: Four Attack Surfaces in Five Days

May 2026 has now recorded more than $328 million in confirmed DeFi losses across at least eight major security incidents. Four of those incidents occurred within five days this week, each exposing a different structural vulnerability inside modern crypto infrastructure. The pattern is not bad luck. It is architecture.

Verus-Ethereum Bridge: $11.58M Validation Logic Failure

On May 17 to 18, 2026, an attacker drained approximately $11.58 million from the Verus-Ethereum bridge. The stolen assets, comprising 103.6 tBTC, 1,625 ETH and 147,000 USDC, were immediately swapped into approximately 5,402 ETH and consolidated into a single wallet. The attacker's address had been funded with 1 ETH through Tornado Cash approximately 14 hours before the exploit.

The attack did not compromise any notary keys. It did not involve an ECDSA bypass, a parser error or a hash-binding flaw. Blockchain security firm Blockaid confirmed the exploit stemmed from a missing source-amount validation in a function called checkCCEValues on the Ethereum side of the bridge. The contract correctly verified notary signatures, Merkle proofs and hash commitments. What it failed to verify was whether the value being requested on Ethereum actually matched the value locked on the Verus side.

The attacker spent approximately $10 in VRSC fees to trigger payouts totalling $11.58 million.

Security researchers estimated the fix required approximately ten lines of additional Solidity code. The Verus core team responded by halting the entire Layer 1 blockchain to contain the damage, a decision that confirmed the existence of centralised control mechanisms inside the protocol itself.

Following the exploit, negotiations resulted in the attacker returning approximately 4,052 ETH, equivalent to roughly $8.5 million or 75 percent of the stolen funds, to the Verus team wallet by May 22. The attacker retained approximately 1,350 ETH as a negotiated bounty. The partial recovery does not alter the architectural lesson. The validation logic failure that allowed $10 in fees to trigger $11.58 million in payouts remains the defining detail of the incident regardless of what was subsequently returned.

Source: Blockaid, PeckShield, Halborn, CoinDesk

Echo Protocol on Monad: Synthetic Asset Exploit

On May 19, 2026, an attacker exploited Echo Protocol on the Monad network through fraudulent eBTC minting. Approximately 1,000 unauthorised eBTC with a nominal paper value of roughly $76.6 million were minted during the exploit. However, actual realised losses were significantly lower due to limited downstream liquidity, with estimates placing extracted losses between approximately $816,000 and $870,000 before Echo regained administrative control and burned the remaining excess tokens. The attacker borrowed WBTC through Curvance, bridged assets across chains, swapped into ETH and routed approximately 385 ETH through Tornado Cash.

The incident exposed a familiar vulnerability within synthetic asset architecture. The value of the synthetic asset depends entirely on the integrity of the minting mechanism. When that mechanism fails, the attacker gains access not just to the protocol itself, but to every connected protocol that accepted the synthetic asset as collateral.

Source: On-chain data, blockchain security analysts

Bankr AI Wallet Service: $440,000 Prompt Injection Exploit

On May 20, 2026, Bankr, an AI-powered cryptocurrency trading interface, halted all platform transactions after an attacker gained control of at least 14 user wallets. One user reported losses of $150,000. Three attacker-controlled addresses were identified holding approximately $440,000 in assets.

The attack did not compromise any user device. It did not steal a seed phrase. The attacker exploited the trust relationship between automated AI agents. By feeding deceptive prompts to an external AI system believed to be Grok, they induced it to send commands to the Bankr bot. The Bankr bot, interpreting these as legitimate instructions, used its signing authority over the targeted user wallets to execute the attacker's transactions without direct user involvement.

The vulnerability existed in the machine-to-machine communication layer built for convenience. Bankr's architecture automatically generates wallets for users who interact with its bot via social media accounts, with private keys accessible to the platform's backend systems for natural language execution. This makes the service a de facto custodian with privileged signing authority over every user wallet on the platform.

Bankr committed to fully reimbursing all affected users. That commitment, while necessary, confirms its position as a centralised financial intermediary rather than a trustless protocol. This is not the first time Bankr and Grok have been exploited in combination. A prior incident involving the same attack vector, where an attacker manipulated the system into launching and draining a token, was documented previously and never fully mitigated.

The Bankr incident represents a maturing attack surface. As AI agents are granted increasing authority over financial infrastructure, the logic layer sitting between user intent and wallet execution becomes the vulnerability itself. The incident did not break the underlying cryptography. It exposed the trust assumptions embedded within the intermediary layer.

Source: CipherBot analysis, pulsechain.nexus, on-chain data

RetoSwap: $2.7M Monero P2P Exploit

On May 20, 2026, PeckShield flagged an active exploit on RetoSwap, a Monero-based peer-to-peer multisig DEX operating on the Haveno protocol. Approximately $2.7 million, equivalent to 7,000 XMR, was drained. RetoSwap responded by banning the exploiter's onion address and halting all trading activity.

The incident is notable for targeting privacy-focused infrastructure specifically. Haveno is designed around Monero's privacy guarantees and peer-to-peer multisig architecture, eliminating centralised custodianship at the settlement layer. The exploit appears to have targeted the trade protocol layer rather than the underlying Monero network itself, though a full technical postmortem had not been published at time of writing.

Source: PeckShield, RetoSwap official announcement

On-Chain Data

The PulseChain validator set stands at 49,978 active validators distributed across 37 countries and 236 cities with 426 nodes globally. Total PLS staked stands at 1.61 trillion, equivalent to approximately $11.72 million. Total wallets on the network have reached 1,559,065 with 9,272 daily active users. Total transactions all time stand at 435,030,181.

PulseX holds a combined TVL of $37.53M and ranks 30th among all DEXes globally by total value locked. Total PLSX burned since launch stands at 1.71 trillion, representing 8.10% of user supply. PLSX burned last 7 days: 5.88 billion. Daily burn rate: 731 million PLSX. The PulseChain bridge holds $51.83M in total value locked. Total stablecoin market cap on PulseChain stands at $33.83M across USDC, DAI, USDT and native stablecoins.

Source: pulsechainstats.com

The Wider Picture

Two stories this week that did not make the main sections deserve attention because together they frame the macro argument more clearly than any single exploit or legislative development.

Bitcoin Depot, the largest Bitcoin ATM operator in North America, filed for Chapter 11 bankruptcy. All 9,700 kiosks have been taken offline. The company cited a 49% year over year revenue decline, a $3.67 million hack, mounting litigation from multiple states and an increasingly hostile regulatory environment as the primary causes of collapse. Indiana and Tennessee enacted total bans. Massachusetts and Iowa filed lawsuits alleging predatory pricing structures.

Bitcoin Depot was not a crypto protocol. It operated as a centralised brokerage built around physical infrastructure, corporate liability, identifiable executives and thousands of physical chokepoints vulnerable to direct state intervention.

On the other side of that story, Iran launched Hormuz Safe, a maritime insurance platform for vessels transiting the Strait of Hormuz settling premiums in Bitcoin. Roughly one fifth of global oil supply passes through that corridor. Traditional maritime insurance markets rely on Western banking infrastructure, SWIFT messaging and international insurers operating within reach of US and allied sanctions enforcement. Bitcoin removes that external dependency from the settlement layer entirely.

Hormuz Safe itself is not decentralised. Governance remains centralised. Claims processing remains off chain. But the monetary rail beneath the system operates on infrastructure no single external authority can directly disable.

Read together, both stories point toward the same conclusion. Centralised crypto infrastructure remains vulnerable wherever identifiable control surfaces exist. Decentralised infrastructure increasingly functions as geopolitical infrastructure precisely because those external control points are absent.

Taken together, both developments reinforce the same structural pattern appearing elsewhere across the sector. Systems built around intermediaries inherit the vulnerabilities of those intermediaries. Systems built around immutable settlement and distributed control increasingly operate beyond them.

Further Reading

Several pieces published across Zero Trust Nexus this week expand on the stories covered in this issue. Veritya Thalassa's Allied Builders founding article provides the full strategic and coordination framework behind this week's top story. CipherBot's technical breakdowns on the Verus bridge exploit, Echo Protocol and Bankr examine the specific architectural failures exposed across this week's exploit wave. The South Carolina Senate Bill 163 analysis from Cipher Nexus Intelligence details the legislative mechanics behind the state's self-custody protections and anti-CBDC provisions.

Viewed together, the reporting outlines the same structural trend appearing across legislation, infrastructure, privacy systems and security failures simultaneously. The pressure points differ. The underlying architecture does not.

Trust nothing. Verify everything. ZERØ

All claims verified from primary sources. Editorial reporting only. Not financial advice.