On April 1, 2026, the Drift Protocol experienced a significant exploit, with publicly reported losses exceeding $270 million. The response in the digital-asset ecosystem was predictable: some called for more controls; others warned against overreach. Both instincts are right. The space between them is exactly where the most important policy work for crypto and open internet financial systems is being done.
In a thoughtful piece published on April 10, 2026, Circle Chief Strategy Officer Dante Disparte argued that openness without accountability is not a feature — it is a vulnerability. The argument deserves attention from any lawyer advising clients on digital assets, financial regulation, or technology compliance.

The United States Treasury Building in Washington, D.C. The Treasury Department is currently leading rulemaking under the GENIUS Act, including financial-integrity norms for stablecoins — the legislative window that will shape regulated digital-asset practice for the rest of the decade. Photo by Rchuon24 via Wikimedia Commons (CC BY-SA 3.0).
The power to freeze is not the power to police
Disparte's central distinction is the right one. When Circle freezes USDC, it is not because Circle has unilaterally decided someone's assets should be taken. It is because the law requires Circle to act — through compliance obligations triggered by lawful process from an appropriate authority.
That distinction matters as a matter of policy. It matters more as a matter of constitutional principle. The framework that allows a regulated stablecoin issuer to act when legally compelled is the same framework that protects every USDC holder from arbitrary or politically motivated interference. Privacy and digital property rights are not casualties of compliance. They are design requirements that compliance is supposed to honor.
For lawyers, the Disparte framing maps cleanly onto familiar doctrine: a regulated intermediary acts at the direction of legal process. The intermediary's discretion is bounded. Due process, property rights, and the presumption that financial privacy is worth protecting all run through the same legal architecture that authorizes intervention in the first place.
This is what separates regulated payment stablecoins from unregulated alternatives. It is not just the technical architecture. It is the accountability architecture that surrounds it.
No single chokepoint can carry the weight
When bad actors exploit a protocol, they do not just steal funds. They probe for the gaps between layers — between wallets and protocols, between exchanges and issuers, between the issuer and the regulator. In those gaps, they move fast.
The lesson Disparte draws from this — and the lesson that should resonate with any practitioner who has worked on a complex regulatory matter — is depth of defense. Every participant in the stack must treat security and accountability as shared obligations:
- Protocols building technological circuit breakers, similar to market-halting mechanisms in traditional markets, that halt activity under defined conditions.
- Wallet providers with security and disclosure standards.
- Exchanges with KYC, AML, and sanctions compliance commensurate with the scale of activity they intermediate.
- Stablecoin issuers operating under regulated frameworks that authorize lawful action with bounded discretion.
- Regulators capable of moving at the speed of the threat without surrendering due process.
Premature or uninformed regulation that attempts to close the entire crypto value chain — by attacking self-hosted wallets, open blockchains, or permissionless DeFi innovation — risks imperiling the system the regulation is trying to protect.
The gap between law and speed is a policy problem
Here is where Disparte's argument has the most relevance for counsel. The technological tools to intervene rapidly already exist. The legal frameworks that would authorize faster, more coordinated action — while preserving property rights and privacy protections — do not yet fully exist.
That gap is not an accident. It is the predictable result of regulation lagging the technology it governs.
For attorneys advising clients in this space, three implications:
- Compliance standards are unsettled. A client's compliance program that was state-of-the-art in 2023 is, in 2026, a starting point. The framework will continue to move.
- Voluntary structures are doing real work. Issuer policies, exchange terms of service, custodian agreements, and DeFi protocol governance documents are filling regulatory gaps. Counsel who reads these documents carefully — and understands their relationship to the underlying statutes — is delivering more value than counsel who waits for the statute to catch up.
- Cross-border exposure is the rule, not the exception. A regulated U.S. stablecoin issuer operates under U.S. law. Its customers operate under their own jurisdictions' laws. The interaction between MiCA in Europe, the GENIUS Act in the U.S., and the various national frameworks is itself a developing field of practice.
The legislative moment
Disparte's piece is, among other things, a call for action on the GENIUS Act and the broader market-structure rules under the CLARITY Act. The argument: codify the standards now, before the next major incident forces a legislative overreaction that closes systems the lawful framework should keep open.
That is a policy judgment, but the underlying legal point is correct. A statutory framework that allows lawful, rights-preserving intervention at the speed of the threat is better than the absence of one — and better than an ad hoc framework written under the pressure of a single bad event.
For lawyers advising clients in financial services, payments, technology, or fintech, the legislative window is open. Comments to the Treasury rulemaking process are being filed now. Trade associations are drafting positions. Sophisticated clients should be at the table, not waiting for the result.
What this looks like in practice
Three pieces of practical advice for clients with material exposure to digital-asset regulation in 2026:
- Map your counterparties' compliance posture. A regulated issuer is a different counterparty risk than an unregulated one. The contracts should reflect that.
- Build the lawful-process pipeline. When law enforcement or a regulator does come calling, the workflow for receiving, evaluating, and responding to lawful process should already exist. The workflow should be built before the first time it is needed.
- Treat policy engagement as part of compliance. The frameworks being written now will govern your client for the next decade. Engagement is not optional.
The full Disparte piece is worth reading. It is one of the more careful articulations of the open-systems-with-accountability framework now in circulation, and it points at the legal work that needs to be done — not at the regulator, but at every participant in the stack.