September Blockchain Technology Update: Fusaka timeline confirmed, SIMD-0370 removes the CU cap and BNB Chain performance optimizations

Written by | GaryMa, Wu Blockchain

The WuBlockchain summarizes key developments in the blockchain technology space for September:

Bitcoin

● Bitcoin Core recently released a minor update v29.1, which includes: a substantial reduction of the minimum feerate thresholds for relay/packaging, helping improve block space utilization when the network is uncongested (once most nodes follow, low-fee transactions will propagate and confirm more easily); a new “log write-to-disk rate limiting” feature to prevent logs from exploding and filling disks under abnormal/malicious scenarios, improving node stability and operability; and a tightening in relay policy for “exceptionally high-sigops” transactions in advance of a future BIP54 consensus cleanup to reduce potential DoS risk (normal transactions are basically unaffected, and miners can still choose whether to include them).

Ethereum

● Fusaka upgrade progress: the testnet upgrade timetable is set (Holesky on October 1, Sepolia on October 14, Hoodi on October 28), and mainnet activation is tentatively slated for December 3; it’s confirmed that once Fusaka activates, the mainnet gas limit will be set to 60M (currently 45M);

● Glamsterdam upgrade preparations: EIP-7732/ePBS has previously been confirmed as the core consensus-layer proposal, and EIP-7928/Block-Level Access Lists as the core execution-layer proposal. Subsequent discussions/decisions on related EIPs may be postponed until after Fusaka goes live on mainnet.

● The Ethereum Foundation (EF) is strongly pushing a new standard, ERC-8004 “Trustless Agents,” and has made it a strategic priority led by the newly established decentralized AI team (dAI). The standard aims to solve the centralized trust bottlenecks and data silos in the agent-services ecosystem by building a complete on-chain audit trail through identity, reputation, and verification registries, enabling trustworthy cross-organization and cross-platform interactions. Since its release in August, ERC-8004 has gained support from multiple teams and seen application cases; the next key milestone will be the DevConnect conference in November 2025.

● It was announced that the Holešky testnet will be officially sunset two weeks after the Fusaka upgrade completes, at which point support for its client, testing, and infrastructure will cease. Since its launch in 2023, Holešky has been Ethereum’s largest public testnet, but issues such as validator exit backlogs have made it unsuitable for continued use. The team launched the replacement testnet Hoodi in March of this year to support subsequent protocol upgrades, while developers are advised to move to Sepolia.

● The Ethereum Foundation’s “Privacy & Scaling Explorations” team has been renamed “Ethereum Privacy Steward” (PSE) and released a privacy roadmap proposing end-to-end on-chain privacy built around three pillars: private writes, private reads, and private proofs. The roadmap shows the team is developing PlasmaFold, an L2 design supporting private transfers, with a prototype planned before the November Devconnect conference, alongside initiatives for private voting, compliant private DeFi, and privacy-preserving computation.

● The Ethereum Foundation announced the formation of the dAI team, led by core developer Davide Crapis, to drive Ethereum as the foundational layer for the AI economy and AI software development. In the near term, the focus is implementing the ERC-8004 standard to enable seamless trading for AI agents within the Ethereum ecosystem, with a release expected at the Devconnect conference in November. The long-term goal is to build decentralized AI infrastructure to prevent AI from being monopolized by a few large companies. The Foundation also disclosed it has begun research collaborations with several Silicon Valley firms.

● The $2 million Fusaka audit contest hosted on the Sherlock platform has opened, running for four weeks starting September 15. Its goal is a comprehensive review of the Fusaka upgrade to find vulnerabilities before they impact the network. In addition to the Fusaka audit contest, there is an ongoing bug bounty program with rewards up to $250,000.

● Ethereum co-founder Vitalik Buterin unveiled the latest roadmap today at a developer conference in Japan: in the short term, raise the Ethereum mainnet (L1) gas limit to scale while maintaining decentralization, using tools including ZK-EVM and block-level access lists; in the mid-term, focus on trustless asset transfers and fast settlement across L2s, advancing stage-2 rollups and state-read optimizations; and emphasize on-chain “write privacy” for scenarios such as payments and voting. The long-term goal is a secure, simple, quantum-resistant, formally verified “minimal Ethereum.”

Ethereum L2s

● The Ethereum Layer 2 network Kinto announced it will shut down on September 30. Previously, on July 10, the platform suffered a contract-vulnerability attack in which the attacker forged 110,000 Kinto tokens and cashed out approximately 577 ETH (about $1.55 million), causing the token to plunge around 95%. Although the team later launched the “Phoenix” relaunch plan to try to resume operations, the added debt made further financing unviable. Kinto founder Ramón Recuero pledged to personally compensate Morpho bad-debt users up to $1,100 per address. The platform will return 76% of principal to Phoenix borrowers, and remaining assets will also be used for compensation. He said the platform will be wound down in an orderly manner while safeguarding users’ interests as much as possible.

● On September 10 the Polygon network experienced delays in finality. While the chain continued operating with blocks and checkpoints being produced, there was a 10–15 minute delay in finality due to a milestone issue. The team quickly identified the root cause that day and released Bor v2.2.11-beta2 and Heimdall v0.3.1, the latter as a hard fork executed at 11:00 p.m. that night.

● Mantle Network announced it has completed a mainnet upgrade to adopt OP Succinct, becoming the world’s largest-TVL ZK Rollup with total value locked exceeding $2 billion. Mantle announced its pivot to ZK Rollup last year and is among the first to adopt OP Succinct. This upgrade marks the completion of its transition and lays the foundation for a “liquidity chain” ecosystem supporting DeFi, RWA, and institutional adoption.

Solana

● Jump Firedancer proposed SIMD-0370, planning to remove the fixed per-block compute unit cap after the Alpenglow upgrade. Currently each block has a uniform compute limit (now 60 million CUs, proposed to increase to 100 million), regardless of hardware performance, which constrains the potential of faster validator nodes. Under the new approach, block producers will try to pack more transactions to earn more fees, while validators unable to complete execution within the allotted time will skip that block. Weaker nodes would thus lose rewards, incentivizing hardware upgrades or code optimization. As overall network performance improves, block capacity can be pushed higher, creating a positive feedback loop. This means the block cap would no longer be set by a static number but driven by actual network processing capacity.

● The Solana improvement proposal SIMD-0268 has been accepted (the next step is a community vote on activation), raising the cross-program invocation (CPI) nesting limit from 4 to 8. The proposal aims to increase dApp interoperability complexity by allowing more inter-program calls within a single transaction, thereby improving overall network composability. Cross-Program Invocation (CPI) is how programs call each other. Perpetuals (Perps) typically require multiple program calls for position management, liquidation, and cross-margin operations. The old 4-level nesting limit constrained these interactions; raising it to 8 enables deeper single-transaction interactions and clearer composability.

● Crypto-native R&D firm Temporal published an introduction to Asynchronous Market Queues (AMQs), a method to enable transaction reordering within Solana programs without modifying the Solana protocol. The article first outlines market-maker difficulties in canceling limit orders when asset prices jump, introducing the goal of “Application-level Control of Execution (ACE),” and then presents AMQ as a technical solution that implements ACE at the Solana application layer via “instruction classification + priority ordering,” ultimately solving market pain points and supporting ecosystem innovation. The article also notes AMQ is not a perfect solution, as it can potentially be bypassed by validators and, to achieve priority ordering, sacrifices some instruction atomicity and composability.

BNB Chain

● BNB Chain validators have proposed lowering the minimum gas from 0.1 gwei to 0.05 gwei and shortening the block interval from 750 milliseconds to 450 milliseconds. If implemented, the fee per transaction would drop to about $0.005, further cementing BSC’s competitiveness among low-fee public chains. The past two fee cuts (3→1 gwei, 1→0.1 gwei) already reduced fees by 75%, with daily transactions surging 140% to 12 million. The proposal also sets a core principle: as long as the staking yield remains above 0.5%, gas fees should be pushed as low as possible. The long-term goal is to reduce fees to $0.001 per transaction.

Hyperliquid

● Permissionless Spot Quote Assets went live on mainnet, allowing any stable asset that meets on-chain liquidity and market-making thresholds to “self-serve” as a quote asset for creating new spot trading pairs.

● The USDH stablecoin was enabled as the first “permissionless quote asset.”

Near

● Near Protocol completed a network upgrade on September 23. The core change raises the cap on shard validator seats: 300 → 500 (already effective on mainnet), which means more validators can directly participate in shard-level consensus and block production, improving decentralization and fault tolerance. In tandem, the number of “mandates” per shard was increased: 65 → 105 (with the security threshold parameter raised accordingly), aiming to maintain/improve security and collusion resistance while expanding participation.

Aptos

● Aptos Labs stated that the latest consensus upgrade Velociraptr (AIP 131) will introduce an Optimistic Proposals mechanism in which validators propose a new block every network latency, rather than every two, potentially shortening block time by up to 40%. Currently, Aptos block time is about 100 milliseconds. Initial deployment on the Aptos validator network is expected to begin in September, with full deployment expected to complete in October.

Security-related

● Circle President Heath Tarbert said the company is studying a reversibility mechanism for USDC transactions to address scams or hacks, an idea that is in tension with the core crypto principle of “irreversible transactions.” Tarbert said exploring reversibility while ensuring settlement finality could help increase traditional finance’s acceptance of stablecoins, but it also raises discussions about decentralization principles and centralized risk.

● Cybersecurity firm HiddenLayer reported a “CopyPasta license attack” vulnerability in AI coding tool Cursor, where attackers can hide malicious instructions in LICENSE.txt and README.md files to trick the AI tool into injecting vulnerabilities into codebases. The tool is widely used by crypto exchanges such as Coinbase.

● The account of a well-known developer on NPM was compromised, and a large-scale supply-chain attack is underway, affecting multiple JavaScript packages with over 1 billion downloads and potentially impacting the entire ecosystem. Attackers are planting malicious code in trusted packages to live-replace users’ crypto addresses and steal funds. Guillemet suggested that users without hardware wallets temporarily stop on-chain transactions, and that developers immediately check dependencies. NPM has disabled affected versions, but some frontend risk remains.

● iPhone 17 adopts MIE hardware-level “memory safety” technology, with EMTE real-time verification enabled by default to intercept out-of-bounds, UAF, and other 0-day exploit chains and reduce side-channel risks. Statistics indicate that memory-safety vulnerabilities account for 70% of all software vulnerabilities. This upgrade helps improve the security of wallet signatures and Passkeys.

● According to a ReversingLabs report, hackers are using Ethereum smart contracts to hide malicious URLs to bypass security scans. Researchers found two NPM packages, “colortoolsv2” and “mimelib2,” that can query on-chain smart contracts to obtain command-and-control server addresses and then download second-stage malware, thereby evading traditional detection. Researchers noted that while North Korea’s Lazarus Group has used similar techniques, this is the first discovery of using smart contracts to host malicious URLs, indicating continuous evolution in attack strategies.

● Security company Mosyle disclosed that a newly discovered malware, ModStealer, is targeting cryptocurrency users across macOS, Windows, and Linux. Researchers noted that after being uploaded to VirusTotal, it went undetected by mainstream antivirus tools for almost a month. Mosyle said ModStealer is specifically designed to steal private keys, certificates, credential files, and browser wallet data. Its built-in code targets 56 wallet extensions on Safari and Chromium browsers.

● A variant of the AMOS credential-stealing trojan, Odyssey, is being distributed via fake AI tool ads on Twitter and other channels, luring users to download malware disguised as AI tool clients. It uses AppleScript as the main payload to steal system information, browser data, crypto wallet information, and other sensitive data.

● Yala released an analysis report on the September 14 attack, stating that the attacker used temporary deployment keys during the authorized cross-chain bridge deployment to set up an unauthorized bridge and stole 7.64 million USDC (about 1,636 ETH). The YU token briefly depegged to $0.20 before stabilizing at $0.94. The team said no protocol vulnerability was exploited and Bitcoin reserves were unaffected. The attacker has returned 22.287 million YU tokens, and the remaining 7.713 million YU were converted into 1,635.572 ETH. Yala announced it would burn the illegally minted YU tokens on September 23, restore the 1:1 USDC redemption ratio, and compensate liquidation penalties, while emphasizing strengthened real-time monitoring and third-party audits.

● Shibarium released an update on the September 12 cross-chain bridge security incident, stating that attackers exploited validator signing authority to maliciously withdraw multiple assets via the PoS bridge, and further exits have now been restricted. Official measures include limiting bridging functionality, upgrading contract protections, rotating validator signing keys, migrating to multi-party hardware custody, and cooperating with security firms and law enforcement for investigation. The team confirmed that about 10 validator keys were compromised, exposing insufficient decentralization; going forward, they will focus on enhancing validator dispersion and key management. Bridging will not resume until security hardening and third-party audits are complete, and a full technical postmortem and user compensation plan will be announced after risks are eliminated.

● SlowMist CISO 23pds posted that researchers have discovered a new attack method that can bypass WebAuthn key sign-in. Attackers can hijack the WebAuthn API via malicious browser extensions or XSS vulnerabilities on websites, thereby forcing a downgrade to password login or tampering with the key registration process to steal user credentials. The attack does not require access to the device itself or Face ID, and once a user signs in with a security key on an infected website, their identity may be impersonated and the account compromised. WebAuthn is a passwordless authentication standard based on public-key cryptography, intended to replace traditional password logins with hardware security keys or biometric devices.

● The UXLINK project experienced anomalous transactions totaling about $11.3 million. One address first removed contract admin privileges via delegateCall, then called “addOwnerWithThreshold” to add new multisig members, and transferred about 4 million USDT, 500,000 USDC, 3.7 WBTC, and 25 ETH; the USDC and USDT on Ethereum were swapped for DAI, while USDT on Arbitrum was swapped for ETH and bridged to Ethereum. Minutes later, another address received about 10 million UXLINK (about $3 million) and began selling; it still holds about $2.2 million in unsold tokens.

● The Seedify Fund cross-chain bridge was hacked; the attacker used the bridge contract to mint across multiple chains and sold large amounts of SFUND tokens, and still holds over $1.2 million in BNB assets. CZ posted that industry security personnel helped track the SFUND bridge hacker; $200,000 has been frozen at the HTX exchange, while the remaining funds remain on-chain and the attacker is suspected to be from North Korea. Major CEXs have blacklisted the related addresses.

Others

● Phala Network stated that because Phala’s Polkadot parachain slot will expire on November 20, 2025, it has submitted a proposal to stop the parachain and fully migrate to an Ethereum L2 to align with Intel’s roadmap (TDX + GPU confidential computing) and the broader EVM ecosystem.

● The BRC20 protocol announced a major upgrade, “BRC2.0,” which has integrated the Ethereum Virtual Machine (EVM). The upgrade was carried out jointly by Ordinals developer Best in Slot and BRC20 founder Domo, aiming to give users Ethereum-like composability and programmability while being secured by the Bitcoin network. The upgrade was activated at Bitcoin block height 912,690. (CoinDesk)

● Berachain performed a hard fork upgrade at 00:00 on September 4 (UTC+8). Two execution clients were forked: bera-reth and bera-geth. The upgrade includes: Base Fee set to 1 gwei (BRIP-0002: to alleviate congestion and ensure successful inclusion); block time locked to 2 seconds (BRIP-0003: previously fluctuated between 1.9–2.2s, making inflation rate and APR more stable); block rewards confirmed and kept consistent (BRIP-0004: PoL rewards are automatically distributed per block, with no need for manual triggers).

● Payments giant Stripe and crypto investment firm Paradigm officially released the jointly developed stablecoin payment public chain Tempo, which has entered private testing. The first batch of partners includes Visa, Deutsche Bank, Shopify, Nubank, OpenAI, Revolut, Anthropic, and Standard Chartered, who will jointly participate in design. Stripe CEO Patrick Collison said Tempo is committed to bringing payment acceptance, cross-border settlement, remittances, micropayments, and AI payments on-chain. Tempo will operate as an independent entity, with Paradigm CEO Matt Huang leading a 15-person team for development.

● South Korea’s largest crypto exchange, Upbit, unveiled its self-developed public chain GIWA (Global Infrastructure for Web3 Access). The GIWA chain is built on OP Stack and positioned as an Ethereum Layer 2, aiming to lower the barrier to Web3. According to official information, the GIWA chain features 1-second block times and full EVM compatibility, and developers can directly migrate Solidity contracts and continue using Ethereum tools. Previously, Upbit launched the “Giwa” website with a countdown page.

● The Coinbase engineering team released x402 Bazaar, a discovery platform for AI agents designed to expand its ecosystem based on stablecoin micropayments. Built on the previously released open-source protocol x402, the platform supports AI agents in making instant stablecoin payments across websites. Coinbase said x402 Bazaar fits scenarios such as “pay per visit,” including obtaining market data, calling image or video generation models, and subscribing to real-time financial information, aiming to establish a more complete autonomous transaction flow for AI agents.

● SynFutures stated it will soon carry out a comprehensive protocol upgrade to build a high-performance on-chain suite spanning perpetuals, spot, yield, and RWA, achieving millisecond-level latency and improved institutional-grade liquidity, with an invite-only beta to open in Q4. According to the latest CMC data, the price of the SynFutures token F rose today to $0.0114, up 71.04% on the day.

● The high-performance L1 blockchain Monad has open-sourced its execution client.

● The zero-knowledge computing (ZK) decentralized protocol Boundless announced its mainnet launch, aiming to provide verifiable computation capabilities for different blockchains. The network adopts a Proof of Verifiable Work (PoVW) mechanism and incentivizes with the ZKC token. Projects such as the Ethereum Foundation, Base, Wormhole, and EigenLayer have already started collaborations or integrations with it. The team said more than 30 protocols have integrated its proof functionality.

● Scam Sniffer detected another NPM supply-chain attack: @ctrl/tinycolor (with 2.2 million weekly downloads) published a malicious version that runs an information stealer during npm’s postinstall script to scan and exfiltrate sensitive data. This malicious payload abuses the legitimate sensitive-information scanning tool TruffleHog. Please check whether you downloaded the affected version, pause install/update operations, and pin the package to a known-safe version.

● Movement announced it will upgrade from a sidechain architecture to a Move-based Layer 1 (L1) blockchain, aiming to break current performance bottlenecks and achieve over 10,000 transactions per second (TPS) with sub-second latency. After the upgrade, the Move 2 language will be introduced to add support for enum types, index notation, and compound statements. The network will have MOVE token validators handle consensus and validation, and will open non-lockup token staking to improve decentralization and network stability.

Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish