Welcome to The Protocol, CoinDesk’s weekly wrap-up of the most important stories in cryptocurrency technology development. I’m Margaux Nijkerk, a reporter at CoinDesk.
In this issue:
- New React Bug That Can Drain All Your Tokens Affects ‘Thousands’ Of Sites
- Ripple Extends $1.3B RLUSD Stablecoin to Ethereum L2s via Wormhole in Multichain Push
- Aave DAO pushes back when interface fees are moved away from the treasury
- NFT Project Pudgy Penguins takes over Las Vegas Sphere in holiday campaign
Network news
WALLET-DRAINING BUG AFFECTS THOUSANDS OF WEBSITES: A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites – including crypto platforms – at immediate risk; users of an affected site could see all of their assets drained. The bug, tracked as CVE-2025-55182 and called React2Shell, allows attackers to execute code remotely on affected servers without authentication. React’s maintainers disclosed the issue on December 3 and assigned it the highest possible severity level. Shortly after disclosure, GTIG observed widespread exploitation by both financially motivated criminals and suspected government-sponsored hacker groups targeting unpatched React and Next.js applications across cloud environments. React Server Components are used to run parts of a web application directly on a server instead of in a user’s browser. The vulnerability stems from how React decodes incoming requests to these server-side functions. Simply put, attackers can send a specially crafted web request that tricks the server into running arbitrary commands, effectively handing control of the system to the attacker. The bug affects React versions 19.0 through 19.2.0, including packages used by popular frameworks such as Next.js. Simply having the vulnerable packages installed is often enough to allow exploitation. — Shaurya Malwa Read more.
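As an added example that is not part of the article, the script below scans an npm package-lock.json (lockfile version 2 or 3) for React packages whose installed version falls inside the range the article names as affected, 19.0 through 19.2.0. The list of package names to watch and the sample lockfile are assumptions constructed here; the fixed versions to upgrade to come from the React advisory, not from this check.

```javascript
// Added example, not from the article: flag React packages in a package-lock.json (lockfileVersion 2/3)
// whose version falls in the range the article reports as affected by CVE-2025-55182 (19.0 through 19.2.0).
// Assumption: RSC-related package names to check; extend the set from the React advisory.
const WATCHED = new Set(["react", "react-dom", "react-server-dom-webpack"]);

// Parse "major.minor.patch"; a prerelease/build suffix is ignored on purpose so canary builds are caught.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// True when 19.0.0 <= version <= 19.2.0, the inclusive range named in the article.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, [19, 0, 0]) >= 0 && cmp(v, [19, 2, 0]) <= 0;
}

// Walk every installed package, nested node_modules copies included, and return
// those that are both watched and in the affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    const name = path.slice(idx + "node_modules/".length); // keeps "@scope/name" intact
    if (WATCHED.has(name) && isAffected(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a vulnerable React 19.1.0 pair plus a nested
// React 18 copy that must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).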
RIPPLE IS COMING TO ETH L2S: Ripple, the payments-focused blockchain company closely tied to the XRP Ledger (XRP), is taking its US dollar-backed stablecoin to Ethereum layer-2 (L2) blockchains, including Optimism, Coinbase’s Base, Kraken’s Ink and Uniswap’s Unichain, in a push to extend the $1.3 billion token across multiple chains. The company said it is starting with a testing phase ahead of a wider rollout expected next year, pending regulatory approval by the New York Department of Financial Services (NYDFS). The pilot integrates Wormhole’s Native Token Transfers (NTT) standard, which allows RLUSD to move natively across chains without wrappers or synthetic assets. This helps maintain liquidity and regulatory control while supporting a variety of decentralized finance (DeFi) use cases across networks optimized for speed and lower costs. Stablecoins are growing rapidly as an important part of the digital-finance plumbing that connects traditional finance and the crypto economy. They are a $300 billion class of cryptocurrencies with prices pegged to fiat money such as the US dollar. — Christian Sandor Read more.
AAVE PROTOCOL INTERFACE DEBATE INTENSIFIES: A debate inside Aave’s DAO raises questions about who controls the protocol’s interface and who benefits financially from it. The issue emerged after Aave Labs integrated the decentralized exchange aggregator CoWSwap into the app.aave.com interface earlier this month, replacing the Paraswap routing previously used for swaps. While the change was framed as a user-experience upgrade offering improved execution and MEV protection, delegates later flagged that swap-related fees no longer flow into Aave DAO’s coffers. An open letter from Orbit delegate EzR3aL claimed that the integration introduced front-end fees of around 15 to 25 basis points that accrue to an external beneficiary instead of the DAO. On-chain data cited in the post showed weekly distributions of ether tied to CoWSwap’s partner-fee mechanism across multiple networks, potentially amounting to millions of dollars annually. That revenue has since declined as routing moved to CoWSwap’s batch auction model, which prioritizes execution security over price improvements. But at the center of the debate is a distinction that Aave Labs says has always existed: the protocol versus the product. In a forum response, Aave Labs said that the interface is operated, funded and maintained independently of the protocol governed by the DAO. Under this model, the DAO controls on-chain parameters, interest rates and fees at the protocol level, while Labs retains discretion over optional application-level features such as swap routing and interface monetization. “Any monetization applies only to accessory features,” Aave Labs wrote, arguing that this separation preserves protocol neutrality and avoids centralizing financial control at the base layer. However, critics say the practical reality has been different. Marc Zeller of the Aave Chan Initiative (ACI) said there had been a long-standing expectation that monetization tied to the aave.com front end — including swap profits and flash-loan-assisted execution — would benefit the DAO, especially given that the brand, governance legitimacy and much of the underlying development were funded by token holders. — Shaurya Malwa Read more.
PUDGY PENGUINS TAKE OVER VEGAS: Once a breakout non-fungible token (NFT) project during the 2021 crypto boom, Pudgy Penguins is turning to real-world visibility with a high-profile ad placement at the Las Vegas Sphere this Christmas week. Only a few crypto-related brands have secured advertising space at the Sphere, a massive LED-covered venue known for its immersive exhibits and performances by the likes of U2 and the Eagles. A bitcoin-focused activation ran in July, but other examples have been rare. The Pudgy Penguins ad will run for several days starting Dec. 24 and will include several animated segments, according to a person familiar with the deal. The brand spent about $500,000 on the placement — standard for a run at the Sphere. “It kind of shows that a crypto project can transcend and go beyond crypto, touch the hearts and minds of everyday consumers,” Vedant Mangaldas, head of strategy and brand at Pudgy Penguins, told CoinDesk. He said the deal was made possible because the project has a “real business” behind it. — Helen Braun Read more.
In other news
- Securitize will offer what it calls the first fully compliant onchain trading platform for real public stocks in early 2026, blurring the lines between traditional markets and Web3 infrastructure. The company’s system allows investors to directly own tokenized shares of public companies, issued and registered on-chain and tradable through a blockchain-based interface, according to a release. Unlike synthetic token models that track share prices via offshore entities or derivatives, Securitize’s approach offers full legal ownership. Each share is issued by the company itself and logged on its official cap table, the firm said. “This is not a synthetic price tracker or an IOU against a custodian,” Securitize wrote in its announcement. “These are real, regulated shares: issued on-chain, registered directly on the issuer’s cap table and tradable through a familiar Web3 swap-style experience.” This means that token holders get real shareholder rights, including dividends and voting rights, and their assets are in self-custody, without any intermediaries rehypothecating shares behind the scenes. The assets are nevertheless permissioned and can only be transferred between compliant, whitelisted wallets. — Francesco Rodrigues Read more.
- Credit card giant Visa (V) is launching USDC settlement in the US, letting issuer and acquirer partners settle liabilities to the card network in Circle’s dollar-pegged stablecoin. The move marks the US phase of a stablecoin settlement program that had reached an annual run rate of $3.5 billion in transaction volume as of November 30, according to a press release from Visa. The new capability is intended to provide banks and fintechs with near-instant movement of funds, seven-day-a-week settlement and more predictable liquidity around weekends and holidays, while keeping the consumer card experience unchanged. — Will Canny Read more.
Legislation and policy
- U.S. Sen. Elizabeth Warren has called for another U.S. national security probe into a corner of the crypto sector, detailing concerns with PancakeSwap, a decentralized exchange she flagged as an attempt to bolster coins issued by the President Donald Trump-linked World Liberty Financial Inc. She said the exchange, which operates across multiple blockchains and is an important protocol affiliated with Binance, raises questions about whether Trump’s political connection to Binance is influencing the administration’s enforcement decisions, Warren wrote in a Monday letter to Treasury Secretary Scott Bessent and Attorney General Pam Bondi asking them to look into those risks, echoing a similar request she was involved in last month regarding WLFI. Warren is the ranking Democrat on the Senate Banking Committee, which must mark up the legislation before it can be approved in a broader vote. — Jesse Hamilton Read more.
- The US Federal Deposit Insurance Corp. has rolled out the first official draft rules stemming from the new law governing stablecoin issuers, with the board voting to open a 60-day public comment period on its system for handling applications from the banks it regulates that seek to issue stablecoins through subsidiaries. The agency — led by Acting Chairman Travis Hill, who is also President Donald Trump’s nominee for the permanent seat — will gather comments and review them before releasing a final rule. Tuesday’s proposal, approved by all three members of the shorthanded board, would establish the procedures for accepting applications, reviewing them during a 120-day approval window and offering an appeals process for those rejected. “Under the proposal, the FDIC will adopt a tailored application process that will enable the FDIC to evaluate the safety and soundness of an applicant’s proposed activities based on the statutory factors while minimizing the regulatory burden on applicants,” said Hill, whose nomination could be confirmed as soon as this week by the Senate. The Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act was the first major crypto law approved by Congress, and it laid out a complex set of regulators for companies looking to issue stablecoins, the dollar-pegged tokens essential to transactions in the digital asset sector. For insured depository institutions, the FDIC is the assigned regulator. — Jesse Hamilton Read more.
Calendar
- Feb. 10-12, 2026: Consensus, Hong Kong
- Feb. 17-21, 2026: EthDenver, Denver
- March 30-Apr. 2, 2026: EthCC, Cannes
- Apr. 15-16, 2026: Paris Blockchain Week, Paris
- May 5-7, 2026: Consensus, Miami