Bug that can drain all your tokens impacting ‘thousands’ of sites

Welcome to The Protocol, CoinDesk’s weekly wrap of the most important stories in cryptocurrency tech development. I’m Margaux Nijkerk, a reporter at CoinDesk.

In this issue:

• New React bug that can drain all your tokens is impacting ‘thousands’ of websites
• Ripple Expands $1.3B RLUSD Stablecoin to Ethereum L2s via Wormhole in Multichain Push
• Aave DAO Pushes Back as Interface Fees Shift Away From Treasury
• NFT Project Pudgy Penguins Takes Over Las Vegas Sphere in Holiday Campaign

Network News

BUG THAT COULD DRAIN WALLET AFFECTS THOUSANDS OF WEBSITES: A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites — including crypto platforms — at immediate risk with users possibly seeing all their assets drained, if impacted. The flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, allows attackers to execute code remotely on affected servers without authentication. React’s maintainers disclosed the issue on Dec. 3 and assigned it the highest possible severity score. Shortly after disclosure, GTIG observed widespread exploitation by both financially motivated criminals and suspected state-backed hacking groups, targeting unpatched React and Next.js applications across cloud environments. React Server Components are used to run parts of a web application directly on a server instead of in a user’s browser. The vulnerability stems from how React decodes incoming requests to these server-side functions. In simple terms, attackers can send a specially crafted web request that tricks the server into running arbitrary commands, or effectively handing over control of the system to the attacker. The bug affects React versions 19.0 through 19.2.0, including packages used by popular frameworks such as Next.js. Merely having the vulnerable packages installed is often enough to allow exploitation.— Shaurya Malwa Read more.

RIPPLE COMING TO ETH L2S: Ripple, the payments-focused blockchain firm closely related to the XRP Ledger (XRP), is taking its U.S. dollar-backed stablecoin to Ethereum layer-2 (L2) blockchains including Optimism, Coinbase’s Base, Kraken’s Ink and Uniswap’s Unichain in a push to embed the $1.3 billion token deeper into the multichain ecosystem. The company said it is starting with a test phase ahead of a wider rollout expected next year, pending regulatory approval by the New York Department of Financial Services (NYDFS). The pilot integrates Wormhole’s Native Token Transfers (NTT) standard, which allows RLUSD to move natively across chains without wrapping or synthetic assets. This helps maintain liquidity and regulatory control while supporting a range of decentralized finance (DeFi) use cases across networks optimized for speed and lower costs. Stablecoins are rapidly growing as a key piece of digital-finance plumbing connecting traditional finance and the crypto economy. They are a $300 billion class of cryptocurrencies, with prices pegged to fiat money like the U.S. dollar. — Krisztian Sandor Read more.

AAVE PROTOCOL INTERFACE DEBATE INTENSIFIES: A debate inside Aave’s DAO is raising questions about who controls the protocol’s interface and who benefits financially from it. The issue surfaced after Aave Labs integrated decentralized exchange aggregator CoWSwap into the app.aave.com interface earlier this month, replacing earlier Paraswap routing used for collateral swaps. While the change was framed as a user-experience upgrade offering improved execution and MEV protection, delegates later flagged that swap-related fees were no longer flowing to the Aave DAO treasury. An open letter from Orbit delegate EzR3aL argued that the integration introduced front-end fees of roughly 15 to 25 basis points that accrue to an external recipient rather than the DAO. On-chain data cited in the post showed weekly distributions of ether tied to CoWSwap’s partner-fee mechanism across multiple networks, potentially amounting to millions of dollars annually. That surplus has since declined as routing shifted to CoWSwap’s batch-auction model, which prioritizes execution certainty over price improvement. But at the center of the debate is a distinction Aave Labs says has always existed: the protocol versus the product. In a forum reply, Aave Labs said the interface is operated, funded and maintained independently from the protocol governed by the DAO. Under this model, the DAO controls on-chain parameters, interest rates and protocol-level fees, while Labs retains discretion over optional, application-level features such as swap routing and interface monetization. “Any monetization applies only to accessory features,” Aave Labs wrote, arguing that this separation preserves protocol neutrality and avoids centralizing economic control at the base layer. Critics, however, say the practical reality has been different. Marc Zeller of the Aave Chan Initiative (ACI) said there had been a long-standing expectation that monetization tied to the aave.com frontend — including swap surplus and flash-loan-assisted execution — would benefit the DAO, especially given that the brand, governance legitimacy and much of the underlying development were funded by tokenholders. — Shaurya Malwa Read more.

PUDGY PENGUINS TAKE OVER VEGAS: Once a breakout non-fungible token (NFT) project during the 2021 crypto boom, Pudgy Penguins is turning to real-world visibility with a high-profile ad placement at the Las Vegas Sphere during Christmas week. Only a few crypto-related brands have secured ad space at the Sphere, a massive LED-covered venue known for its immersive displays and performances by acts like U2 and the Eagles. A bitcoin-focused activation ran in July, but other examples have been rare. Pudgy Penguins’ ad will run for several days starting December 24 and will include multiple animated segments, according to a person familiar with the deal. The brand spent roughly $500,000 on the placement — standard for a run at the Sphere. “It’s sort of showing that a crypto project can exceed and go out of crypto, touch the hearts and minds of everyday consumers,” Vedant Mangaldas, chief of strategy and brand at Pudgy Penguins, told CoinDesk. He said that the deal was made possible because the project has a “real business” behind it. – Helene Braun Read more.

In Other News

• Securitize will offer what it calls the first fully compliant onchain trading platform for real public stocks in early 2026, blurring the lines between traditional markets and Web3 infrastructure. The company’s system allows investors to directly own tokenized shares of public companies, issued and recorded onchain, and tradable through a blockchain-based interface, according to an announcement. Unlike synthetic token models that track stock prices via offshore entities or derivatives, Securitize’s approach offers full legal ownership. Each share is issued by the company itself and logged on its official cap table, the firm said. “This is not a synthetic price tracker or an IOU against a custodian,” Securitize wrote in its announcement. “These are real, regulated shares: issued onchain, recorded directly on the issuer’s cap table, and tradable through a familiar Web3 swap-style experience.” That means token holders get real shareholder rights, including dividends and voting privileges, and their assets sit under self-custody, with no middlemen rehypothecating shares behind the scenes. The assets are, nevertheless, permissioned and can only be transferred between compliant, whitelisted wallets. — Francesco Rodrigues Read more.
• Credit card giant Visa (V) is launching USDC settlement in the United States, letting issuer and acquirer partners settle obligations to the card network in Circle’s dollar-pegged stablecoin. The move marks the U.S. phase of a stablecoin settlement program that has reached a $3.5 billion annualized run rate as of Nov. 30, according to a Visa press release. The new option is meant to give banks and fintechs near-instant funds movement, seven-day-a-week settlement and more predictable liquidity around weekends and holidays, while keeping the consumer card experience unchanged. — Will Canny Read more.

Regulatory and Policy

• U.S. Senator Elizabeth Warren has asked for another U.S. national-security probe into a corner of the crypto sector, specifying concerns with PancakeSwap, a decentralized exchange she flagged as trying to amplify coins issued by President Donald Trump-connected World Liberty Financial Inc. She said the exchange, which operates across several blockchains and is a major protocol on Binance’s chain, should be reviewed for connection to “any improper political influence by the Trump Administration on enforcement decisions,” Warren said in a Monday letter to Treasury Secretary Scott Bessent and Attorney General Pam Bondi, asking for them to look into it, echoing a similar request she was involved with last month regarding WLFI. “As Congress considers crypto market structure legislation — including rules to prevent terrorists, criminals, and rogue states from exploiting decentralized finance (DeFi) to fund their activities — it is critical to understand whether you are seriously investigating these risks,” wrote Warren, who is the ranking Democrat on the Senate Banking Committee that must mark up the legislation and approve it before the wider Senate can take a vote. — Jesse Hamilton Read more.
• The U.S. Federal Deposit Insurance Corp. has rolled out the first official rule proposal stemming from the new law governing stablecoin issuers, with its board voting to open a 60-day public comment period on its system for handling applications from its regulated banks looking to issue stablecoins from subsidiaries. The agency — led by Acting Chairman Travis Hill, who is also President Donald Trump’s nominee for the permanent seat — will gather comments and review them before it can release a final rule. The Tuesday proposal, approved by all three members of the shorthanded board, would establish the procedures for accepting applications, reviewing them under a 120-day approval window and offering an appeal process for those rejected. “Under the proposal, the FDIC would adopt a tailored application process that would enable the FDIC to evaluate the safety and soundness of an applicant’s proposed activities based on the statutory factors while minimizing the regulatory burden on applicants,” said Hill, whose nomination could be confirmed as soon as this week by the Senate. The Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act was the first major crypto law approved by Congress, and it set out a complex array of regulators for companies wishing to issue stablecoins, the dollar-tied tokens vital to transactions in the digital assets sector. For insured depository institutions, the FDIC is the assigned regulator. — Jesse Hamilton Read more.

Calendar

• Feb. 10-12, 2026: Consensus, Hong Kong
• Feb. 17-21, 2026: EthDenver, Denver
• Mar. 30-Apr. 2, 2026: EthCC, Cannes
• Apr.15-16, 2026: Paris Blockchain Week, Paris
• May 5-7, 2026: Consensus, Miami