Welcome to The Protocol, CoinDesk’s weekly coverage of the biggest stories in cryptocurrency technology developments. I’m Margaux Nijkerk, a reporter for CoinDesk.
This issue:
- New React bug that could drain all your tokens is affecting “thousands” of websites
- Ripple expands $1.3B RLUSD stablecoin to Ethereum L2 via wormhole in multi-chain push
- Aave DAO fights back as interface fees shift away from treasury
- NFT project Pudgy Penguins takes over Las Vegas Sphere at holiday event
Network news
Potential wallet-draining bug affects thousands of websites: A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites (including crypto platforms) at immediate risk; users of an affected site could see all their assets drained. The flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, allows an attacker to remotely execute code on an affected server without authentication. React’s maintainers disclosed the issue on December 3 and assigned it the highest severity score. Shortly after the disclosure, Google’s Threat Intelligence Group (GTIG) observed widespread exploitation by financially motivated criminals and suspected state-sponsored hacking groups targeting unpatched React and Next.js applications in cloud environments. React Server Components run parts of a web application on the server instead of in the user’s browser. The vulnerability stems from how React decodes incoming requests to these server-side functions: specially crafted web requests can trick the server into running arbitrary commands, effectively handing control of the system to the attacker. The bug affects React versions 19.0 to 19.2.0, including packages used by popular frameworks such as Next.js, and simply having the vulnerable package installed is often enough to allow exploitation. — Shaurya Malwa Read more.
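Because the story stresses that merely having a vulnerable package installed can be enough, the first thing a defender wants is an inventory check. The following is an added example, not code from CoinDesk or from the React project: a small Node.js script that walks an npm lockfile (the lockfileVersion 2/3 "packages" map) and flags installed copies of the React Server Components packages whose version falls in the 19.0 to 19.2.0 range the story names. The package list in AFFECTED_PACKAGES and the empty `fixed` list are assumptions: populate both from the official advisory for CVE-2025-55182, since patched point releases sit inside that numeric range. The sample lockfile is constructed for the demo.

```javascript
// Added example (not CoinDesk's or React's code): flag RSC packages inside the
// version range reported for CVE-2025-55182 in an npm lockfile (v2/v3 format).

// ASSUMPTION: the React 19 server-component bindings; confirm against the advisory.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Range as stated in the story. Point releases that carry the fix must be
// copied from the advisory into `fixed`; left empty here as a placeholder.
const VULN_RANGE = { min: '19.0.0', max: '19.2.0', fixed: [] };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; the prerelease tag is kept but not
// used for ordering, so canary builds compare like their base version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside [min, max] and is not an explicitly fixed release.
function isVulnerableVersion(version, range = VULN_RANGE) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable strings are not silently treated as safe elsewhere
  if (range.fixed.includes(version)) return false;
  const lo = parseVersion(range.min);
  const hi = parseVersion(range.max);
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/react" or
// "node_modules/some-tool/node_modules/react-server-dom-webpack"; the package
// name is everything after the last "node_modules/" (scoped names included).
function findAffected(lock, affected = AFFECTED_PACKAGES, range = VULN_RANGE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry ""
    const name = path.slice(idx + 'node_modules/'.length);
    if (!affected.includes(name) || !meta.version) continue;
    if (isVulnerableVersion(meta.version, range)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-tool/node_modules/react-server-dom-webpack': { version: '18.3.1' },
    'node_modules/next': { version: '15.0.0' },
  },
};

// Usage: node check-rsc.js [path/to/package-lock.json]; without an argument the
// constructed sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no affected RSC packages found in lockfile');
}
```

One caveat the lockfile view cannot cover: Next.js ships its own vendored copies of the React server bindings inside its own package, which never appear as separate lockfile entries, so for Next.js applications the Next.js version itself has to be checked against the advisory rather than relying on this scan alone.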
Ripple is coming to ETH L2s: Ripple, the payments-focused blockchain company closely associated with the XRP Ledger (XRP), is bringing its USD-backed stablecoin to Ethereum layer 2 (L2) blockchains, including Optimism, Coinbase’s Base, Kraken’s Ink and Uniswap’s Unichain, in a push to embed the $1.3 billion token more deeply into the multi-chain ecosystem. The company said it is currently in a testing phase and expects a wider rollout next year, pending regulatory approval from the New York Department of Financial Services (NYDFS). The pilot integrates Wormhole’s Native Token Transfer (NTT) standard, which allows RLUSD to be moved natively across chains without wrapping or synthetic assets. This helps maintain liquidity and regulatory control while supporting a range of decentralized finance (DeFi) use cases across the networks, with the aim of improving speed and reducing costs. Stablecoins are growing rapidly as a key part of the digital financial plumbing connecting traditional finance and the crypto economy. They are a $300 billion class of cryptocurrencies with prices pegged to fiat currencies such as the U.S. dollar. — Krisztian Sandor Read more.
The Aave protocol interface debate is intensifying: A debate within Aave’s DAO has raised questions about who controls the protocol interface and who benefits financially from it. The issue arose after Aave Labs integrated decentralized exchange aggregator CoWSwap into the app.aave.com interface earlier this month, replacing the previous Paraswap routing for collateral swaps. While the change was considered a user experience upgrade that provided improved execution and MEV protection, representatives later noted that fees associated with the swaps no longer flow to the Aave DAO treasury. An open letter from Orbit on behalf of EzR3aL noted that the integration introduced approximately 15 to 25 basis points in front-end fees, which accrue to external recipients rather than the DAO. On-chain data cited in the post shows ether flowing every week through CoWSwap’s partner fee mechanism across multiple networks, potentially amounting to millions of dollars per year. Swap surpluses have since declined as routing shifted to CoWSwap’s batch auction model, which prioritizes execution certainty over price improvement. But at the center of the debate is what Aave Labs says has always been a distinction: protocol versus product. Aave Labs said in a forum reply that the interface is operated, funded and maintained independently of the DAO-governed protocol. In this model, the DAO controls on-chain parameters, interest rates and protocol-level fees, while Labs retains discretion over optional application-level features such as swap routing and interface monetization. “Any monetization will only apply to ancillary features,” Aave Labs wrote, arguing that this separation maintains protocol neutrality and avoids centralizing economic control at the base layer. Yet critics say the reality is different.
Marc Zeller of the Aave Chan Initiative (ACI) said that there has long been an expectation that monetization related to the aave.com front-end, including swap surplus and flash loan-assisted execution, would benefit the DAO, especially given that the brand, governance legitimacy, and much of the underlying development are funded by token holders. — Shaurya Malwa Read more.
Pudgy Penguins take over Las Vegas: Once the breakout non-fungible token (NFT) project of the 2021 cryptocurrency boom, Pudgy Penguins is now pivoting to real-world visibility with a high-profile advertising run at a Las Vegas arena over Christmas. Only a handful of cryptocurrency-related brands have been given advertising space at the Sphere, a large LED-covered venue known for its immersive displays and performances by bands like U2 and the Eagles. There was a Bitcoin-centric activation in July, but other examples are rare. The Pudgy Penguins ad will run for a few days starting on December 24 and will include multiple animated clips, according to a person familiar with the matter. The brand spent about $500,000 on the placement, which is standard for running on the Sphere. “It kind of shows that a crypto project can transcend and go beyond the crypto space and touch the hearts and minds of everyday consumers,” Vedant Mangaldas, head of strategy and brand at Pudgy Penguins, told CoinDesk. He said the deal was possible because there was “real business” behind the project. — Helene Braun Read more.
Other news
- Securitize will offer what it calls the first fully compliant on-chain trading platform for real public equities in early 2026, blurring the lines between traditional markets and Web3 infrastructure. According to the announcement, the company’s system allows investors to directly own tokenized shares of public companies, which are issued and recorded on-chain and can be traded through a blockchain-based interface. Unlike synthetic token models that track stock prices through offshore entities or derivatives, Securitize’s approach provides full legal ownership. The company said each share is issued by the company itself and is recorded on its official capitalization table. “This is not a synthetic price tracker, nor is it an IOU against a custodian,” Securitize wrote in its announcement. “These are real, regulated shares: issued on-chain, recorded directly on the issuer’s equity structure, and tradable through a familiar Web3 exchange-style experience.” This means token holders receive real shareholder rights, including dividends and voting rights, and their assets are under self-custody, with no middlemen re-hypothecating shares behind the scenes. However, these assets are permissioned and can only be transferred between compliant whitelisted wallets. — Francisco Rodrigues Read more.
- Credit card giant Visa (V) is launching USDC settlement in the United States, allowing issuer and acquirer partners to settle obligations to the card network in Circle’s U.S. dollar-pegged stablecoin. According to Visa’s press release, the move marks the U.S. phase of its stablecoin settlement program, which had an annualized run rate of $3.5 billion as of November 30. The new option is designed to give banks and fintech companies near-instant funds movement, settlement seven days a week and more predictable liquidity during weekends and holidays, while keeping the consumer card experience unchanged. — Will Canny Read more.
Regulation and Policy
- U.S. Senator Elizabeth Warren has called for another U.S. national security investigation into a corner of the cryptocurrency industry, this time raising concerns about PancakeSwap, which she characterized as a vehicle for expanding the reach of tokens issued by World Liberty Financial Inc., which has ties to President Donald Trump. In a letter to Treasury Secretary Scott Bessent on Monday, Warren said the exchange, which operates across multiple blockchains and is a major protocol on Binance Chain, should be scrutinized for ties to “any inappropriate political influence from the Trump administration on law enforcement decisions.” She asked Bessent and Attorney General Pam Bondi to investigate, echoing a similar request she made last month regarding WLFI. “As Congress considers cryptocurrency market structure legislation, including rules to prevent terrorists, criminals, and rogue states from using decentralized finance (DeFi) to fund their activities, it is critical to know whether it is seriously investigating these risks,” Warren wrote. Warren is the ranking Democrat on the Senate Banking Committee, which must mark up and approve the legislation before it can be voted on by the full Senate. — Jesse Hamilton Read more.
- The Federal Deposit Insurance Corp. has unveiled the first official rule proposals stemming from the new law governing stablecoin issuers, with its board of directors voting to open a 60-day public comment period on its process for applications from regulated banks seeking to set up subsidiaries that issue stablecoins. The agency is led by Acting Chairman Travis Hill, President Donald Trump’s nominee for the permanent chairmanship. The agency will collect and review comments before issuing a final rule. Tuesday’s proposal, approved by all three members of the short-staffed board, would establish a process for accepting applications, review them within a 120-day approval window and provide an appeals process for rejected applications. “Under the proposal, the FDIC would adopt a tailored application process that enables the FDIC to evaluate the safety and soundness of an applicant’s proposed activities based on statutory factors while minimizing the applicant’s regulatory burden,” Hill said. The Senate could confirm his nomination as soon as this week. The Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, the first major cryptocurrency law approved by Congress, creates a multi-regulator framework for companies looking to issue stablecoins, tokens pegged to the U.S. dollar that are critical to trading in the digital asset space. For insured depository institutions, the FDIC is the designated regulator. — Jesse Hamilton Read more.
Calendar
- February 10-12, 2026: Consensus, Hong Kong
- February 17-21, 2026: EthDenver, Denver
- March 30 – April 2026: EthCC, Cannes
- April 15-16, 2026: Paris Blockchain Week, Paris
- May 5-7, 2026: Consensus, Miami
