**The Protocol: Bug that can drain all your tokens impacting 'thousands' of sites**

Welcome to The Protocol, CoinDesk's weekly wrap of the most important stories in cryptocurrency tech development. I’m Margaux Nijkerk, a reporter at CoinDesk.

**BUG THAT COULD DRAIN WALLET AFFECTS THOUSANDS OF WEBSITES**

A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites, including crypto platforms, at immediate risk; users of an affected site could see all their assets drained. The flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, allows attackers to execute code remotely on affected servers without authentication.

The vulnerability stems from how React decodes incoming requests to its server-side functions. In simple terms, an attacker can send a specially crafted web request that tricks the server into running arbitrary commands, effectively handing control of the system to the attacker.

React’s maintainers disclosed the issue on Dec. 3 and assigned it the highest possible severity score. Shortly after disclosure, Google Threat Intelligence Group (GTIG) observed widespread exploitation by both financially motivated criminals and suspected state-backed hacking groups, targeting unpatched React and Next.js applications across cloud environments.

**RIPPLE COMING TO ETH L2S**

Ripple, the payments-focused blockchain firm closely related to the XRP Ledger (XRP), is taking its U.S. dollar-backed stablecoin to Ethereum layer-2 (L2) blockchains including Optimism, Coinbase's Base, Kraken's Ink and Uniswap's Unichain in a push to embed the $1.3 billion token deeper into the multichain ecosystem.

The company said it is starting with a test phase ahead of a wider rollout expected next year, pending regulatory approval by the New York Department of Financial Services (NYDFS).

The pilot integrates Wormhole’s Native Token Transfers (NTT) standard, which allows RLUSD to move natively across chains without wrapping or synthetic assets. This helps maintain liquidity and regulatory control while supporting a range of decentralized finance (DeFi) use cases across networks optimized for speed and lower costs.

**AAVE PROTOCOL INTERFACE DEBATE INTENSIFIES**

A debate inside Aave’s DAO is raising questions about who controls the protocol’s interface and who benefits financially from it. The issue surfaced after Aave Labs integrated decentralized exchange aggregator CoWSwap into the app.aave.com interface earlier this month, replacing earlier Paraswap routing used for collateral swaps.

While the change was framed as a user-experience upgrade offering improved execution and MEV protection, delegates later flagged that swap-related fees were no longer flowing to the Aave DAO treasury.

An open letter from Orbit delegate EzR3aL argued that the integration introduced front-end fees of roughly 15 to 25 basis points that accrue to an external recipient rather than the DAO. On-chain data cited in the post showed weekly distributions of ether tied to CoWSwap’s partner-fee mechanism across multiple networks, potentially amounting to millions of dollars annually.

**PUDGY PENGUINS TAKE OVER VEGAS**

Once a breakout non-fungible token (NFT) project during the 2021 crypto boom, Pudgy Penguins is turning to real-world visibility with a high-profile ad placement at the Las Vegas Sphere during Christmas week. Only a few crypto-related brands have secured ad space at the Sphere, a massive LED-covered venue known for its immersive displays and performances by acts like U2 and the Eagles.

A bitcoin-focused activation ran in July, but other examples have been rare. Pudgy Penguins’ ad will run for several days starting December 24 and will include multiple animated segments, according to a person familiar with the deal.

The brand spent roughly $500,000 on the placement — standard for a run at the Sphere. “It’s sort of showing that a crypto project can exceed and go out of crypto, touch the hearts and minds of everyday consumers,” Vedant Mangaldas, chief of strategy and brand at Pudgy Penguins, told CoinDesk.

**AND OTHER NEWS FROM THE WORLD OF CRYPTO**

* OpenAI founder Sam Altman brought artificial intelligence into every corner of people’s lives this year, from the way they work to the way they play.
* AI has already radically transformed the crypto ecosystem in both good ways and bad, guiding trading decisions, aiding developers, and making hackers more efficient.
