USPD Hack: $1M Gone in Stablecoin Breach

TL;DR

  • The USPD protocol suffered a critical breach that allowed an attacker to mint 98M tokens and withdraw over $1M in liquidity without triggering any alerts.
  • The attack exploited a CPIMP vector with a clandestine proxy and a shadow contract that operated undetected for months.
  • The hacker deposited 3,122 ETH, triggered a minting multiplier bug, and drained 237 stETH before converting part of the loot into $300,000 in USDC via Curve.

USPD experienced a critical breach that enabled an attacker to mint 98 million tokens and withdraw over $1 million in liquidity.

The episode exposes a rare attack vector combining a clandestine proxy, preemptive initialization, and a shadow contract that operated undetected for months despite multiple external audits. The protocol is working to contain the impact while coordinating legal actions and offering a standard bounty if the attacker returns the funds.

How the USPD Attack Happened

The incident began when the hacker deposited roughly 3,122 ETH as collateral and triggered a bug that multiplied the minting capacity tenfold in a single transaction. This maneuver created 98 million USPD and drained an additional 237 stETH. Part of the stolen assets was then converted into approximately $300,000 in USDC via Curve. The team warned users not to buy USPD and to revoke all approvals linked to the affected contract.

Subsequent analysis revealed that the attack used a vector called CPIMP, which allows interference in the proxy initialization process before deployment scripts execute. The attacker intercepted the initialization on September 16 through a Multicall3 transaction and took administrative control before the protocol could apply its usual checks. They then installed a shadow contract that forwarded calls to the audited code but manipulated events and storage slots to make Etherscan display the legitimate implementation. This camouflage hid the intrusion for months and enabled large-scale minting without alerting validators or users.
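
A post-deployment check for the pattern described above, as an added example that is not code from USPD or its auditors: it flags a proxy whose first initialization did not come from the deployer in the deployment transaction, and one whose real delegatecall target differs from the implementation its events and storage slot advertise. The record layout, finding codes, addresses and transaction ids are all constructed; in practice the fields would be filled from a node's receipts, storage reads and call traces.

```python
from dataclasses import dataclass

@dataclass
class ProxyObservation:
    """Facts gathered about one proxy; this record layout is hypothetical."""
    deployer: str
    deploy_tx: str
    init_calls: list      # [(tx_id, sender)] in chain order
    event_impl: str       # implementation named by the latest upgrade event
    slot_impl: str        # implementation read from the proxy's storage slot
    traced_target: str    # first delegatecall target seen in a call trace
    audited_impl: str     # address the audit report covers

def audit_proxy(obs):
    """Return finding codes; an empty list means no anomaly was observed."""
    low = str.lower
    findings = []
    if not obs.init_calls:
        findings.append("UNINITIALIZED")            # anyone can still claim it
    else:
        first_tx, first_sender = obs.init_calls[0]
        if low(first_sender) != low(obs.deployer):
            findings.append("INIT_BY_THIRD_PARTY")  # initialization was front-run
        if first_tx != obs.deploy_tx:
            findings.append("INIT_NOT_ATOMIC")      # window between deploy and init
    advertised = {low(obs.event_impl), low(obs.slot_impl)}
    if advertised != {low(obs.audited_impl)}:
        findings.append("ADVERTISED_IMPL_NOT_AUDITED")
    # Events and slots can be forged by whoever initialized first, so the
    # address the proxy really delegates to must be checked separately.
    if low(obs.traced_target) not in advertised:
        findings.append("HIDDEN_INTERMEDIARY")
    return findings

# Constructed sample data (not real addresses or transactions).
AUDITED, SHADOW = "0x" + "a1" * 20, "0x" + "5d" * 20
DEPLOYER, STRANGER = "0x" + "d0" * 20, "0x" + "bb" * 20
CLEAN = ProxyObservation(DEPLOYER, "tx-01", [("tx-01", DEPLOYER)],
                         AUDITED, AUDITED, AUDITED, AUDITED)
HIJACKED = ProxyObservation(DEPLOYER, "tx-01",
                            [("tx-02", STRANGER), ("tx-03", DEPLOYER)],
                            AUDITED, AUDITED, SHADOW, AUDITED)

if __name__ == "__main__":
    for name, obs in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, audit_proxy(obs) or "no findings")
```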

Bounty Offer for the Attacker

USPD stated that its code had passed audits from Nethermind and Resonance and that the flaw was not in the contract logic but in a hard-to-detect deployment vector. The immediate priority is tracing the funds, freezing addresses, and coordinating with centralized and decentralized exchanges. The protocol offered to close the case if the attacker returns 90% of the assets and keeps a 10% bug bounty.

The incident adds to a series of recent attacks in the DeFi ecosystem. In November, Yearn Finance suffered two exploits linked to its yETH token, with combined thefts of over $12 million, though part of the funds has already been recovered. Balancer is also progressing in its restitution process after losing $128 million in an attack.
