USPD is facing a severe security breach after an attacker quietly gained control of its proxy contract months ago and used that access to mint new tokens and drain funds.
Summary
- USPD suffered an exploit after an attacker seized proxy admin rights during deployment.
- The breach led to unauthorized USPD minting and stETH outflows worth about $1 million.
- The incident adds to a month of major exploits affecting exchanges and decentralized finance protocols.
USPD disclosed the incident on Dec. 5, saying the exploit allowed an attacker to mint roughly 98 million USPD and remove about 232 stETH, worth around $1 million. The team urged users not to buy the token and to revoke approvals until further notice.
Attackers used hidden proxy control
The protocol stressed that its audited smart contract logic was not the source of the failure. USPD said firms such as Nethermind and Resonance had reviewed the code, and internal tests confirmed expected behavior. Instead, the breach came from what the team described as a “CPIMP” attack, which is a tactic that targets the deployment window of a proxy contract.
According to USPD, the attacker front-ran the initialization process on Sept. 16 using a Multicall3 transaction. The attacker jumped in before the deployment script finished, grabbed admin access, and slipped in a hidden proxy implementation.
In order to keep the malicious setup hidden from users, auditors, and even Etherscan, that shadow version forwarded calls to the audited contract.
The camouflage worked because the attacker manipulated event data and spoofed storage slots so that block explorers displayed the legitimate implementation. This left the attacker in full control for months until they upgraded the proxy and executed the minting event that drained the protocol.
USPD said it is working with law enforcement, security researchers, and major exchanges to trace funds and halt further movement. The team has offered the attacker a chance to return 90% of the assets under a standard bug-bounty structure, saying it would treat the action as a whitehat recovery if the funds are sent back.
Exploit adds to a month of heavy
The USPD incident arrives during one of the another active periods for exploits this year, with losses across December already passing $100 million.
Upbit, one of South Korea’s largest exchanges, confirmed a $30 million breach tied to Lazarus Group earlier this week. Investigators say the attackers posed as internal administrators to obtain access, continuing a pattern that has pushed Lazarus-linked thefts above $1 billion this year.
Yearn Finance also faced an early-December exploit affecting its legacy yETH token contract. Attackers used a bug that allowed unlimited minting, producing trillions of tokens in one transaction and draining about $9 million in value.
The run of incidents highlights the rising sophistication in DeFi-focused attacks, particularly those that target proxy contracts, admin keys, and legacy systems. Security teams say interest is picking up around decentralized multi-party computation tools and hardened deployment frameworks as protocols look to reduce the impact of single-point failures.
