Highlights:
- The USPD exploit allowed attackers to mint 98 million USPD tokens and steal $1 million in assets.
- The exploit was carried out through a sophisticated CPIMP attack targeting proxy contracts during deployment.
- USPD responded by offering a bug bounty to recover stolen funds and working with law enforcement.
The decentralized stablecoin protocol USPD has suffered a loss of $1 million due to a major exploit. On December 5, USPD confirmed a breach that allowed hackers to gain control of its proxy contract. Through this access, the attackers minted unauthorized USPD tokens and withdrew funds, including approximately 232 stETH tokens.
How the Exploit Happened
According to USPD, the exploit was the result of a “CPIMP attack.” This attack targeted the deployment window of the proxy contract. The attackers accessed the system via a Multicall3 transaction on September 16 and gained admin access before the deployment script had finished. In doing so, they substituted the legitimate proxy implementation with a hidden malicious version.
🚨 URGENT SECURITY ALERT: USPD PROTOCOL EXPLOIT 🚨
1/ We have confirmed a critical exploit of the USPD protocol resulting in unauthorized minting and liquidity draining.
Please DO NOT buy USPD. Revoke all approvals immediately.
— USPD.IO | The Dollar of the Decentralized Nation (@USPD_io) December 4, 2025
The manipulation allowed the breach to remain concealed for months. The attackers' variant of the contract forwarded calls to the audited, legitimate code, which made it hard to detect. Even the popular blockchain explorer Etherscan displayed the valid contract. The attackers controlled the protocol without anyone noticing until they carried out the minting event and emptied USPD funds.
Additionally, USPD made it clear that the problem was not the audited code or the smart contract logic. Firms such as Nethermind and Resonance had thoroughly reviewed the protocol and made sure it was functioning as expected. The breach was instead due to how the proxy contract was put in place, not an issue with the underlying contract.
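A post-deployment check for the deployment-window takeover described above, as an added example that is not USPD's code. It assumes the proxy keeps its implementation and admin in the standard EIP-1967 storage slots; the snapshot fields, addresses and transaction ids are constructed sample values (on a live chain the storage words would be read with `eth_getStorageAt`).

```python
# EIP-1967 storage slots (constants defined by the standard).
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_WORD = "0x" + "00" * 32

def word_to_address(word):
    """Return the address held in the low 20 bytes of a 32-byte storage word."""
    raw = bytes.fromhex(word.removeprefix("0x").rjust(64, "0"))
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("storage word does not hold a clean address")
    return "0x" + raw[12:].hex()

def audit_proxy(snapshot, expected):
    """Compare a proxy's raw state with what the deployer intended."""
    findings = []
    impl = word_to_address(snapshot["storage"].get(IMPL_SLOT, ZERO_WORD))
    admin = word_to_address(snapshot["storage"].get(ADMIN_SLOT, ZERO_WORD))
    if impl != expected["implementation"].lower():
        findings.append(f"implementation slot holds {impl}, not the audited contract")
    if admin != expected["admin"].lower():
        findings.append(f"admin slot holds {admin}, not the expected admin")
    # Deploying and initializing in different transactions leaves a window
    # in which another sender can initialize the proxy first.
    if snapshot["init_tx"] != snapshot["deploy_tx"]:
        findings.append("proxy was initialized in a separate transaction from its deployment")
    if snapshot["init_sender"].lower() != expected["deployer"].lower():
        findings.append("proxy was initialized by an address other than the deployer")
    # An explorer label is derived data; the raw slot is what the proxy uses.
    if snapshot["explorer_implementation"].lower() != impl:
        findings.append("explorer-displayed implementation differs from the raw slot")
    return findings

# Constructed sample data (hypothetical addresses and transaction ids).
def addr(byte):
    return "0x" + byte * 20
def word(address):
    return "0x" + "00" * 12 + address[2:]
EXPECTED = {"implementation": addr("a1"), "admin": addr("ad"), "deployer": addr("de")}
CLEAN = {"storage": {IMPL_SLOT: word(addr("a1")), ADMIN_SLOT: word(addr("ad"))},
         "deploy_tx": "0x01", "init_tx": "0x01", "init_sender": addr("de"),
         "explorer_implementation": addr("a1")}
TAMPERED = {"storage": {IMPL_SLOT: word(addr("bb")), ADMIN_SLOT: word(addr("cc"))},
            "deploy_tx": "0x01", "init_tx": "0x02", "init_sender": addr("cc"),
            "explorer_implementation": addr("a1")}

if __name__ == "__main__":
    for finding in audit_proxy(TAMPERED, EXPECTED):
        print("FINDING:", finding)
```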
Response and Ongoing Investigation
USPD responded swiftly after learning of the breach. The protocol’s team has informed law enforcement and is collaborating with security researchers. They are also actively tracing the stolen money to halt any further movement. USPD is also negotiating with the major exchanges to stop any trades involving the compromised tokens.
To mitigate the damage, the USPD team recommended that users cease buying the token and revoke all approvals on the protocol. They also provided the attackers with an opportunity to refund the stolen money as part of a typical bug bounty offer. The protocol would mark the incident as a whitehat recovery if the attacker returns 90% of the stolen assets.
7/ To the Attacker:
We are willing to view this as a whitehat rescue. If you return the funds (minus a standard 10% bug bounty), we will cease all law enforcement actions and consider this matter resolved.
Contact us immediately on any channel you wish, or simply return 90% of…
— USPD.IO | The Dollar of the Decentralized Nation (@USPD_io) December 4, 2025
A Growing Trend of DeFi Exploits
This USPD exploit is only one among a series of major exploits that have rocked the DeFi and cryptocurrency space recently. More than $100 million worth of assets have been affected in December alone, with this latest USPD exploit becoming a particularly noticeable case. At the end of November, South Korea’s Upbit exchange revealed a breach of about $37 million that was linked to the Lazarus Group, a well-known hacking group.
Additionally, Yearn Finance was attacked through its yETH token contract, which enabled attackers to mint trillions of tokens and drain $9 million in value. These attacks demonstrate the increasing complexity of DeFi-oriented attacks. Proxies, admin keys, and legacy systems are increasingly being targeted by hackers. As a result, security experts are calling for stronger multi-party computation tools and deployment models to guard against single points of failure.