Key Highlights
- An attacker front-ran USPD’s proxy initialization on September 16 and held admin access for 78 days.
- The exploit used CPIMP, a known deployment-time vulnerability that security teams patched across the industry in July.
- USPD now plans V2, recovery pools, and user restitution as the investigation continues.
New findings reveal that the USPD stablecoin protocol suffered a major security breach that allowed an attacker to control its proxy contract for nearly three months, minting $1 million in unbacked tokens and draining protocol reserves. Rekt’s December 8 analysis shows the exploit came from a deployment-phase flaw that the industry had already patched months earlier.
The attacker exploited a narrow time window during USPD’s September 16 deployment, gaining admin rights before the protocol’s legitimate initialization was executed. The attacker’s implementation was itself a hidden proxy that forwarded calls to the audited code, so the protocol behaved normally while the attacker retained control of upgrades.
24-second window leads to 78-day breach
As per Rekt’s analysis, the exploit hinged on USPD deploying its proxy and initializing it in separate transactions. Within 24 seconds of proxy deployment, the attacker front-ran the pending initialization, seizing admin privileges and pointing the proxy at a “shadow” implementation.
The protocol functioned flawlessly for 78 days. Audits from Nethermind and Resonance confirmed the source code was sound, but audits cover the code, not the deployed on-chain state, so the malicious proxy inserted during deployment went unnoticed. On December 4, the attacker struck: upgrading the proxy to malicious logic, minting 98 million USPD, draining 232 stETH, and converting roughly $300,000 into USDC.
Remaining funds, about $1 million, continue to sit in the attacker’s wallet, untouched.
The CPIMP vulnerability strikes again
The attack used CPIMP (Clandestine Proxy in the Middle of Proxy), a vulnerability that security teams patched across dozens of protocols during a July emergency effort. Groups including Dedaub, Venn Security, and SEAL 911 coordinated a 36-hour sweep that saved more than $10 million in assets.
According to Rekt’s breakdown, however, USPD had never applied the recommended safeguards. While the audits certifying its logic were valid, the lack of atomic deployment, that is, deploying the proxy and running its initializer in the same transaction, left the front door open. Researchers argue the breach was preventable, as the same attack vector had compromised Kinto earlier this year.
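To make the two deployment patterns concrete, here is an added example (not USPD’s code, and not from Rekt’s analysis) that places the vulnerable two-transaction deployment described above beside an atomic one. It assumes OpenZeppelin Contracts v5 and its upgradeable package at the usual import paths; `ProtocolV1` and `ProxyDeployer` are hypothetical stand-ins for an audited implementation and a deployment helper, and `expectedImplCodehash` is assumed to be the code hash of the audited build taken from the release artifacts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not USPD's code. Assumes OpenZeppelin Contracts v5 (and the
// matching -upgradeable package) are available at these import paths.
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Stand-in for an audited upgradeable protocol contract (hypothetical name).
/// `initialize` is the only place the owner is set, and the owner is the only
/// account allowed to upgrade, so whoever gets `initialize` mined first on a
/// fresh proxy controls every future upgrade.
contract ProtocolV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalSupply;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // the implementation contract itself can never be initialized
    }

    function initialize(address owner_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
    }

    function mint(uint256 amount) external onlyOwner {
        totalSupply += amount;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Deployment helper (hypothetical) showing the two patterns side by side.
contract ProxyDeployer {
    /// VULNERABLE: the pattern the article describes. The proxy is created with
    /// empty init data and `initialize` is sent in a later transaction. Until that
    /// second transaction lands, anyone can call proxy.initialize(attacker),
    /// become owner, and upgradeToAndCall() to a shadow implementation that
    /// delegates to the real one, so the protocol keeps working while they hold
    /// the upgrade key.
    function deployTwoStep(address impl) external returns (address proxy) {
        proxy = address(new ERC1967Proxy(impl, ""));
        // The window opens here. The legitimate initialize() is a separate tx.
    }

    /// HARDENED: deployment and initialization in a single transaction.
    /// ERC1967Proxy's constructor delegatecalls `initData` into the new proxy
    /// before any other transaction can observe it, so there is nothing to
    /// front-run, and the `initializer` modifier rejects every later attempt.
    function deployAtomic(address impl, bytes32 expectedImplCodehash, address owner_)
        external
        returns (address proxy)
    {
        // Pin the implementation to the audited build. A proxy-in-the-middle has
        // different bytecode from the audited contract and fails this check.
        require(impl.codehash == expectedImplCodehash, "implementation is not the audited build");

        bytes memory initData = abi.encodeCall(ProtocolV1.initialize, (owner_));
        proxy = address(new ERC1967Proxy(impl, initData));

        // Post-condition, checked in the same transaction: the intended owner,
        // not whoever happened to call first, controls upgrades.
        require(OwnableUpgradeable(proxy).owner() == owner_, "owner mismatch after init");
    }
}
```

The same code-hash comparison, run after deployment against the address stored in the proxy’s ERC-1967 implementation slot (`0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc`), is the check that exposes a shadow implementation: its bytecode, and therefore its code hash, differs from the audited build even though every call it forwards behaves correctly.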
USPD offered a 10% bounty for fund recovery, but December 8 on-chain activity shows that some of the stolen ETH had already been routed through Tornado Cash.
Protocol’s bounce back
USPD plans to launch a rebuilt V2 in Q2 2026, introduce recovery pools funded by protocol revenue, and issue claim tokens to affected users. The team has also opened a private channel for the 230 impacted addresses.
Despite the exploit, the USPD stablecoin has maintained its dollar peg, though liquidity is down significantly. The protocol insists that no flaws existed in its smart contract logic, only in the handling of deployment.
The incident is poised to become a case study in DeFi risk management: audits alone are not enough; deployment must be secured, and known vulnerabilities cannot be ignored.
