The USPD is facing a serious security breach after attackers secretly gained control of agency contracts months ago and used that access to mint new tokens and exfiltrate funds.
summary
- USPD fell victim to an exploit in which an attacker gained proxy administrator privileges during deployment.
- This breach resulted in the fraudulent minting and exfiltration of approximately $1 million worth of stETH by the USPD.
- The incident adds to a month of major exploits affecting exchanges and decentralized finance protocols.
USPD disclosed the incident on December 5th, stating that the exploit allowed the attackers to mint approximately 98 million USPD and delete approximately 232 stETH worth approximately $1 million. The team called on users to revoke their authorizations and not to purchase tokens until further notice.
Attacker used hidden proxy controls
The protocol emphasized that the audited smart contract logic was not the cause of the failure. USPD said companies including Nethermind and Resonance reviewed the code, and internal testing confirmed expected behavior. Rather, this breach was due to what the team described as a “CPIMP” attack, a tactic that targets the implementation period of proxy contracts.
🚨 Urgent Security Alert: USPD Protocol Exploitation 🚨
1/ We have identified significant abuse of USPD protocols resulting in fraudulent minting and liquidity leaks.
Don’t buy USPD. Please revoke all authorizations immediately.
— USPD.IO | Decentralized States Dollar (@USPD_io) December 4, 2025
You may also like: Ethereum smart contracts exploited by AI: GPT-5 and Claude demonstrate multi-million dollar vulnerabilities
According to USPD, the attacker used a Multicall3 transaction to perform the initialization process on September 16th. The attacker entered the deployment script before it completed, gained administrative access, and sneaked into the hidden proxy implementation.
To keep the malicious setup hidden from users, auditors, and even EtherScan, its shadow version forwarded calls to the audited contract.
This spoofing worked because the attacker manipulated the event data and spoofed the storage slots, allowing the block explorer to view the legitimate implementation. This left the attackers with complete control for several months until they upgraded the proxy and ran a mint event that drained the protocol.
USPD said it is working with law enforcement, security researchers and major exchanges to track the funds and prevent further movement. The team said it offered the attackers the opportunity to return 90% of their assets under a standard bug bounty scheme and would treat the action as a white-hat recovery if the funds were returned.
Exploits make your month even heavier
The US police incident comes during one of the busiest periods of exploitation this year, with losses already exceeding $100 million in December.
Upbit, one of South Korea’s largest exchanges, confirmed a $30 million breach related to Lazarus Group earlier this week. Investigators say the attackers gained access by posing as internal administrators, continuing a pattern that has led to more than $1 billion in Lazarus-related theft this year.
Yearn Finance also faced an exploit affecting its legacy yETH token contract in early December. The attackers exploited a bug that allowed for unlimited minting, generating trillions of tokens in a single transaction and exfiltrating approximately $9 million in value.
The series of incidents highlights the growing sophistication of DeFi-focused attacks, particularly those targeting proxy contracts, administrative keys, and legacy systems. Security teams say there is growing interest in decentralized multiparty computing tools and hardened deployment frameworks as protocols seek to reduce the impact of single points of failure.
read more: Balancer repays $8M recovery funds to liquidity provider after $128M v2 exploit
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
