How the USPD stablecoin protocol hack exposed a sophisticated clandestine proxy attack

Investigators are still piecing together how the USPD stablecoin protocol was drained, as fresh on-chain data and security analyses continue to emerge.

Over $1 million in liquidity drained from USPD

The decentralized finance protocol US Permissionless Dollar suffered a severe security breach that enabled unauthorized stablecoin minting and the loss of more than $1 million in liquidity. According to an incident report shared on the protocol team’s official X account, the attacker deposited roughly 3,122 ETH as collateral on the platform.

The report noted that the exploiter then used this collateral to trigger a bug that allowed them to mint approximately 98 million USPD tokens in a single transaction. Moreover, the faulty logic generated around ten times the appropriate token amount against the original deposit, massively inflating supply and breaking the system’s economic assumptions.

This process also gave the attacker a path to drain an additional 237 stETH from the protocol’s collateral pools. The stolen stablecoins were then converted into about $300,000 worth of USDC via the decentralized exchange Curve, in what security analysts described as a rapid liquidity exit. However, most of the minted tokens remain a focus of ongoing stolen funds tracing efforts.

USPD developers and several cybersecurity monitoring accounts, including PeckShield Alert, quickly warned users once the exploit was confirmed. The team urged community members: “Please DO NOT buy USPD. Revoke all approvals immediately,” stressing that the protocol had suffered both liquidity draining and major governance compromise.

Clandestine proxy attack method used in the breach

The protocol’s technical report said the breach relied on a complex vector called CPIMP, short for Clandestine Proxy In the Middle of Proxy. USPD explained that the attacker front-ran the proxy initialization during deployment on September 16, using a Multicall3 transaction to slip malicious steps into the setup.

Using this method, the exploiter silently seized administrative privileges before the deployment scripts had fully executed. That said, instead of acting immediately, they waited for months before starting to mint coins without authorization. The attacker deployed a “shadow” implementation contract that forwarded all calls to USPD’s audited code, masking the malicious changes behind a familiar interface.

Within this hidden implementation, the attacker gradually introduced event payload manipulation and storage slot spoofing. This combination deceived Etherscan into displaying the original audited contract, even though the live proxy pointed to their own backdoored logic. This camouflage, USPD said, “allowed the attacker to hide in plain sight for months, bypassing verification tools and manual checks” and finally upgrade the proxy, mint about 98M USPD and drain roughly 232 stETH.

A blockchain analyst later echoed the protocol team’s breakdown of the incident. According to their post, flawed proxy initialization during deployment opened the door: the exploiter claimed admin rights, installed the shadow implementation, and used metadata spoofing so block explorers kept showing the supposedly safe audited contract. However, behind that facade, the cpimp exploit details made clear that privileged minting logic had been subverted.

USPD launches investigation and opens talks with attacker

In the immediate aftermath, USPD said it is working with law enforcement agencies and whitehat security groups to track the money trail and freeze assets where possible. “We have flagged the attacker’s addresses with all major CEXs and DEXs to freeze the flow of funds,” the team wrote, signaling a coordinated response to the uspd protocol hack.

At the same time, the protocol signaled willingness to pursue a bug bounty negotiation instead of a purely punitive route. It publicly offered to settle if the attacker returns the funds, minus a standard 10% bug bounty. Moreover, USPD pledged to halt all law enforcement action if the exploiter accepts and either contacts the team directly or returns 90% of the stolen assets on-chain.

The protocol’s statement to its community reflected both frustration and determination. “We are devastated that despite rigorous audits and adherence to best practices, we fell victim to this emerging and highly complex attack vector. We are doing everything in our power to recover assets,” USPD said, describing the case as a stark warning about the evolving sophistication of clandestine proxy attack techniques.

According to CoinMarketCap, the protocol’s native USPD stablecoin has so far maintained its intended peg to the U.S. dollar. However, trading activity has weakened notably, with 24-hour volume dropping by 20% to around $2.56 million. Analysts note that secondary liquidity stresses could still appear if confidence erodes further.

Other DeFi protocols still recovering from November exploits

The USPD incident comes as multiple decentralized finance platforms are still recovering from their own serious breaches. Last Monday, Yearn Finance disclosed an exploit affecting its liquid-staking index token yETH, in which the attacker minted what was effectively an unlimited number of tokens and stole about $3 million in ETH.

Yearn Finance had already endured a separate $9 million exploit in its yETH stableswap pool on November 30. However, the team has begun to claw back capital. So far, it has successfully recovered around $2.39 million, which is earmarked to be returned to affected depositors as part of a structured remediation plan.

Another DeFi project, Balancer, is also in recovery mode after a v2 breach that caused losses of roughly $128 million. The protocol has announced plans to reimburse approximately $8 million to liquidity providers. Moreover, these high-profile cases, combined with the USPD exploit, are reinforcing calls for more robust proxy initialization procedures and on-chain verification standards across the sector.

Overall, the USPD hack underscores how advanced proxy-based exploits, complex deployment races, and liquidity draining strategies are reshaping the risk profile for DeFi stablecoin protocols, even when they have undergone rigorous audits.