
Summary: Hackers Exploit USPD Stablecoin via Proxy Deployment Vulnerability

Key Highlights

USPD.io, a stablecoin pegged to the US dollar, has confirmed a critical exploit in its protocol that allowed attackers to mint tokens without authorization and drain millions in liquidity. The team immediately warned users not to buy USPD and to revoke all approvals.

USPD.io emphasized that the exploit was not caused by any flaw in the smart contract itself but was the result of a sophisticated attack that targeted the deployment process. It confirmed that its protocol had undergone audits by top security firms Nethermind and Resonance, and its smart contract code is fully unit-tested.

Details of the attack

The breach took place on September 16 during the deployment of USPD’s proxy system. USPD.io said the attackers used a method called CPIMP (Clandestine Proxy In the Middle of Proxy). They executed a ‘Multicall3’ transaction to gain administrative rights before the deployment script had finished.

Once they had control, the attackers set up a “shadow” implementation. This hidden version forwarded calls to the legitimate, audited contract while altering storage slots and event data. 

Because of this, blockchain explorers such as Etherscan showed the verified contract as normal, hiding the attackers’ control. Using this hidden access, they upgraded the proxy, minted roughly 98 million USPD tokens, and drained around 232 stETH from the protocol.
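Because the explorer view looked normal, a deployment pipeline needs to read the proxy's state directly from a node before any funds or approvals go live. The following is an added example, not code from USPD.io or from the original article. It assumes the proxy follows the EIP-1967 slot layout and that a shadow contract would sit in the implementation slot (the article does not name the proxy standard); the `rpc` callable, addresses, and bytecode are constructed placeholders.

```python
# Added example: direct on-chain check of a proxy, assuming the EIP-1967 layout.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"


def slot_to_address(word):
    """Return the low 20 bytes of a 32-byte storage word as a 0x address."""
    digits = word[2:] if word.startswith("0x") else word
    return "0x" + digits.rjust(64, "0")[-40:].lower()


def verify_proxy(rpc, proxy, expected_impl, expected_admin, audited_runtime):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    impl = slot_to_address(rpc("eth_getStorageAt", [proxy, IMPL_SLOT, "latest"]))
    admin = slot_to_address(rpc("eth_getStorageAt", [proxy, ADMIN_SLOT, "latest"]))
    if impl != expected_impl.lower():
        findings.append("implementation slot holds " + impl)
    if admin != expected_admin.lower():
        findings.append("admin slot holds " + admin)
    # An address match is not enough on its own: also compare the deployed code.
    if rpc("eth_getCode", [impl, "latest"]).lower() != audited_runtime.lower():
        findings.append("code at " + impl + " differs from the audited build")
    return findings


def fake_rpc(storage, code):
    """Constructed stand-in for a JSON-RPC client, so the example runs offline."""
    def call(method, params):
        if method == "eth_getStorageAt":
            return storage.get((params[0], params[1]), "0x" + "00" * 32)
        if method == "eth_getCode":
            return code.get(params[0], "0x")
        raise ValueError(method)
    return call


# Constructed placeholder addresses and bytecode, not values from the incident.
PROXY, IMPL, ADMIN, SHADOW = ("0x" + c * 40 for c in "abcd")
AUDITED = "0x6080604052"
pad = lambda addr: "0x" + "00" * 12 + addr[2:]

clean = fake_rpc({(PROXY, IMPL_SLOT): pad(IMPL), (PROXY, ADMIN_SLOT): pad(ADMIN)},
                 {IMPL: AUDITED})
hijacked = fake_rpc({(PROXY, IMPL_SLOT): pad(SHADOW), (PROXY, ADMIN_SLOT): pad(SHADOW)},
                    {SHADOW: "0x60006000f3", IMPL: AUDITED})

CLEAN_FINDINGS = verify_proxy(clean, PROXY, IMPL, ADMIN, AUDITED)
HIJACKED_FINDINGS = verify_proxy(hijacked, PROXY, IMPL, ADMIN, AUDITED)
```

Run as the last step of a deployment script, a non-empty findings list should abort the rollout. Contracts with constructor-set immutables need those bytes masked before the bytecode comparison.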

Response from USPD.io

USPD.io said it is working closely with law enforcement and whitehat security groups to recover the stolen funds. The attacker’s addresses have been flagged with major centralized and decentralized exchanges to prevent further movement. 

The addresses involved are 0x7C97313f349608f59A07C23b18Ce523A33219d83 and 0x083379BDAC3E138cb0C7210e0282fbC466A3215A.

The team also offered the attacker a chance to return the funds. USPD.io said that if 90% of the stolen assets are returned, all law enforcement action would be halted. Attackers can keep 10% of stolen funds as a bug bounty. The team described this as a potential whitehat rescue.

In a statement, USPD.io said: “We are devastated that despite rigorous audits and adherence to best practices, we fell victim to this emerging and highly complex attack vector. We are doing everything in our power to recover assets.”

A full technical post-mortem is expected to be released soon to explain how the exploit happened and what measures will prevent future attacks.

Implications

The exploit demonstrates just how sophisticated attacks in the crypto space have become. According to USPD.io, the attackers focused on the deployment process rather than the smart contract itself, using proxy manipulation and shadow implementations to remain undetected.

The incident also underscores the value of transparency and fast action. By openly communicating what happened and working with authorities, USPD.io is showing how teams can respond effectively to major security breaches in decentralized finance.


Source Information

Publisher: The Crypto Times

