USPD.io has confirmed that its US dollar–pegged stablecoin suffered a major security breach that allowed attackers to secretly mint nearly 100 million tokens and drain hundreds of stETH from its liquidity. The protocol warned users to halt any interactions with USPD, including buying the token or maintaining prior approvals, as the team works to contain the incident and assess the full scale of the damage.
According to USPD.io, the breach did not stem from flaws in the audited smart contract. Instead, the attackers targeted the project during a critical moment: the deployment of its proxy architecture. The protocol had undergone audits from Nethermind and Resonance, and USPD.io stressed that its codebase had been thoroughly tested. However, the exploit relied on a newly emerging attack vector that manipulated the deployment sequence rather than the contract logic itself.
The attack occurred on September 16 and used a technique called CPIMP, short for Clandestine Proxy in the Middle of Proxy. The proxy went live before the deployment script had finished configuring it, and by landing a Multicall3 transaction in that window the attackers claimed administrative control of the protocol first. With that authority they pointed the proxy at a hidden implementation contract that forwarded calls to the verified, audited implementation while quietly altering storage and emitting misleading event data. Because block explorers resolve a proxy's implementation from exactly that kind of event and storage data, the shadow implementation appeared to be the legitimate contract, which made the exploit extremely difficult to detect.
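The deployment-stage gap described above is easiest to see side by side with its fix. The following Foundry test is an added example and is not USPD.io code; it assumes OpenZeppelin v5 and forge-std, and `ExampleToken` is a hypothetical stand-in for an upgradeable token whose first `initialize()` caller becomes the owner and therefore the upgrade authority. The first test deploys the proxy and initialises it in two separate transactions, so an attacker can initialise it first; the second passes the initializer calldata to the proxy constructor so creation and initialisation happen atomically, then reads the EIP-1967 implementation slot directly rather than trusting explorer labels or `Upgraded` events. The Multicall3 batching the attackers used is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not USPD.io code. Assumes Foundry (forge-std) and OpenZeppelin v5.
import {Test} from "forge-std/Test.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical minimal upgradeable token: whoever runs initialize() first becomes owner,
// and only the owner may upgrade the proxy to a new implementation.
contract ExampleToken is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    constructor() {
        _disableInitializers(); // the logic contract itself can never be initialised
    }

    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract ProxyDeploymentTest is Test {
    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    address deployer = makeAddr("deployer");
    address attacker = makeAddr("attacker");

    // Deployment-stage gap: the proxy is live after tx 1 but not initialised until tx 2.
    // Any transaction that lands in between can claim ownership, and with it upgrade rights.
    function test_twoStepDeployCanBeFrontRun() public {
        vm.startPrank(deployer);
        ExampleToken impl = new ExampleToken();
        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), ""); // tx 1: empty init data
        vm.stopPrank();

        vm.prank(attacker); // lands before the deployer's tx 2
        ExampleToken(address(proxy)).initialize(attacker);

        vm.prank(deployer); // the intended tx 2 now reverts: already initialised
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        ExampleToken(address(proxy)).initialize(deployer);

        assertEq(ExampleToken(address(proxy)).owner(), attacker); // attacker controls upgrades
    }

    // Hardened: initializer calldata is executed inside the proxy constructor, so the
    // proxy is never observable on-chain in an uninitialised state.
    function test_atomicDeployLeavesNoWindow() public {
        vm.startPrank(deployer);
        ExampleToken impl = new ExampleToken();
        ERC1967Proxy proxy = new ERC1967Proxy(
            address(impl),
            abi.encodeCall(ExampleToken.initialize, (deployer))
        );
        vm.stopPrank();

        vm.prank(attacker);
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        ExampleToken(address(proxy)).initialize(attacker);

        assertEq(ExampleToken(address(proxy)).owner(), deployer);

        // Post-deploy check: read the implementation address from the proxy's own storage
        // slot. An Upgraded event or an explorer label can be faked; this slot cannot.
        address liveImpl = address(uint160(uint256(vm.load(address(proxy), IMPL_SLOT))));
        assertEq(liveImpl, address(impl));
    }
}
```

The same slot read can be performed against a live deployment with `eth_getStorageAt` (or `cast storage <proxy> <slot>` in Foundry) and compared with the audited implementation's address before any approvals are granted; the admin slot `0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103` should be checked the same way for transparent proxies.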
Through this covert control, the attackers upgraded the proxy and minted roughly 98 million USPD tokens. They then drained around 232 stETH from the protocol. Early on-chain analysis from blockchain researcher Emmett indicated that the exploit began after the attacker deposited more than 3,000 ETH as collateral, used the vulnerability to mint tokens worth many times that amount, and ultimately withdrew over 230 stETH before exchanging the newly created USPD on Curve for about $300,000 in USDC.
USPD.io has begun working with law enforcement agencies, security partners, and centralised and decentralised exchanges to track the stolen funds. The attacker’s wallets have been flagged to limit further movement of the assets. The team also addressed the perpetrator directly, offering to treat the event as a whitehat rescue if 90 per cent of the funds are returned. In such a scenario, USPD.io said it would drop all legal actions and allow the attacker to keep the remaining 10 per cent as a bounty.
The protocol described the incident as deeply distressing, particularly given its investment in audits and adherence to best practices. It plans to publish a comprehensive post-mortem explaining how the attack unfolded and what measures will be taken to harden the system against similar threats.
The breach highlights the rapid evolution of exploit strategies in decentralised finance, where attackers increasingly focus on deployment-stage gaps and proxy manipulation rather than flaws in the contract logic itself. USPD.io’s swift disclosure and engagement with authorities demonstrate the kind of transparency that may help mitigate fallout in an industry where sophisticated exploits continue to push defensive tools to their limits.
