Hacker drains $1M from USPD stablecoin protocol

Decentralized finance protocol US Permissionless Dollar suffered a security breach resulting in unauthorized minting of its stablecoin and the draining of more than $1 million in liquidity. 

According to an incident report from the USPD team’s official X account, the attacker deposited roughly 3,122 ETH as collateral and exploited a bug that allowed them to mint approximately 98 million USPD tokens in a single transaction. 

The process created ten times the amount of tokens against the initial deposit and enabled the hacker to drain an additional 237 stETH collateral. The stolen stablecoins were subsequently converted into about $300,000 worth of USDC through decentralized exchange Curve.

The USPD protocol developers and several cybersecurity accounts, like PeckShield Alert, issued a warning to users immediately after identifying the breach, saying: 

“We have confirmed a critical exploit of the USPD protocol resulting in unauthorized minting and liquidity draining. Please DO NOT buy USPD. Revoke all approvals immediately.”

USPD hacker took advantage of proxies to trick protocol into minting 

The DeFi protocol’s report mentioned that the breach exploited a complex attack vector named “CPIMP,” short for Clandestine Proxy In the Middle of Proxy. USPD explained the attacker front-ran the proxy initialization on September 16 during deployment using a Multicall3 transaction. 

The hacker used CPIMP to seize administrative rights silently before the protocol’s scripts were fully executed, waiting for months to start minting coins without authorization. They implemented a “shadow” contract that forwarded calls to USPD’s audited code, then subtly implemented an event payload manipulation and storage slot spoofing to deceive Etherscan into displaying the original audited contract. 

“This camouflage allowed the attacker to hide in plain sight for months, bypassing verification tools and manual checks. Today, they used their hidden access to upgrade the proxy, mint ~98M USPD, drain ~232 stETH,” USPD wrote.

Blockchain analyst Emmet Gallic reiterated the DeFi protocol’s analysis, adding that a proxy initialization caused the attack during deployment. 

“The attacker claimed admin rights, installed a shadow implementation that spoofed Etherscan into showing the audited contract. The protocol was hacked for months,” he surmised.

USPD to continue with investigations, pledges bounty to hacker

In response to the attack, USPD stated that it is working closely with law enforcement and whitehat security groups to trace and freeze the stolen funds. “We have flagged the attacker’s addresses with all major CEXs and DEXs to freeze the flow of funds,” the team revealed.

The protocol also said it was willing to resolve the situation with the attacker if the funds are returned minus a standard 10% bug bounty. The protocol promised to cease all law enforcement actions if they accepted the offer and encouraged the attacker to contact them directly or return 90% of the stolen assets to see the matter resolved.

“We are devastated that despite rigorous audits and adherence to best practices, we fell victim to this emerging and highly complex attack vector. We are doing everything in our power to recover assets,” USPD told its community.

According to CoinMarketCap, the stablecoin’s peg to the greenback hasn’t been affected so far, but its volume has dropped by 20% within the last 24 hours to around $2.56 million.

DeFi stablecoin protocol breaches were once much bigger than what USPD faced, including a Euler Finance hack in 2023 that led to more than $197 million in losses after stablecoins were drained from its lending pools. 

Two DeFi protocols in recovery mode after November exploits

Last Monday, Yearn Finance became the latest protocol to suffer an exploit on its liquid-staking index token yETH. The perpetrator minted an effectively unlimited number of tokens and stole about $3 million in ETH. 

Yearn Finance had previously suffered a $9 million exploit in its yETH stableswap pool on November 30, but as Cryptopolitan reported on Wednesday, it has already begun recovering stolen funds. So far, the team has successfully reclaimed $2.39 million, which will be returned to affected depositors.

Balancer, another DeFi protocol that lost $128 million through a v2 breach, announced plans to reimburse approximately $8 million to liquidity providers last week.

Get up to $30,050 in trading rewards when you join Bybit today