Protocol Exploited, Leading to Unauthorized Stablecoin Minting and Liquidity Drain
Decentralized finance protocol US Permissionless Dollar (USPD) has experienced a significant security breach, resulting in the unauthorized minting of its stablecoin and the draining of over $1 million in liquidity.
According to an incident report shared by the USPD team on their official X account, an attacker deposited approximately 3,122 ETH as collateral. This collateral was then exploited through a bug that allowed the attacker to mint around 98 million USPD tokens in a single transaction. This process effectively created ten times the amount of tokens against the initial deposit.
The exploit also enabled the hacker to drain an additional 237 stETH collateral. Subsequently, the stolen stablecoins were converted into approximately $300,000 worth of USDC through the decentralized exchange Curve.
The USPD protocol developers, along with several cybersecurity accounts such as PeckShield Alert, issued an immediate warning to users upon identifying the breach. They stated: "We have confirmed a critical exploit of the USPD protocol resulting in unauthorized minting and liquidity draining. Please DO NOT buy USPD. Revoke all approvals immediately."
Exploit Leveraged Proxies for Deceptive Token Minting
The DeFi protocol's report detailed that the breach exploited a complex attack vector known as "CPIMP," which stands for Clandestine Proxy In the Middle of Proxy. USPD explained that the attacker initiated a front-running attack on the proxy initialization on September 16, during the deployment phase, using a Multicall3 transaction.
In a thread posted on December 4, 2025, USPD.IO | The Dollar of the Decentralized Nation (@USPD_io) wrote: "2/ This was not a flaw in our smart contract logic. The USPD protocol underwent rigorous security audits by top-tier firms @NethermindEth and Resonance. Our code is fully unit-tested and adheres to strict industry standards. The logic itself remains secure."
The hacker utilized CPIMP to silently gain administrative rights before the protocol's scripts were fully executed. This allowed them to wait for months before commencing unauthorized coin minting. They implemented a "shadow" contract that forwarded calls to USPD's audited code, subtly manipulating the event payload and spoofing storage slots to deceive Etherscan into displaying the original audited contract.
"This camouflage allowed the attacker to hide in plain sight for months, bypassing verification tools and manual checks. Today, they used their hidden access to upgrade the proxy, mint ~98M USPD, drain ~232 stETH," the USPD team stated.
Blockchain analyst Emmet Gallic corroborated the DeFi protocol's analysis, adding that a proxy initialization during deployment was the cause of the attack. He surmised, "The attacker claimed admin rights, installed a shadow implementation that spoofed Etherscan into showing the audited contract. The protocol was hacked for months."
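A post-deployment check that does not depend on the storage slot or events an explorer reads, as an added example that is not USPD's code: it walks a call trace shaped like geth's callTracer output (keys `type`, `to`, `calls`) and reports any contract sitting between the proxy and the audited implementation, plus whether initialization was atomic with deployment. All addresses, transaction hashes and traces are constructed sample data, and the function names are hypothetical.

```python
# Added example. Addresses, tx hashes and traces are constructed sample data.
PROXY = "0x" + "aa" * 20         # public proxy address (constructed)
AUDITED_IMPL = "0x" + "bb" * 20  # implementation the audit covered (constructed)
SHADOW = "0x" + "cc" * 20        # unexpected contract in the middle (constructed)


def first_hops(frame, proxy):
    """Return the code addresses the proxy delegatecalls to directly.

    `frame` is a call tree shaped like geth's callTracer output.
    """
    hops = []
    if frame["to"].lower() == proxy.lower() and frame["type"] != "DELEGATECALL":
        hops += [c["to"].lower() for c in frame.get("calls", [])
                 if c["type"] == "DELEGATECALL"]
    for child in frame.get("calls", []):
        hops += first_hops(child, proxy)
    return hops


def check_proxy(trace, proxy, expected_impl, deploy_tx, init_tx):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    hops = first_hops(trace, proxy)
    if not hops:
        findings.append("proxy made no delegatecall in this trace")
    for hop in hops:
        if hop != expected_impl.lower():
            findings.append(f"proxy delegates to {hop}, not the audited implementation")
    # A separate initialization transaction leaves a window for front-running.
    if init_tx != deploy_tx:
        findings.append("initialization was not atomic with deployment; verify who sent it")
    return findings


# Constructed traces: a direct proxy, and one with a contract in the middle
# that forwards to the audited code.
CLEAN = {"type": "CALL", "to": PROXY, "calls": [
    {"type": "DELEGATECALL", "to": AUDITED_IMPL, "calls": []}]}
HIJACKED = {"type": "CALL", "to": PROXY, "calls": [
    {"type": "DELEGATECALL", "to": SHADOW, "calls": [
        {"type": "DELEGATECALL", "to": AUDITED_IMPL, "calls": []}]}]}

if __name__ == "__main__":
    print(check_proxy(CLEAN, PROXY, AUDITED_IMPL, "0xd1", "0xd1"))
    for finding in check_proxy(HIJACKED, PROXY, AUDITED_IMPL, "0xd1", "0xf2"):
        print("FINDING:", finding)
```

In practice the trace would come from a node's tracing API run against a call to the proxy, and the expected implementation address from the deployment record rather than from the explorer.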
USPD Pursues Investigation and Offers Bounty to Attacker
In response to the attack, USPD has announced that it is collaborating closely with law enforcement and whitehat security groups to trace and freeze the stolen funds. "We have flagged the attacker’s addresses with all major CEXs and DEXs to freeze the flow of funds," the team revealed.
The protocol also indicated a willingness to resolve the situation with the attacker by offering a standard 10% bug bounty if the funds are returned. USPD promised to cease all law enforcement actions if the offer was accepted and encouraged the attacker to contact them directly or return 90% of the stolen assets to see the matter resolved.
"We are devastated that despite rigorous audits and adherence to best practices, we fell victim to this emerging and highly complex attack vector. We are doing everything in our power to recover assets," USPD communicated to its community.
According to CoinMarketCap, the stablecoin's peg to the US dollar has remained unaffected thus far. However, its trading volume has decreased by 20% within the last 24 hours, settling around $2.56 million.
Historically, DeFi stablecoin protocol breaches have been more substantial than the current incident involving USPD. For instance, the Euler Finance hack in 2023 resulted in losses exceeding $197 million after stablecoins were drained from its lending pools.
Recent DeFi Exploits Highlight Ongoing Security Challenges
In recent events, Yearn Finance became the latest protocol to suffer an exploit on its liquid-staking index token yETH. The perpetrator managed to mint an effectively unlimited number of tokens, leading to the theft of approximately $3 million in ETH.
Yearn Finance had previously experienced a $9 million exploit in its yETH stableswap pool on November 30. As reported previously, the protocol has already initiated the recovery of stolen funds, successfully reclaiming $2.39 million, which will be returned to affected depositors.
Balancer, another DeFi protocol, which lost $128 million through a v2 breach, announced plans last week to reimburse approximately $8 million to its liquidity providers.

