What happened — briefly
The DeFi protocol USPD came under attack from a hacker: the attacker managed to withdraw crypto assets $BTC amounting to approximately $1 million. According to the USPD team, an unknown individual provided a collateral of 3122 $ and, in one transaction, issued 98 million USPD tokens. This exceeds the collateral by 10 times. In addition, the attacker received 237 stETH, and part of the funds was later exchanged for 300,000 USDC through the decentralized exchange Curve.
After discovering the attack, the developers urged users to halt the purchase of USPD tokens and immediately revoke all previously granted permissions.
How the attack was implemented: CPIMP method
According to the USPD team, a complex attack vector was used for the hack—CPIMP (Clandestine Proxy In the Middle of Proxy). The stranger gained control of the proxy server long before the actual attack, then on September 16, launched a chain of commands through a Multicall3 transaction, allowing him to secretly gain administrative rights.
Using CPIMP, the attacker had complete control over the internal scripts of the protocol, allowing him to 'quietly' issue new tokens—bypassing standard checks.
Masking through a shadow contract
To hide manipulations from users, auditors, and blockchain explorers (e.g., Etherscan), the hacker implemented a 'shadow' contract. It redirected calls to a verified contract, creating the illusion of normal operation. Meanwhile, the attacker spoofed events and storage slots, so the protocol appeared legitimate from external scrutiny.
Ultimately, the hacker controlled the smart contract for several months until he activated the issuance of tokens and withdrew funds.
USPD's response and security measures
The USPD team quickly responded to the incident: cybersecurity specialists, cryptocurrency exchanges, and—if necessary—law enforcement agencies were involved in the investigation and tracking of fund movements.
The developers suggested that the hacker return 90% of the stolen assets, agreeing that in this case, he could be considered a 'white hat'—a person who identifies and reports bugs.
Users are advised:
do not acquire USPD tokens;
immediately revoke all permissions for transactions with USPD;
carefully check which protocol they are interacting with;
use only known and trusted DeFi services.
Context: growing losses of crypto projects
According to analysts at PeckShield, in November 2025, losses from hacker attacks on cryptocurrency projects exceeded $194 million—almost 10 times more than in October, when losses amounted to about $18 million. This highlights how crucial it is to adhere to heightened security measures when working with DeFi, smart contracts, and stablecoins.
What users of cryptocurrency exchanges and DeFi platforms should consider
Even projects with a big name and large collateral can be vulnerable—do not rely on reputation.
Always check the permissions you grant to smart contracts; when in doubt—revoke them.
Use decentralized exchanges and platforms with proven security levels.
Watch for official announcements from developers, especially after major operations.
Output
The attack on USPD is another reminder that the DeFi ecosystem remains vulnerable. It is important for users, exchanges and developers to continuously raise security standards and vigilance. Without caution, even relatively large projects can fall victim to hackers.
