On September 11th, in the early hours, a multi-signature wallet lost $3.047 million in Decentralized USD (USDC), and the attacker verified a malicious contract on Etherscan, making it look like a legitimate authorized transaction.
Mark's wallet is missing $3.047 million in Decentralized USD. Just a few minutes ago, he felt that using a multi-signature wallet was very safe, requiring two signatures from four authorized signers to complete a transaction. The attacker 'verified' a malicious contract on Etherscan, and after Mark saw the green 'Verified' badge, he confidently completed the authorization.
It wasn't until the numbers on the screen jumped suddenly that he realized his carefully protected Decentralized USD assets had disappeared. The attackers quickly exchanged the funds for ETH and wiped all traces through Tornado Cash.
01 Invisible Attack
This is not just Mark's nightmare. The entire Decentralized USD ecosystem is facing an unprecedented crisis of trust.
The attackers specifically targeted cautious investors like Mark. They meticulously deployed a counterfeit Request Finance contract and verified it on Etherscan to make it appear completely legitimate. The attack occurred on September 11, but the malicious contract had already been deployed thirteen days earlier.
The attackers exploited the Safe Multi Send feature, disguising malicious authorizations as normal batch payment requests. Mark was completely unaware of the trap hidden within what seemed like normal operations when completing the transaction.
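A signer can review what a batch actually contains before approving it. The following is an added example, not code from Safe, Request Finance or the original article: it decodes a MultiSend payload and lists every ERC-20 approve() whose spender is not on the signer's allowlist. It assumes Safe's packed MultiSend entry layout (operation, to, value, data length, data); the function names and the sample addresses are constructed for illustration.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # ERC-20 approve(address,uint256)

def decode_multisend(packed: bytes):
    """Split packed MultiSend bytes: operation(1) | to(20) | value(32) | length(32) | data."""
    calls, pos = [], 0
    while pos < len(packed):
        if len(packed) - pos < 85:
            raise ValueError("truncated MultiSend entry header")
        operation = packed[pos]
        to = packed[pos + 1:pos + 21]
        value = int.from_bytes(packed[pos + 21:pos + 53], "big")
        size = int.from_bytes(packed[pos + 53:pos + 85], "big")
        data = packed[pos + 85:pos + 85 + size]
        if len(data) != size:
            raise ValueError("truncated MultiSend entry data")
        calls.append({"operation": operation, "to": "0x" + to.hex(), "value": value, "data": data})
        pos += 85 + size
    return calls

def flag_unlisted_approvals(calls, trusted_spenders):
    """Return (index, spender, amount) for each approve() to a spender outside the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for i, call in enumerate(calls):
        data = call["data"]
        if data[:4] == APPROVE_SELECTOR and len(data) >= 68:
            spender = "0x" + data[16:36].hex()  # address is right-aligned in a 32-byte word
            amount = int.from_bytes(data[36:68], "big")
            if spender not in trusted:
                findings.append((i, spender, amount))
    return findings

def pack(operation, to_hex, value, data):
    """Build one constructed MultiSend entry (used only for the sample below)."""
    head = bytes([operation]) + bytes.fromhex(to_hex) + value.to_bytes(32, "big")
    return head + len(data).to_bytes(32, "big") + data

# Constructed sample batch with placeholder addresses, not taken from the incident.
TOKEN, PAYEE, UNKNOWN = "aa" * 20, "bb" * 20, "cc" * 20
transfer = bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(PAYEE) + (1000).to_bytes(32, "big")
approve = APPROVE_SELECTOR + bytes(12) + bytes.fromhex(UNKNOWN) + (2**256 - 1).to_bytes(32, "big")
SAMPLE = pack(0, TOKEN, 0, transfer) + pack(0, TOKEN, 0, approve)

if __name__ == "__main__":
    for finding in flag_unlisted_approvals(decode_multisend(SAMPLE), {"0x" + PAYEE}):
        print(finding)
```

In the sample, the ordinary transfer passes and the unlimited approval to the unlisted address is reported, which is the kind of entry that sits unnoticed inside a batch payment.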
02 Failure of the Freezing Mechanism
More concerning is that the issuer's freezing mechanism seems to have failed. On February 24, 2025, the stablecoin bank @0xinfini suffered a hack, losing $49.5 million worth of Decentralized USD. The hackers exchanged all these USDC for DAI and then purchased 17,696 ETH.
Even in the face of such a massive theft, Circle, the issuer of Decentralized USD, failed to freeze the stolen assets in time. Researcher ZachXBT pointed out that Circle apparently failed to freeze the relevant funds in a timely manner after the attack, and some of the funds were even transferred through Circle's official cross-chain transfer protocol.
03 Code as Law?
There is a clear contradiction between the 'decentralized' promise of Decentralized USD and security practices. The x402bridge protocol suffered a security vulnerability just days after launch due to leaked management private keys, resulting in the theft of USDC from over 200 users, with total losses of approximately $17,693.
The root cause was how the private keys were stored. For user convenience, the protocol kept private keys on the server, and once those keys leaked, the hackers could take over all permissions. After the incident, the project team could only suspend activities and report to law enforcement.
04 Regulatory Dilemma
The passage of the GENIUS Act marks the formal entry of stablecoins into the regulatory spotlight. This first cryptocurrency law in U.S. history requires stablecoins to be pegged to the dollar at a 1:1 ratio, meaning that for every dollar of stablecoin issued, there must be an equivalent dollar or U.S. Treasuries held as collateral.
However, the Bank for International Settlements pointed out three major flaws of stablecoins: no central bank backing, lack of safeguards against illegal use, and no funding flexibility for loan generation. Experts are concerned that the disorderly growth of stablecoins may threaten public trust in currency and jeopardize financial stability.
05 New Type of Predator
Sandwich attacks have become another major threat in the DeFi space. On October 4, a user attempting to exchange 732,583 USDC for USDT on Uniswap v3 fell victim to a sandwich attack by MEV bots.
All six transactions experienced 100% slippage, and the user ultimately received only 18,636 USDT. The attack occurred on a USDC-USDT pool with liquidity exceeding $35 million, with the MEV bot trading ahead of the user's swaps and draining the liquidity.
Hayden Adams, founder of Uniswap Labs, suggested users set a lower slippage tolerance to avoid such losses, but more worryingly, some analysts believe that such transactions may be a disguise for money laundering.
Mark eventually contacted Request Finance, and the response was: "The vulnerability has now been fixed, but only one client was affected." This made him realize that even the seemingly safest Decentralized USD system could have fatal flaws at some stage.
As one of the cornerstones of decentralized finance, Decentralized USD is seeking a delicate balance between security, regulation, and practicality. Mark's $3,047,000 disappeared into the ocean of Ethereum addresses, and for the entire industry, this is not just a few losses, but a severe test of the basic commitments of decentralized finance.