Imagine launching what you believe is a bullet-proof stablecoin protocol. You paid top-tier auditors, ran countless tests, and even got that green “verified” badge on block explorers love to see. Then, three months later, someone quietly prints almost a hundred million of your tokens and walks away with a million dollars. No flash-loan wizardry, no reentrancy trick, just a patient ghost who was already inside the house.
That’s exactly what happened to USPD this week, and honestly, it’s one of the cleanest, scariest attacks I’ve seen in a while.
A Million Dollars Vanished Because of a Deployment Race
On December 5, the USPD team dropped a bombshell on Twitter: their protocol had been exploited. Roughly 98 million USPD tokens were minted out of thin air and used to pull 232 stETH (about $1M) from liquidity pools. The team immediately begged users not to buy the token and to revoke approvals.
But here’s the part that made my jaw drop: the attacker didn’t break the audited code. They never needed to. They simply won a race nobody knew was happening on September 16, the day the contracts were deployed.
What on Earth Is a “CPIMP” Attack?
The USPD team called it a CPIMP attack, short for Contract Proxy Initialization Manipulation via Multicall something that sounds made-up until you realize it’s terrifyingly real.
Most modern DeFi protocols use the proxy pattern: one immutable logic contract (the real code) and one lightweight proxy that forwards calls to it. This lets teams upgrade their protocol without changing addresses. The catch? Someone has to call initialize() after deployment and set the correct implementation address. If you’re half a second too slow, a bot can front-run that transaction and set themselves as the proxy admin.
That’s precisely what happened. The attacker watched the mempool, saw the deployment transaction, and slipped in a Multicall3 transaction right before the legitimate initialization. In a single atomic bundle they:
- Became the proxy admin
- Set a malicious implementation contract they controlled
- Immediately pointed that malicious implementation to forward every call to the real, audited contract
Result? From day one, the proxy was under attacker control, but every read function (balanceOf, totalSupply, even the implementation() getter) returned the legitimate values. Even block explorers showed the good contract because the attacker spoofed storage slots and events. Pure camouflage.
Three Months of Perfect Silence
For 90 days the attacker did absolutely nothing. No suspicious transfers, no testing, nothing. They just waited until liquidity was deep enough to make the drain worthwhile.
Then, in one transaction, they upgraded the proxy to a new malicious implementation that added an unrestricted mint function, minted 98 million USPD, swapped it all of it for stETH, and vanished.
“The audited logic was never the problem. The failure happened in the 0.3-second window between proxy deployment and initialization.”
— USPD core contributor
That quote should be printed and framed in every DeFi team’s office.
Why Audits Didn’t Catch This
Auditors check the code you give them. Most audit scopes explicitly exclude “deployment scripts” and “initialization procedures.” Teams often treat deployment as an ops problem, not a security problem. Huge mistake.
In my experience, I’ve seen projects spend $150k on audits yet deploy from a single EOA with no multisig and no timelock. It’s like installing a bank vault door on a cardboard building.
The Damage Report
- 98,000,000 USPD minted unauthorized
- 232 stETH removed (~$1,000,000 at time of writing)
- Token price collapsed from ~$1 to pennies
- All major bridges and DEXs have frozen USPD trading pairs
The team has opened a whitehat negotiation channel: return 90% of funds and keep 10% as a bounty. Standard practice these days, and honestly the only realistic path to partial recovery.
December Is Becoming the Cruelest Month
USPD isn’t alone. December 2025 is shaping up to be brutal:
- Upbit confirmed $30M stolen (suspected Lazarus Group)
- Yearn Finance legacy yETH contract exploited for $9M via infinite mint
- Multiple smaller protocols hit by flash-loan governance attacks
Total losses this month already north of $100M and we’re only five days in.
How Projects Can Actually Prevent This
Good news: the fix isn’t even that complicated. Here are the defenses gaining traction right now:
- Use a factory pattern that deploys proxy + implementation + initialization in one atomic transaction (OpenZeppelin’s new ProxyFactory does this)
- Deploy via a 6-of-10 multisig with 24-hour timelock
- Use UUPS proxies where upgradeability is controlled by the implementation itself (makes proxy admin irrelevant)
- Run a private mempool or use services like Blocknative Protect during deployment
- Add a “deployment guardian” contract that only allows initialization from a pre-approved address
Any one of these would have stopped the USPD attack cold.
The Bigger Picture for Stablecoins
Stablecoins are supposed to be the “safe” part of DeFi. When a decentralized dollar can lose peg because someone sneezed during deployment, it shakes confidence across the entire ecosystem.
I’ve been saying this for years, but maybe this is the incident that finally forces teams to treat deployment with the same paranoia they treat tokenomics.
Because right now, the attackers aren’t getting smarter, they’re just getting more patient. And patience, unlike code bugs, doesn’t get patched.
Stay safe out there. Revoke those approvals if you ever interacted with USPD, and maybe give your favorite protocol’s deployment scripts a second look. You never know who might have been sitting quietly in the proxy admin seat for the last three months.
