USPD stablecoin protocol falls prey to an advanced CPIMP attack costing 1M. During deployment, Hacker took control and went underground, taking months before emptying the coffers.
A critical exploit was confirmed by the USPD protocol. The attacker minted 98 million USPD tokens. About 232 stETH was liquidated out of liquidity pools.
As per the USPD on X, users need to stop purchasing the USPD. The group put out a security emergency warning 20 hours ago. Every approval is to be canceled immediately.
Source: USPD on X
Hidden Attack Went Unnoticed Since September
It was not a code vulnerability breach. USPD was audited by Nethermind and Resonance regarding security. The logic of smart contracts was not compromised in the incident.
Rather, attackers used a CPIMP attack vector. This abbreviates Clandestine Proxy in the Middle of Proxy. The adventure took place on deployment on the 16th of September.
The Multicall3 transaction was used to initialize the proxy with the aid of the hacker. Before deployment scripts would complete, admin privileges were stolen. A shadow implementation sent calls to the valid audited code.
Etherscan Verification Tools Fooled Completely
The presence of the attacker was hidden by the manipulation of the event payload. Storage slot spoofing played around the Etherscan verification system. The site portrayed audited contracts as ongoing implementations.
This camouflage avoided every verification tool as tweeted by USPD_io on X. Security checks performed manually did not reveal any suspicious items. The hacker was lurking in full view for months.
Proxy upgrades were available yesterday by accessing a proxy via a hidden means. Unlicensed coins struck the world with tokens. Minting operations are followed by the draining of liquidity.
You might also like: Crypto Hack News: North Korean Hackers Exploit EtherHiding for Crypto Thefts
Law Enforcement and CEXs Now Tracking Stolen Funds
USPD representatives marked out the addresses of attackers with significant exchanges. Notifications were made on both centralized and decentralized platforms. Now, fund flow monitoring is operational on platforms.
There are two addresses under investigation. Infector wallet = 0x7C97313f349608f59A07C23b18Ce523A33219d83. Drainer address = 0x083379BDAC3E138cb0C7210e0282fbC466A3215A.
The team provided a whitehat resolution path. Attackers can refund 90 percent of stolen funds. When funds are recovered, law enforcement will be halted.
The USPD officials have assured a technical post-mortem shortly. Transparency in the community is still a priority. The recovery process goes on with major security organizations.
The protocol showed how new attack vectors are putting security to the test. This advanced attack was not thwarted by even the stringent audits. An industry-wide implication is now being looked at.