USPD Protocol Security Breach
The USPD protocol has recently announced a significant security breach that has resulted in unauthorized minting and the draining of substantial funds. In a statement released on December 5, USPD reported that an intruder had taken control of its proxy contract several months prior, allowing them to create approximately 98 million USPD tokens and withdraw around 232 stETH tokens, equating to nearly $1 million in losses. In light of the situation, USPD has advised its users to refrain from purchasing the token and to revoke any approvals immediately.
Details of the Attack
The protocol asserted that the underlying code and smart contracts, which had undergone audits by respected firms such as Nethermind and Resonance, were not to blame for the breach. Instead, it identified the attack as a “CPIMP” (Contract Proxy Initialization Manipulation Protocol) exploit, which specifically targets the window between a proxy contract's deployment and its initialization. On September 16, the attacker front-ran the initialization with a Multicall3 transaction, seizing administrative access before the deployment script had finished and inserting a concealed proxy implementation into the system.
To hide the takeover from users and auditors, the attacker installed a shadow contract that forwarded calls to the legitimate audited contract. The deception was reinforced by manipulating event data and storage slots so that block explorers displayed only the genuine proxy implementation, which allowed the attacker to retain control for several months before executing the minting transaction that drained the protocol's reserves.
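As an added illustration (not USPD's code and not taken from the article), the two-step deployment pattern that leaves the initialization window open, beside the atomic form that closes it. It is written for Foundry with OpenZeppelin Contracts 5.x; `VaultImpl` and `DeployVault` are hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts 5.x and forge-std. VaultImpl is a hypothetical
// implementation written for this example, not USPD's code.
import {Script} from "forge-std/Script.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract VaultImpl is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    // Lock the implementation contract itself: it must only ever be
    // initialized through a proxy, never directly.
    constructor() { _disableInitializers(); }

    // Whoever calls this first on a fresh proxy becomes owner and can
    // upgrade the proxy to any implementation they choose.
    function initialize(address admin) external initializer {
        __Ownable_init(admin);
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

contract DeployVault is Script {
    // VULNERABLE: proxy creation and initialize() are separate broadcast
    // transactions. Between them (or bundled into a multicall ahead of
    // them) anyone can call initialize() and take ownership.
    function deployThenInit(address admin) external returns (address proxy) {
        vm.startBroadcast();
        proxy = address(new ERC1967Proxy(address(new VaultImpl()), ""));
        VaultImpl(proxy).initialize(admin);
        vm.stopBroadcast();
    }

    // HARDENED: the initialize() calldata runs inside the proxy's own
    // constructor, so the proxy is never observable in an uninitialized state.
    function deployAtomic(address admin) external returns (address proxy) {
        bytes memory init = abi.encodeCall(VaultImpl.initialize, (admin));
        vm.startBroadcast();
        proxy = address(new ERC1967Proxy(address(new VaultImpl()), init));
        vm.stopBroadcast();
        // Post-deploy assertion: fail the script loudly if ownership is not
        // where we expect, instead of trusting an explorer's decoded view.
        require(VaultImpl(proxy).owner() == admin, "owner is not the expected admin");
    }
}
```

In the vulnerable variant a hijacked proxy only surfaces when the script's own `initialize` call reverts, by which point the attacker already holds the admin role; the atomic variant removes the window rather than detecting it afterwards.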
Response and Recovery Efforts
In response to the attack, USPD is collaborating with law enforcement agencies, security experts, and leading cryptocurrency exchanges to trace the stolen assets and prevent further illicit movements. The team has also offered the attacker a standard bug bounty, proposing to treat the return of 90% of the stolen assets as a whitehat recovery.
Impact on the DeFi Sector
This incident occurs during a troubling period for the decentralized finance (DeFi) sector, where exploit-related losses have already surpassed $100 million in December alone. Notably, South Korean exchange Upbit reported a $30 million breach attributed to the notorious Lazarus Group earlier this week. Investigators have revealed that attackers impersonated internal administrators to gain access, contributing to a staggering total of over $1 billion stolen this year through Lazarus-associated operations.
Furthermore, Yearn Finance was recently targeted, leading to a similar exploit involving its legacy yETH token contract, where attackers utilized a vulnerability to mint trillions of tokens in one transaction, draining approximately $9 million in assets.
Need for Improved Security Measures
The increasing sophistication of DeFi attacks, particularly those aimed at proxy contracts, administrative keys, and outdated systems, underscores the urgent need for improved security measures. In response, security teams are witnessing a growing interest in decentralized multi-party computation tools and enhanced deployment frameworks to mitigate the risk of such single-point failures in the future.