Arincen - USPD announced that it has suffered a serious breach after discovering that an attacker had controlled the protocol's proxy contract for several months without drawing attention. This allowed the attacker to mint millions of digital tokens and withdraw assets valued at over a million dollars before the attack was revealed.

The platform said in a statement on December 5 that the attacker minted about 98 million USPD and withdrew 232 stETH valued at around 1 million dollars. It warned users against purchasing the token during the current period and urged them to revoke any approvals related to it until the investigations are completed.

The team confirmed that the underlying smart contracts were not the source of the flaw, noting that they had been audited by companies such as Nethermind and Resonance. The breach instead came through a precise attack known as CPIMP, which targets the proxy contract deployment window. According to the investigations, the attacker front-ran the initialization phase on September 16 with a Multicall3 transaction, seizing administrator privileges before the deployment process was completed and planting a hidden, malicious version of the proxy implementation.

To conceal their presence, the attacker manipulated event data and storage slots, which caused blockchain explorers to display the legitimate implementation instead of the malicious version. This gave the attacker full control over the protocol for three months before they executed the malicious upgrade and performed the minting that drained the funds.
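
The two conditions described above (initialization sent as a separate, front-runnable transaction, and an explorer-visible implementation that differs from the contract that actually executes) can be checked after deployment. The following is an added example, not code from USPD or from this report: the record type, function names and finding codes are hypothetical, and the addresses and transactions are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """One transaction touching the proxy (hypothetical record, not a real API type)."""
    block: int
    index: int      # position inside the block, so (block, index) gives chain order
    sender: str
    action: str     # "deploy" or "initialize"

def _order(t):
    return (t.block, t.index)

def _same(a, b):
    return a.lower() == b.lower()

def audit_proxy(txs, deployer, expected_impl, impl_from_events, impl_from_trace):
    """Return finding codes; an empty list means the deployment matches expectations."""
    deploy = min((t for t in txs if t.action == "deploy"), key=_order)
    inits = sorted((t for t in txs if t.action == "initialize"), key=_order)
    if not inits:
        return ["uninitialized"]             # window is still open to any caller
    findings, first = [], inits[0]
    if _order(first) != _order(deploy):
        findings.append("init-window")       # init was a separate, front-runnable tx
    if not _same(first.sender, deployer):
        findings.append("init-foreign-sender")
    if not _same(impl_from_trace, expected_impl):
        findings.append("impl-mismatch")     # calls reach an unexpected contract
    if not _same(impl_from_events, impl_from_trace):
        findings.append("view-divergence")   # events disagree with actual execution
    return findings

# Constructed sample data: placeholder addresses, not taken from the incident.
TEAM, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
LEGIT_IMPL, HIDDEN = "0x" + "c3" * 20, "0x" + "d4" * 20

ATOMIC = [Tx(100, 7, TEAM, "deploy"), Tx(100, 7, TEAM, "initialize")]
FRONT_RUN = [Tx(100, 7, TEAM, "deploy"),
             Tx(101, 0, OTHER, "initialize"),   # lands before the team's own call
             Tx(101, 1, TEAM, "initialize")]

def demo():
    clean = audit_proxy(ATOMIC, TEAM, LEGIT_IMPL, LEGIT_IMPL, LEGIT_IMPL)
    hijacked = audit_proxy(FRONT_RUN, TEAM, LEGIT_IMPL, LEGIT_IMPL, HIDDEN)
    return clean, hijacked

if __name__ == "__main__":
    for name, result in zip(("atomic", "front-run"), demo()):
        print(name, result or "ok")
```

In practice `impl_from_trace` would come from a call trace on the team's own node rather than from an explorer, since the report states that the explorer view was the part being spoofed.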