A recent incident in the world of decentralized finance (DeFi) has drawn attention to vulnerabilities that can be exploited by attackers. A hacker exploited a vulnerability in the US Permissionless Dollar (USPD) protocol and withdrew over $1 million in liquidity.
How did the hack occur?
According to a report from the USPD team on social media, an unknown attacker deposited 3,122 ETH and minted 98 million USPD tokens in a single transaction. As a result, the amount of tokens created was ten times the initial deposit, and the hacker received an additional 237 stETH. The stolen crypto assets were exchanged for 300,000 USDC stablecoins through the decentralized exchange Curve.
After discovering the critical vulnerability in the protocol, USPD developers urged customers not to purchase USPD stablecoins and to immediately revoke all permissions.
CPIMP Attack Vector
The protocol team clarified that a sophisticated attack vector called CPIMP (Clandestine Proxy In the Middle of Proxy) was used for the hack. The attacker gained control of the proxy contract several months ago. On September 16, they initiated the initialization process using a Multicall3 transaction. Using CPIMP, the hacker was able to stealthily obtain administrative privileges and take full control over the protocol scripts, enabling them to launch unauthorized token issuance.
Shadow Contract
To hide the malicious configuration from users, auditors, and even the Ethereum block explorer Etherscan, the attacker implemented a shadow contract that forwarded calls to the verified contract. Using this camouflage, they manipulated event data and spoofed storage slots to trick block explorers into reporting the execution of a secure contract. This allowed the hacker to fully control the smart contract for several months until they updated the proxy contract and issued tokens to drain the protocol.
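A defender can catch this kind of camouflage by comparing the implementation address a proxy reports in storage with the code that actually runs when the proxy is called. The sketch below is an added example, not code from the USPD team or the original report. It assumes the proxy follows the EIP-1967 slot convention and that a transaction trace is available as nested call frames; the addresses, traces and function names are constructed for illustration.

```python
# Added example: every address and trace below is constructed sample data.
# EIP-1967 implementation slot, the storage slot explorers read to label a proxy.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
PROXY, IMPL, SHADOW = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
SLOT_WORD = "0x" + "00" * 12 + "bb" * 20  # storage at IMPL_SLOT reports IMPL

def frame(kind, to, calls=()):
    """Build one call frame (simplified, assumed tracer shape)."""
    return {"type": kind, "to": to, "calls": list(calls)}

CLEAN_TRACE = frame("CALL", PROXY, [frame("DELEGATECALL", IMPL)])
HIJACKED_TRACE = frame("CALL", PROXY, [
    frame("DELEGATECALL", SHADOW, [frame("DELEGATECALL", IMPL)])])

def slot_to_address(word):
    """Low 20 bytes of a 32-byte storage word as a lowercase address."""
    return "0x" + format(int(word, 16) & ((1 << 160) - 1), "040x")

def find_frame(node, address):
    """Depth-first search for the first frame whose target is `address`."""
    if node["to"].lower() == address.lower():
        return node
    for child in node["calls"]:
        hit = find_frame(child, address)
        if hit:
            return hit
    return None

def delegate_chain(node):
    """Code addresses reached by following nested DELEGATECALLs from a frame."""
    chain = []
    while node:
        node = next((c for c in node["calls"] if c["type"] == "DELEGATECALL"), None)
        if node:
            chain.append(node["to"].lower())
    return chain

def check_proxy(trace, proxy, slot_word):
    """Compare the implementation the slot reports with the code that really ran."""
    reported = slot_to_address(slot_word)
    entry = find_frame(trace, proxy)
    chain = delegate_chain(entry) if entry else []
    if not chain:
        return "no-delegatecall", reported, chain
    if chain[0] == reported:
        return "ok", reported, chain
    verdict = "proxy-in-the-middle" if reported in chain[1:] else "mismatch"
    return verdict, reported, chain
```

On the constructed hijacked trace the storage slot still names the verified implementation, but the first delegatecall hop lands on a different address, which is the signal worth alerting on.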
USPD Team Response
The USPD team stated that it has engaged law enforcement, security specialists, and major exchanges to investigate the incident and track the movement of funds. USPD developers offered the attacker a 90% refund as a reward for their cooperation, underscoring the seriousness of the situation and their commitment to recovering the lost funds.
In Conclusion
This incident serves as a reminder that even in the world of decentralized finance, where security and transparency are core principles, vulnerabilities exist that can be exploited by attackers. Development teams must continue to work to improve the security of their protocols to prevent similar attacks in the future.