uspd

According to CertiK Alert monitoring, the USPD contract suffered an attack resulting in a loss of approximately $1 million. The attacker executed the attack by manipulating stored data, and the entire attack process lasted for 2 months. Analysis indicates that the attack was divided into two phases: the attacker executed a legitimate initialization transaction in advance, adding a malicious intermediary to the USPD stabilizer; the attacker granted privileged roles to their contract through the malicious intermediary and exploited that privilege to carry out the attack 78 days later.

USPD protocol officially issued an emergency security alert, confirming that its protocol has encountered a serious security vulnerability attack, leading to unauthorized token minting and liquidity depletion.The attacker exploited an advanced attack technique called "CPIMP," executing proxy initialization ahead of time during the deployment process to gain hidden administrator privileges. By installing a "shadow" to implement and manipulate event data, the attacker successfully evaded verification tools, including Etherscan, and hid for months before using the privileges to mint approximately 98 million USPD and steal about 232 stETH. The USPD team has collaborated with law enforcement and security organizations to tag the attacker's address to freeze funds, while also expressing a willingness to treat the incident as a white hat rescue, stating that if 90% of the funds are returned, they will cease law enforcement actions.