USPD Stablecoin Drained for ~$1M in CPIMP 'Ghost' Proxy Exploit

USPD, a decentralized stablecoin protocol, confirmed a sophisticated CPIMP (Clandestine Proxy in the Middle of Proxy) exploit that drained roughly $1 million. The attacker hijacked proxy admin control during deployment on Sept. 16 via a Multicall3 transaction, initializing a hidden proxy implementation that forwarded calls to the audited contract while spoofing storage slots and events to evade verification tools. The attacker minted about 98 million USPD and liquidated ~232 stETH, removing liquidity and converting assets. Audits by Nethermind and Resonance found no logical code vulnerabilities; the incident exploited a deployment/configuration window rather than core contract logic. USPD published an emergency warning urging users not to buy USPD and to revoke token approvals, flagged two addresses for investigation (infector: 0x7C97313f349608f59A07C23b18Ce523A33219d83; drainer: 0x083379BDAC3E138cb0C7210e0282fbC466A3215A), and is coordinating with law enforcement, exchanges and security firms to trace funds. A whitehat-style recovery offer was announced: return 90% of stolen funds to avoid prosecution. Traders should expect elevated on-chain volatility for USPD and related liquidity pools, watch the flagged addresses and exchange delist or monitoring actions, and avoid buying USPD until a technical post-mortem and recovery status are confirmed.
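The deployment window described above, where a proxy is created in one step and initialized in another, can be checked after the fact from call traces. This is an added example, not code from USPD or its auditors; the trace records, placeholder addresses and the `audit_initialization` helper are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: simplified call-trace records for two proxies.
# Addresses and tx hashes are placeholders, not values from the incident.
@dataclass(frozen=True)
class Call:
    tx: str        # transaction hash
    block: int
    sender: str    # immediate caller of the proxy (msg.sender)
    proxy: str
    kind: str      # "create" or "initialize"

TRACES = [
    Call("0xtx01", 100, "0xDEPLOYER", "0xPROXY_A", "create"),
    Call("0xtx01", 100, "0xDEPLOYER", "0xPROXY_A", "initialize"),
    Call("0xtx02", 101, "0xDEPLOYER", "0xPROXY_B", "create"),
    Call("0xtx03", 101, "0xMULTICALL", "0xPROXY_B", "initialize"),
    Call("0xtx04", 102, "0xDEPLOYER", "0xPROXY_B", "initialize"),
]

def audit_initialization(traces, trusted):
    """Return {proxy: [findings]} for proxies whose first initialize call
    was not made atomically with creation by a trusted deployer."""
    findings = {}
    created = {c.proxy: c for c in traces if c.kind == "create"}
    first_init = {}
    for c in traces:  # traces are assumed to be in execution order
        if c.kind == "initialize":
            first_init.setdefault(c.proxy, c)
    for proxy, create in created.items():
        issues = []
        init = first_init.get(proxy)
        if init is None:
            issues.append("never initialized: still open to anyone")
        else:
            if init.tx != create.tx:
                issues.append("initialized in a later tx than creation")
            if init.sender not in trusted:
                issues.append(f"first initializer {init.sender} is not trusted")
        if issues:
            findings[proxy] = issues
    return findings

if __name__ == "__main__":
    for proxy, issues in audit_initialization(TRACES, {"0xDEPLOYER"}).items():
        print(proxy, "->", "; ".join(issues))
```

The check relies on the ordering of calls in the trace rather than on the proxy's storage slots or emitted events, which the article says were spoofed.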
Bearish
The exploit directly undermines confidence in USPD and its liquidity. The attacker minted large amounts of USPD and drained stETH liquidity, creating immediate sell pressure and technical risks for pools and pairs involving USPD. The protocol’s emergency warning and requests to revoke approvals signal heightened counterparty and on-chain risk; exchanges may delist or block trading, further reducing demand and liquidity. Short-term, expect price weakness, elevated volatility and potential depegging risk for USPD. In the medium term, recovery depends on asset recovery, the post-mortem’s findings, and whether exchanges resume normal operations; persistent doubts about deployment and proxy-layer security could suppress demand until technical fixes and proven remediation restore trust. Therefore, the expected price impact on USPD is negative ('bearish').