USPD Exploiter’s 78-Day Silence After Proxy Takeover Raises Alarms
The crypto underworld holds its breath as a major exploit goes quiet.
For over two months, the entity behind the USPD attack has operated in eerie silence. No boasts, no demands, no movement—just the chilling aftermath of a successful proxy takeover. The 78-day radio silence isn't a sign of retreat; it's a strategic pause that has the entire DeFi community on edge.
The Ghost in the Machine
Proxy takeovers represent one of the most sophisticated attack vectors in DeFi. By hijacking a protocol's administrative controls, attackers don't just steal assets—they become the protocol. This isn't a smash-and-grab; it's a quiet occupation. The exploiter doesn't need to make noise when they already control the levers.
The Waiting Game
Seventy-eight days of silence speaks volumes in an ecosystem built on transparency. While some might interpret this as the attacker lying low, seasoned analysts see it differently. This isn't hiding—it's waiting. Waiting for attention to shift, for security to relax, for the perfect market conditions to cash out without crashing the very assets they stole. It's the ultimate test of patience in an impatient industry.
The Unanswered Questions
What happens during those silent weeks? Forensic analysis suggests multiple possibilities: laundering infrastructure being established, cross-chain bridges being tested, or perhaps even negotiation channels being opened through backdoor communications. The absence of movement on-chain doesn't mean absence of activity—it means the activity has moved to places blockchain analysts can't see.
A Systemic Wake-Up Call
This incident exposes the fundamental tension in decentralized governance: the proxies designed to make protocols upgradeable also make them vulnerable. Every administrative key represents a potential single point of failure. The industry's rush to innovate has outpaced its ability to secure the very mechanisms that enable that innovation.
As the crypto markets continue their volatile dance—because what's finance without a little unnecessary drama?—this silent standoff serves as a stark reminder. The most dangerous threats aren't the loud ones making headlines; they're the quiet ones who've already won and are just waiting for everyone else to realize it.
24-second window leads to 78-day breach
As per Rekt’s analysis, the exploit hinged on USPD deploying its proxy and initializing it in separate transactions. Within 24 seconds of proxy deployment, the attacker front-ran the pending initialization, seizing admin privileges and embedding a “shadow” implementation.
The protocol functioned flawlessly for 78 days. Audits from Nethermind and Resonance confirmed the code was sound, but auditors never saw the malicious proxy injected during deployment. On December 4, the attacker struck: upgrading the proxy to malicious logic, minting 98 million USPD, draining 232 stETH, and converting roughly $300,000 into USDC.
Remaining funds, about $1 million, continue to sit in the attacker’s wallet, untouched.
The CPIMP vulnerability strikes again
The attack used CPIMP (Clandestine Proxy in the Middle of Proxy), a vulnerability that security teams patched across dozens of protocols during a July emergency effort. Firms like Dedaub, Venn Security, and SEAL 911 coordinated a 36-hour sweep that saved more than $10 million in assets.
According to Rekt’s breakdown, however, USPD never applied the recommended safeguards. While the audits certifying its logic were valid, the lack of atomic deployment left the front door open. Researchers argue the breach was preventable, as the same attack vector had compromised Kinto earlier this year.
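A post-deployment check for the deploy-then-initialize gap described above, as an added example that is not from Rekt's analysis or USPD's code. The `Tx` record shape, the finding names and every address are constructed for illustration; `slot_value` stands for the word read from the proxy's EIP-1967 implementation slot.

```python
# Added example: all addresses and transaction records below are constructed.
from dataclasses import dataclass, field

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

@dataclass
class Tx:
    block: int
    index: int                                    # position inside the block
    sender: str
    created: list = field(default_factory=list)   # contracts created by this tx
    events: list = field(default_factory=list)    # (emitter, event_name) pairs

def audit_proxy_deployment(txs, proxy, deployer, audited_impl, slot_value):
    """Return findings for one proxy; an empty list means every check passed.
    slot_value is the 32-byte word stored at IMPL_SLOT on the proxy."""
    ordered = sorted(txs, key=lambda t: (t.block, t.index))
    creation = next((t for t in ordered if proxy in t.created), None)
    if creation is None:
        return ["NO_CREATION_TX"]
    findings = []
    inits = [t for t in ordered if (proxy, "Initialized") in t.events]
    # Atomic deployment runs the initializer inside the creation transaction.
    if not inits or inits[0] is not creation:
        findings.append("NON_ATOMIC_INIT")
    # The sender of the first initializing transaction controls the proxy setup.
    if inits and inits[0].sender.lower() != deployer.lower():
        findings.append("FOREIGN_INITIALIZER")
    # The address occupies the low 20 bytes of the storage word.
    live_impl = "0x" + slot_value[-40:]
    if live_impl.lower() != audited_impl.lower():
        findings.append("UNAUDITED_IMPLEMENTATION")
    return findings

DEPLOYER, ATTACKER = "0x" + "d1" * 20, "0x" + "a7" * 20
PROXY, AUDITED, SHADOW = "0x" + "50" * 20, "0x" + "1e" * 20, "0x" + "5a" * 20

def slot(addr):  # left-pad an address to a 32-byte storage word
    return "0x" + "00" * 12 + addr[2:]

# Constructed timeline: proxy created, a third party initializes it first,
# and the deployer's pending initialize lands afterwards.
HIJACKED = [
    Tx(100, 3, DEPLOYER, created=[PROXY]),
    Tx(102, 0, ATTACKER, events=[(PROXY, "Initialized")]),
    Tx(102, 1, DEPLOYER),
]
ATOMIC = [Tx(100, 3, DEPLOYER, created=[PROXY], events=[(PROXY, "Initialized")])]
```

Running this against the live chain state right after deployment, before the protocol accepts deposits, covers the stage the code audits did not.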
7/ To the Attacker:
We are willing to view this as a whitehat rescue.
If you return the funds (minus a standard 10% bug bounty), we will cease all law enforcement actions and consider this matter resolved.
Contact us immediately on any channel you wish, or simply return 90% of…
USPD offered a 10% bounty for fund recovery, but December 8 activity shows some stolen ETH already routed through Tornado Cash.
Protocol’s bounce back
USPD plans to launch a rebuilt V2 in Q2 2026, introduce recovery pools funded by protocol revenue, and issue claim tokens to affected users. The team has also opened a private channel for the 230 impacted addresses.
Despite the exploit, the USPD stablecoin has maintained its dollar peg, though liquidity is down significantly. The protocol insists that no flaws existed in its smart contract logic, only in the handling of deployment.
The incident is poised to become a case study in DeFi risk management: audits alone are not enough, deployment must be secured, and known vulnerabilities cannot be ignored.

