USDP, a decentralised stablecoin protocol launched in September 2025, has been halted after a critical exploit on 4 December allowed an attacker to mint 98 million USDP and drain around $1 million in liquidity, including more than 230 stETH from pools.

According to the team’s alert, the USDP Exploit hinged on a CPIMP-style proxy attack. The exploiter front-ran the project’s Multicall3 deployment, seized admin rights over the upgradeable proxy, and installed a shadow implementation that quietly forwarded calls to the audited logic while emitting forged events. In practice, everything looked normal in block explorers and dashboards for months, even as the backdoor remained in place.

When they finally struck, the attacker deposited ETH, abused the hidden implementation to over-mint USDP, then dumped into stETH and other assets before routing part of the proceeds into USDC via Curve, for total takings just over $1 million. The team (previously audited by Nethermind and Resonance) has blacklisted the main attacker wallets with exchanges, offered a 10% bounty for return of funds and is coordinating with law enforcement. So far, there is no sign of recovery.

The guidance is blunt: do not buy USDP, revoke token approvals to the protocol contracts, and wait for a full post-mortem before assuming any fork or relaunch is safe. The USDP Exploit is a reminder that proxy initialisation races and “invisible” implementations sit outside the comfort zone of most auditors, and that onchain green ticks do not prove a system is secure.

Disclaimer
This article is for information only and does not constitute investment, legal or tax advice. Cryptoassets are high risk; do your own research.