defirisk.co
rubric v1.7.0

USPD: CPIMP (Clandestine Proxy In the Middle of Proxy) — front-run proxy initialization, shadow admin installation, 78-day dormancy, then mint + drain

Occurred: 2025-12-04 | Loss: $1M | Status: closed

Summary

USPD, categorized under Yield / Structured Products (stablecoin), was exploited on 2025-12-04, resulting in a loss of approximately $1M.

What happened

USPD's proxy was front-run in a 24-second initialization window on deployment day, installing a hidden middleman that forwarded all real function calls while sitting dormant for 78 days before minting $1M in unbacked tokens.

Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — the CPIMP attack targeted the deployment procedure, not the audited contract logic; audited implementation was the decoy]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — proxy deployment (the deployment event itself was the vulnerability)]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: 10% offered post-hack; no pre-hack bounty publicized]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — proxy upgrade on Dec 4 was the trigger (admin-controlled, but by attacker)]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Two-step proxy deployment visible in mempool Sept 16 (gap between deploy + initialize); privileged role grant to secondary contract Sept 17;...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — proxy upgrade on Dec 4 was the trigger (admin-controlled, but by attacker)]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Yes — proxy deployment (the deployment event itself was the vulnerability)]