How the CPIMP exploit worked
According to USPD, the attacker front-ran the proxy deployment on September 16, installing a shadow proxy that forwarded calls to the audited contract. Because its behavior matched the verified version, neither auditors nor monitoring tools detected anything suspicious.
The exploit went unnoticed for months, during which the attacker gradually minted 98 million USPD and withdrew 232–237 stETH, which immediately drained liquidity and shook user confidence.
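A post-deployment check for the shadow-proxy pattern described above, as an added example that is not from USPD or the original article: it compares the bytecode behind a proxy's implementation slot with the audited build and checks who initialized the proxy and in which transaction. The EIP-1967 slot, the snapshot layout and every address and bytecode value are assumptions constructed for illustration.

```python
# Constructed snapshot for illustration; none of these values are USPD's.
# Assumption: the proxy keeps its implementation in the EIP-1967 slot.
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ZERO = "0x" + "00" * 20

def slot_to_address(word: str) -> str:
    """Address stored in the low 20 bytes of a 32-byte storage word."""
    raw = bytes.fromhex(word.removeprefix("0x").rjust(64, "0"))
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + raw[12:].hex()

def check_proxy(snapshot: dict, proxy: str, audited_code: bytes) -> list:
    """Return findings where on-chain state diverges from the audited deployment."""
    acct = snapshot["accounts"][proxy]
    impl = slot_to_address(acct["storage"].get(EIP1967_IMPL_SLOT, "0x0"))
    if impl == ZERO:
        return ["implementation slot is empty"]
    findings = []
    # Compare runtime bytecode, not behaviour: a forwarder behaves like its target.
    if snapshot["accounts"].get(impl, {}).get("code", b"") != audited_code:
        findings.append(f"{impl} in the implementation slot is not the audited bytecode")
    # Separate deployment and initialization transactions leave a front-running window.
    if acct["deploy_tx"] != acct["init_tx"]:
        findings.append("initialized in a different transaction than deployment")
    if acct["init_sender"] != snapshot["deployer"]:
        findings.append(f"initializer called by {acct['init_sender']}, not the deployer")
    return findings

def word(addr: str) -> str:
    """Left-pad an address to a 32-byte storage word (helper for the sample data)."""
    return "0x" + "00" * 12 + addr[2:]

AUDITED_CODE = bytes.fromhex("6080604052aabbccdd")    # constructed stand-in bytecode
FORWARDER_CODE = bytes.fromhex("363d3d373d3d3d363d")  # constructed stand-in bytecode
DEPLOYER, OTHER = "0x" + "d1" * 20, "0x" + "e2" * 20
LOGIC, SHADOW = "0x" + "a1" * 20, "0x" + "b2" * 20
CLEAN, SHADOWED = "0x" + "c3" * 20, "0x" + "c4" * 20
SNAPSHOT = {"deployer": DEPLOYER, "accounts": {
    LOGIC: {"code": AUDITED_CODE}, SHADOW: {"code": FORWARDER_CODE},
    CLEAN: {"storage": {EIP1967_IMPL_SLOT: word(LOGIC)},
            "deploy_tx": "0x01", "init_tx": "0x01", "init_sender": DEPLOYER},
    SHADOWED: {"storage": {EIP1967_IMPL_SLOT: word(SHADOW)},
               "deploy_tx": "0x02", "init_tx": "0x03", "init_sender": OTHER}}}

if __name__ == "__main__":
    for name in (CLEAN, SHADOWED):
        print(name, check_proxy(SNAPSHOT, name, AUDITED_CODE) or "ok")
```

In a live pipeline the snapshot fields would be filled from the node's storage, code and transaction data for the proxy address rather than from an explorer's rendered view.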
Compensation through claim tokens
USPD will compensate affected users using claim tokens. Each user will receive them at a 1:1 ratio, based on balances recorded just before the exploit.
The team also launched a dedicated recovery pool funded only by protocol revenue, not the community treasury. Funds from the treasury will be used only after compensation is completed. A private Telegram channel will also be opened for affected users to receive updates and provide feedback during the V2 rollout.
What changes in USPD V2?
USPD says its V1 “auto-yield” mechanism caused friction across DeFi platforms that depend on explicit balance updates. Apps like Aave and Uniswap malfunction when balances change without transfer events.
Instead of a wrapped token solution, USPD V2 will integrate compatibility directly into the core token model. Planned upgrades include:
- a unified token design,
- integrated yield tiers,
- a simplified architecture,
- resolved contract-size and dependency issues.
Privacy will also be included by default, with Railgun integration under evaluation.
The team stated that stabilizers will move hedge operations to on-chain perpetual markets, reducing dependence on centralized exchanges and providing more transparency.