See line 199 (for 1.0.2.Final):

// reset the cause, so we can de-serialize them individual
SecurityActions.setFieldValue(Throwable.class, original, "cause", causeProxy.createException());

For the root cause of an exception, causeProxy will always be null and so a NullPointerException is thrown.

As the code is wrapped in a try block with follwoing catch block:

catch (Throwable e) // ClassNotFoundExcpetion / NoClassDefFoundError
{
    // ignore, could not load class on client side, move on and create a fake 'proxy' later
    deserializationProblem = true;
}

the NPE is caught and is "expected" to be a ClassNotFoundExcpetion or NoClassDefFoundError which is clearly not the case.

Possible fix:
original.cause should only be overwritten when causeProxy is not null.

More context information:
I came across this problem while trying to find the reason for an unexpected ArquillianProxyException:

org.jboss.arquillian.test.spi.ArquillianProxyException: javax.ejb.EJBException : javax.persistence.OptimisticLockException [Proxied because : Original exception not deserilizable, ClassNotFoundException]

The root problem was not the NPE, but the ClassNotFoundException mislead me and so I debugged ExceptionProxy.
I my case there is an InvalidClassException because of an older hibernate version on the client side.
So that is another problem of ExceptionProxy as it assumes that only ClassNotFoundExcpetion or NoClassDefFoundError can occur!