Briefing

On September 22, 2025, the UXLINK Web3 social infrastructure project suffered a severe exploit due to a critical delegateCall vulnerability within its multi-signature wallet. This compromise granted attackers full administrative control, leading to the unauthorized minting of billions of UXLINK tokens and a subsequent market capitalization loss of nearly $70 million. The incident resulted in the draining of approximately $11.3 million in various assets, including stablecoins, ETH, and WBTC, directly impacting user and protocol liquidity.

Context

Prior to this incident, the prevailing attack surface for many decentralized finance (DeFi) protocols included risks associated with centralized administrative controls and insufficiently audited smart contract logic. Reliance on multi-signature wallets, while intended to enhance security, often introduces complexity that can be exploited if the wallet is not rigorously secured against common weaknesses such as unsafe delegateCall usage or improper access management. This incident underscores a known class of vulnerability in which administrative privileges, if not adequately protected, become a single point of failure.

Analysis

The attack leveraged a delegateCall flaw within UXLINK’s multi-signature wallet, allowing the threat actor to execute arbitrary code and seize administrative control of the contract. Because delegateCall runs the target’s code in the calling contract’s own storage context, code reached through it can overwrite the wallet’s state, including the entries that record who its administrators are. This technical manipulation enabled the attacker to remove existing administrators and install their own address as the new owner. With elevated privileges, the attacker proceeded to mint an estimated 2 billion UXLINK tokens, which were then rapidly sold across decentralized exchanges for approximately $28.1 million in ETH. The exploit was further exacerbated by lax controls on token minting and the absence of a hard-coded supply cap, demonstrating a critical failure in the protocol’s architectural security.

Parameters

  • Protocol Targeted ∞ UXLINK
  • Attack Vector ∞ DelegateCall Vulnerability in Multi-signature Wallet
  • Initial Financial Impact ∞ $11.3 Million (estimated, up to $30 million by some reports)
  • Assets Drained ∞ Stablecoins, ETH, WBTC, and 490 Million Native UXLINK Tokens
  • Token Minted ∞ Billions of unauthorized UXLINK tokens (initially 2 billion, up to 10 trillion estimated)
  • Market Capitalization Loss ∞ Nearly $70 Million
  • Blockchain(s) Affected ∞ Ethereum, Arbitrum
  • Date of Exploit ∞ September 22, 2025
  • Attacker’s Subsequent Loss ∞ $48 Million to Phishing Scam

Outlook

Immediate mitigation for protocols involves a comprehensive review of all multi-signature wallet implementations, specifically auditing for delegateCall vulnerabilities and ensuring robust access control mechanisms. Protocols must implement timelocks for sensitive administrative actions, renounce minting privileges post-launch, and hard-code supply caps to prevent unauthorized token issuance. This incident also highlights the contagion risk for similar projects relying on centralized governance structures, necessitating a shift towards more decentralized governance and the integration of emergency stop functions. For users, heightened vigilance against phishing attempts remains paramount, as evidenced by the attacker’s own subsequent loss.
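
The three contract-level controls named above (a hard-coded supply cap, a minting role that can be renounced after launch, and an emergency stop) as an added Solidity illustration; this is not UXLINK’s code, and every contract, function and variable name in it is assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not UXLINK's code: a mintable token whose supply is
/// bounded by a compile-time constant, whose minting role is renounceable,
/// and which has an emergency stop. All names here are assumed.
contract CappedToken {
    // Hard-coded cap: no admin, however the role was obtained, can raise it.
    uint256 public constant MAX_SUPPLY = 1_000_000_000 * 10 ** 18;

    address public owner;   // governance; ideally a timelocked multisig
    address public minter;  // address(0) once minting is renounced
    bool public paused;     // emergency stop for transfers
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address initialMinter) {
        owner = msg.sender;
        minter = initialMinter;
    }

    /// Bounded by MAX_SUPPLY whoever holds the role: seizing it cannot inflate supply without limit.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    /// One-way: afterwards no caller can satisfy the minter check, so mint() is dead.
    function renounceMinting() external {
        require(msg.sender == minter, "not minter");
        minter = address(0);
    }

    /// Emergency stop: governance halts transfers while an incident is triaged.
    function setPaused(bool value) external onlyOwner { paused = value; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!paused, "paused");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

The cap is enforced inside mint() itself rather than by the caller, so it holds even if the minter role is taken over; the multisig that holds owner should additionally avoid exposing delegateCall to attacker-influenced targets, since that is how its own storage is rewritten.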

The UXLINK exploit serves as a critical reminder that even foundational security components like multi-signature wallets require rigorous auditing and decentralized design principles to prevent catastrophic administrative control takeovers and subsequent asset drains.

Signal Acquired from ∞ cointelegraph.com

Micro Crypto News Feeds

delegatecall vulnerability

Definition ∞ A delegatecall vulnerability is a critical security flaw specific to Ethereum smart contracts that utilize the delegatecall opcode, which executes another contract’s code in the calling contract’s storage context.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

administrative control

Definition ∞ Administrative control denotes the authority an individual or entity possesses over a digital system, protocol, or asset.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

stablecoins

Definition ∞ Stablecoins are a class of digital assets designed to maintain a stable value relative to a specific asset, typically a fiat currency like the US dollar.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

market capitalization

Definition ∞ Market capitalization is a metric representing the total value of a cryptocurrency or digital asset.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

phishing scam

Definition ∞ A phishing scam is a fraudulent attempt to acquire sensitive information, such as usernames, passwords, or private keys, by impersonating a trustworthy entity.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.