Skip to main content
Security

UXLINK Multi-Signature Wallet Compromised via DelegateCall Vulnerability

A critical `delegateCall` vulnerability in UXLINK's multi-signature wallet enabled unauthorized administrative control and asset drainage, exposing systemic access control failures.
September 25, 20253 min

A futuristic device with a transparent blue shell and metallic silver accents is displayed on a smooth, gray surface. Its design features two circular cutouts on the top, revealing complex mechanical components, alongside various ports and indicators on its sides
A luminous, multifaceted blue crystal structure, shaped like an 'X' or a cross, is depicted with polished metallic components at its intersections. The object appears to be a stylized control mechanism, possibly a valve, set against a blurred background of blues and greys, with frosty textures on the lower left

Briefing

On September 22, 2025, the UXLINK Web3 social infrastructure project suffered a significant security incident involving its multi-signature wallet. Attackers exploited a delegateCall vulnerability, gaining unauthorized administrative control and subsequently draining approximately $11.3 million in various assets, including stablecoins and wrapped Bitcoin. The breach also led to the unauthorized minting of 2 billion UXLINK tokens, causing a 70% token price collapse and erasing $70 million in market capitalization. This event underscores the critical risks associated with smart contract design flaws and inadequate access controls within decentralized protocols.

The artwork displays a central white sphere surrounded by a dynamic interplay of white rings and segmented, deep blue elements, all interwoven with fine, transparent lines. This abstract composition evokes the multifaceted nature of decentralized finance DeFi and the underlying blockchain architecture

Context

Prior to this incident, the prevailing attack surface in DeFi often included vulnerabilities in cross-chain bridges, oracle manipulation, and reentrancy exploits. While multi-signature wallets are generally considered a robust security measure, this exploit highlights a persistent class of vulnerability related to their implementation ∞ specifically, weak access controls and governance within the underlying smart contract logic. The absence of fundamental safeguards, such as a hardcoded supply cap or emergency stop mechanisms, exacerbated the impact of the compromise.

A close-up view presents a sophisticated metallic device, predominantly silver and blue, revealing intricate internal gears and components, some featuring striking red details, all situated on a deep blue backdrop. A central, brushed metal plate with a bright blue circular ring is partially lifted, exposing the complex mechanical workings beneath

Analysis

The incident’s technical mechanics centered on a delegateCall vulnerability within UXLINK’s multi-signature wallet smart contract. This critical flaw allowed the attacker to bypass existing security protocols, effectively removing legitimate administrators and installing their own address as the wallet’s owner. With elevated privileges, the threat actor initiated immediate asset drainage, transferring $4.5 million in stablecoins and 3.7 WBTC.

Concurrently, the attacker leveraged the compromised administrative control to mint 2 billion UXLINK tokens without authorization, demonstrating a severe lack of supply cap enforcement and weak access control mechanisms in the smart contract design. The success of this attack was rooted in the ability to manipulate the contract’s administrative functions, highlighting a fundamental design flaw rather than a simple code bug.

The image displays a gleaming, multi-element lens system, possibly representing a secure access point, aligned with a vibrant, spherical structure composed of intricate, interlocking blue and black digital blocks. This sphere evokes the complex architecture of a blockchain network, where each block contains hashed transaction data

Parameters

  • Protocol Targeted ∞ UXLINK
  • Attack Vector ∞ DelegateCall Vulnerability (Multi-signature Wallet Compromise)
  • Initial Financial Impact ∞ $11.3 Million
  • Assets Drained ∞ $4.5M Stablecoins, 3.7 WBTC, ETH, USDC
  • Unauthorized Token Minting ∞ 2 Billion UXLINK Tokens
  • Market Cap Loss ∞ $70 Million
  • Attacker’s Subsequent Loss ∞ $48 Million to Phishing Scam
  • Date of Exploit ∞ September 22, 2025

A close-up view reveals a sleek, translucent device featuring a prominent metallic button and a subtle blue internal glow. The material appears to be a frosted polymer, with smooth, ergonomic contours

Outlook

Immediate mitigation steps for users include exercising extreme caution with UXLINK tokens and monitoring official announcements regarding the emergency token swap. This incident will likely establish new security best practices emphasizing rigorous, multi-layered audits of multi-signature wallet implementations, particularly focusing on delegateCall usage and access control logic. Protocols must implement robust supply caps, timelocks, and emergency stop mechanisms as standard. The event also underscores the contagion risk for similar protocols with centralized administrative functions or poorly audited multi-signature wallet designs, necessitating a proactive review of their security posture.

The UXLINK delegateCall exploit serves as a stark reminder that even seemingly secure multi-signature architectures remain vulnerable to fundamental smart contract design flaws, demanding continuous, rigorous security validation across the digital asset landscape.

Signal Acquired from ∞ ainvest.com

Micro Crypto News Feeds

delegatecall vulnerability

Definition ∞ A delegatecall vulnerability is a critical security flaw specific to Ethereum smart contracts that utilize the delegatecall opcode.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

administrative control

Definition ∞ Administrative control denotes the authority an individual or entity possesses over a digital system, protocol, or asset.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

stablecoins

Definition ∞ Stablecoins are a class of digital assets designed to maintain a stable value relative to a specific asset, typically a fiat currency like the US dollar.

token minting

Definition ∞ Token minting is the process by which new digital tokens are created and introduced into circulation on a blockchain.

phishing scam

Definition ∞ A phishing scam is a fraudulent attempt to acquire sensitive information, such as usernames, passwords, or private keys, by impersonating a trustworthy entity.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

access control

Definition ∞ Access control dictates who or what can view or use resources within a digital system.

Tags:

Tags: