
Briefing

On September 22, 2025, the UXLINK Web3 social infrastructure project suffered a significant security incident due to a delegateCall vulnerability within its multi-signature wallet. This exploit granted attackers unauthorized administrative control, enabling them to mint billions of UXLINK tokens and drain approximately $11.3 million in various cryptocurrencies, including stablecoins and Wrapped Bitcoin. The immediate consequence was a drastic 70% collapse in the UXLINK token’s market price, wiping out $70 million in market capitalization within hours. Compounding the incident, the attacker subsequently lost $48 million of the stolen UXLINK tokens to a phishing scam, highlighting the inherent risks even for malicious actors within the DeFi ecosystem.


Context

Prior to this incident, the digital asset landscape, particularly within DeFi, had consistently faced persistent vulnerabilities in access control and smart contract design. While cryptographic and bridge security saw improvements in 2024, the UXLINK exploit underscores that fundamental flaws, such as inadequate supply caps and weak administrative controls in seemingly secure multi-signature wallet implementations, remain a critical attack surface. The prevailing risk factors included a lack of robust audit scrutiny on multi-signature setups and the absence of safeguards such as timelocks or emergency stop mechanisms.


Analysis

The UXLINK incident’s technical mechanics centered on a delegateCall vulnerability within the project’s multi-signature wallet. Because delegatecall runs the called code against the calling contract’s own storage, this flaw allowed the attacker to execute arbitrary code in the wallet’s storage context, removing the existing administrators and installing their own address as the wallet’s owner. With this elevated administrative control, the attacker was able to mint an unauthorized 2 billion UXLINK tokens, leading to severe token inflation and the subsequent price collapse. The success of this attack was directly attributable to critical design flaws in UXLINK’s smart contract, including the absence of a hardcoded supply cap and insufficient access controls, which failed to prevent the unauthorized minting and asset drainage.


Parameters

  • Protocol Targeted ∞ UXLINK
  • Attack Vector ∞ DelegateCall Vulnerability in Multi-Signature Wallet
  • Initial Financial Impact ∞ $11.3 Million (stolen assets)
  • Token Price Drop ∞ 70% (from $0.30 to $0.09)
  • Market Cap Erased ∞ $70 Million
  • Unauthorized Tokens Minted ∞ Billions (initially 2 billion, later estimated up to 10 trillion)
  • Attacker’s Subsequent Loss ∞ $48 Million (to phishing scam)
  • Affected Asset ∞ UXLINK token, stablecoins, WBTC, ETH, USDC
  • Blockchain Affected ∞ Ethereum (new contract deployment)


Outlook

In the immediate aftermath, UXLINK has initiated an emergency token swap and is deploying a new Ethereum contract that removes the mint-burn function to prevent future incidents. For users, exercising extreme caution with UXLINK tokens and participating in the official token swap is paramount. This incident will likely establish new security best practices, emphasizing the critical need for comprehensive audits of multi-signature wallet implementations, the integration of timelocks for sensitive operations, and hardcoded supply caps within smart contracts. The contagion risk extends to other DeFi protocols that might rely on similar multi-signature wallet designs or lack robust access control mechanisms, underscoring the necessity for systemic security posture re-evaluation across the ecosystem.
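As an added illustration of the safeguards the Analysis and Outlook sections call for (example code written for this briefing, not UXLINK’s contracts, which the briefing does not show): a wallet whose privileged execute path uses call rather than delegatecall and only against allow-listed targets, an owner rotation that sits behind a timelock, and a token with a hardcoded supply cap. Contract names, the 2-day delay and the cap value are constructed assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hardened wallet shape. A delegatecall would run the target's code against THIS
// contract's storage, so a write to slot 0 would replace `owner`; plain call()
// keeps the target in its own storage, and targets must be allow-listed first.
contract GuardedWallet {
    uint256 public constant DELAY = 2 days;                 // constructed value
    address public owner;                                   // storage slot 0
    address public pendingOwner;
    uint256 public ownerChangeReadyAt;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setAllowedTarget(address t, bool ok) external onlyOwner { allowedTarget[t] = ok; }

    function execute(address target, bytes calldata data) external onlyOwner {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);                    // wallet storage untouched
        require(ok, "exec failed");
    }

    // Timelocked owner rotation: the change is visible on-chain for DELAY before
    // it can take effect, giving monitoring and an emergency response a window.
    function proposeOwner(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        ownerChangeReadyAt = block.timestamp + DELAY;
    }
    function acceptOwner() external {
        require(msg.sender == pendingOwner && block.timestamp >= ownerChangeReadyAt, "timelock");
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}

// Hardcoded supply cap: no minter, legitimate or hijacked, can inflate past it.
contract CappedToken {
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18;  // constructed value
    uint256 public totalSupply;
    address public immutable minter;
    mapping(address => uint256) public balanceOf;

    constructor(address minter_) { minter = minter_; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```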

The UXLINK exploit serves as a stark reminder that even foundational security components like multi-signature wallets require rigorous auditing and architectural safeguards to prevent catastrophic administrative control compromises and subsequent asset dilution.

Signal Acquired from ∞ ainvest.com


delegatecall vulnerability

Definition ∞ A delegatecall vulnerability is a critical security flaw specific to Ethereum smart contracts that utilize the delegatecall opcode.

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

administrative control

Definition ∞ Administrative control denotes the authority an individual or entity possesses over a digital system, protocol, or asset.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

market

Definition ∞ In the financial and digital asset context, a market represents any venue or system where assets are exchanged between participants, driven by supply and demand dynamics.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

phishing scam

Definition ∞ A phishing scam is a fraudulent attempt to acquire sensitive information, such as usernames, passwords, or private keys, by impersonating a trustworthy entity.

asset

Definition ∞ An asset is something of value that is owned.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

access control

Definition ∞ Access control dictates who or what can view or use resources within a digital system.