Briefing

On September 22, 2025, the UXLINK Web3 social infrastructure project suffered a significant security incident due to a delegateCall vulnerability within its multi-signature wallet. This exploit granted attackers unauthorized administrative control, enabling them to mint billions of UXLINK tokens and drain approximately $11.3 million in various cryptocurrencies, including stablecoins and Wrapped Bitcoin. The immediate consequence was a drastic 70% collapse in the UXLINK token’s market price, wiping out $70 million in market capitalization within hours. Compounding the incident, the attacker subsequently lost $48 million of the stolen UXLINK tokens to a phishing scam, highlighting the inherent risks even for malicious actors within the DeFi ecosystem.


Context

Prior to this incident, the digital asset landscape, and DeFi in particular, had consistently faced persistent vulnerabilities in access control and smart contract design. While cryptographic and bridge security saw improvements in 2024, the UXLINK exploit underscores that fundamental flaws, such as inadequate supply caps and weak administrative controls in seemingly secure multi-signature wallet implementations, remain a critical attack surface. The prevailing risk factors included a lack of robust audit scrutiny on multi-signature setups and the absence of safeguards such as timelocks or emergency stop mechanisms.


Analysis

The UXLINK incident’s technical mechanics centered on a delegateCall vulnerability within the project’s multi-signature wallet. Because delegatecall runs a target’s code in the calling contract’s own storage context, this flaw allowed the attacker to execute arbitrary code against the wallet’s state, effectively removing existing administrators and installing their own address as the wallet’s owner. With this elevated administrative control, the attacker was able to mint an unauthorized 2 billion UXLINK tokens, leading to severe token inflation and a subsequent price collapse. The success of this attack was directly attributable to critical design flaws in UXLINK’s smart contract, including the absence of a hardcoded supply cap and insufficient access controls, which failed to prevent the unauthorized minting and asset drainage.


Parameters

  • Protocol Targeted → UXLINK
  • Attack Vector → DelegateCall Vulnerability in Multi-Signature Wallet
  • Initial Financial Impact → $11.3 Million (stolen assets)
  • Token Price Drop → 70% (from $0.30 to $0.09)
  • Market Cap Erased → $70 Million
  • Unauthorized Tokens Minted → Billions (initially 2 billion, later estimated up to 10 trillion)
  • Attacker’s Subsequent Loss → $48 Million (to phishing scam)
  • Affected Assets → UXLINK token, stablecoins, WBTC, ETH, USDC
  • Blockchain Affected → Ethereum (new contract deployment)


Outlook

In the immediate aftermath, UXLINK initiated an emergency token swap and is deploying a new Ethereum contract that removes the mint-burn function to prevent future incidents. For users, exercising extreme caution with UXLINK tokens and participating in the official token swap is paramount. This incident will likely establish new security best practices, emphasizing the critical need for comprehensive audits of multi-signature wallet implementations, the integration of timelocks for sensitive operations, and hardcoded supply caps within smart contracts. The contagion risk extends to other DeFi protocols that rely on similar multi-signature wallet designs or lack robust access control mechanisms, underscoring the need for a systemic re-evaluation of security posture across the ecosystem.
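The two failure modes named in the Analysis and Outlook above (a multisig that forwards actions with delegatecall, and a token whose supply an administrator can inflate) and the mitigations they call for are illustrated in the following constructed Solidity example. This is added educational code, not UXLINK’s contracts; the contract and function names are hypothetical, and the approval-signature logic is assumed to happen before `execute` is reached.

```solidity
pragma solidity ^0.8.20;
// Constructed illustration, not UXLINK's contracts. DELEGATECALL runs the target's
// bytecode against the CALLER's storage, so a multisig that forwards approved actions
// this way lets the target rewrite the wallet's own owner set. The hardened wallet uses
// CALL behind a timelock, and the token's cap is a constant no administrator can raise.

contract UnsafeMultisig {
    address[] public owners;   // slot 0: a delegatecall target can overwrite this
    uint256 public threshold;  // slot 1
    constructor(address[] memory _owners, uint256 _threshold) { owners = _owners; threshold = _threshold; }
    // Assumed: `threshold` owner signatures were already verified. The defect is
    // the opcode: every storage write the target makes lands in THIS contract.
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.delegatecall(data);
        require(ok, "exec failed");
    }
}

contract SafeMultisig {
    address[] public owners;
    uint256 public threshold;
    uint256 public constant DELAY = 2 days;       // timelock on sensitive actions
    mapping(bytes32 => uint256) public queuedAt;  // keccak(target, data) => queue time
    constructor(address[] memory _owners, uint256 _threshold) { owners = _owners; threshold = _threshold; }
    // Assumed: approvals verified. Queuing gives holders and monitors time to react.
    function queue(address target, bytes calldata data) external {
        queuedAt[keccak256(abi.encode(target, data))] = block.timestamp;
    }
    // Plain CALL: the target executes in its own storage; owners/threshold stay ours.
    function execute(address target, bytes calldata data) external {
        bytes32 id = keccak256(abi.encode(target, data));
        require(queuedAt[id] != 0 && block.timestamp >= queuedAt[id] + DELAY, "timelocked");
        delete queuedAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "exec failed");
    }
}

contract CappedToken {
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18; // hardcoded; there is no setter
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public immutable minter;                       // e.g. the SafeMultisig
    constructor(address _minter) { minter = _minter; }
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded"); // holds even if minter is compromised
        totalSupply += amount; balanceOf[to] += amount;
    }
}
```

A review checklist derived from this: any `delegatecall` whose target is not a fixed, audited library address is a finding, and a mint path is only as safe as the constant that bounds it.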

The UXLINK exploit serves as a stark reminder that even foundational security components like multi-signature wallets require rigorous auditing and architectural safeguards to prevent catastrophic administrative control compromises and subsequent asset dilution.

Signal Acquired from → ainvest.com
