$41M UXLINK Treasury Heist: Admin Access Stolen, Infinite Tokens Minted, Attacker Phished in Stunning Web3 Collapse

Source: UXLINK Rekt


UXLINK’s treasury was emptied across multiple blockchains in a high-impact hack that began with a simple but catastrophic delegatecall. This vulnerability allowed someone with multisig access to effectively remove existing admins and install themselves as the new sole owner of the vault, triggering a series of devastating thefts and token inflation.


The Admin Takeover: When Trusted Access Turns Rogue

  • The attacker wasn’t a typical hacker exploiting a smart contract bug.
  • Instead, the breach was an administrative betrayal: an insider or compromised admin key holder hijacked control.
  • One function call booted out old admins; another installed a malicious new admin.
  • The contract blindly obeyed whoever held the keys, showcasing the risks when admin trust is absolute.

Initial Damage: Millions Gone in Minutes

  • On Ethereum Mainnet alone, initial losses reached about $6.6M across ETH, USDT, wBTC, USDC.
  • A second wave of theft on Ethereum added approximately $11.3M, including DAI, USDT, USDC, and wBTC.
  • On Binance Smart Chain (BSC), smaller sums totaling about $27K were also stolen.
  • Combined, the initial theft was nearly $18 million.

Infinite Token Minting & Multi-Chain Laundering

  • After draining treasury assets, the attacker exploited UXLINK’s mint function.
  • They minted trillions of unauthorized tokens, severely inflating UXLINK’s token supply.
  • These rogue tokens were swapped across chains (Arbitrum to Ethereum) for ETH worth over $41 million total.
  • Multiple wallets and decentralized exchanges were used to launder the stolen assets effectively.

Cosmic Justice: Attackers Attacked

  • Just as the attacker was cashing out, they fell prey to a phishing attack.
  • At 02:15 UTC on September 23, 542 million unauthorized UXLINK tokens were drained from the attacker’s wallet.
  • The stolen tokens ended up with the infamous Inferno Drainer, a phishing group specialized in extracting crypto from wallets.
  • SlowMist confirmed even skilled hackers can fall victim to phishing scams – a reminder that security flaws aren’t limited to protocols, but people too.

The Fallout: Silence, Panic, and Token Swap

  • UXLINK initially remained quiet while the treasury drained.
  • Only after nearly an hour did they acknowledge the security breach.
  • Panic ensued: UXLINK’s token price plummeted from $0.30 to $0.072 as unauthorized tokens flooded exchanges.
  • UXLINK launched a token swap, migrating to a new fixed-supply contract on Ethereum without mint permissions.
  • They excluded “illegally issued” tokens from the swap and promised compensation plans depending on recoveries.
  • Law enforcement and forensics firms got involved, but most stolen funds remain untraceable.

  • UXLINK’s hack wasn’t caused by a smart contract flaw but by an insider or a compromised private key.
  • This raises a fundamental question: who truly controls on-chain assets when admin keys can be misused?
  • While DeFi bugs can be patched transparently, admin key compromises often get swept under the rug.
  • This incident underscores the dangers of trusting any single point of control in Web3 projects.

Key Takeaway:

This hack exposes the vulnerability of multisig wallets when admin keys fall into the wrong hands. The fallout (multi-chain theft, infinite token minting, and the eventual phishing of the attacker) reveals that Web3 security is as much about human practices as it is about code.

For developers, founders, and security researchers: always assume the worst from internal access. Build with minimal trust and robust monitoring, because in Web3, administrative control is often the true attack vector.
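The monitoring recommended above can be sketched as a small rule engine over decoded vault events. This is an added example, not code from the article or from UXLINK; the event schema, addresses, allowlist and mint cap are all hypothetical, and the sample stream is constructed to follow the sequence the article describes (delegatecall, admin replacement, oversized mint).

```python
from dataclasses import dataclass, field

ALLOWED_DELEGATE_TARGETS = {"0xVettedLib"}  # hypothetical allowlist
MINT_CAP_PER_TX = 1_000_000  # hypothetical policy limit, in tokens
ADMIN_KINDS = ("owner_removed", "owner_added", "threshold_changed")

@dataclass
class VaultMonitor:
    owners: set
    threshold: int
    alerts: list = field(default_factory=list)

    def _alert(self, severity, ev, reason):
        self.alerts.append((severity, ev["tx"], reason))

    def process(self, ev):
        kind = ev["kind"]
        if kind == "exec" and ev["call_type"] == "delegatecall":
            # delegatecall runs the target's code against the vault's own storage
            if ev["target"] not in ALLOWED_DELEGATE_TARGETS:
                self._alert("high", ev, "delegatecall to unvetted " + ev["target"])
        elif kind == "owner_removed":
            self.owners.discard(ev["owner"])
        elif kind == "owner_added":
            self.owners.add(ev["owner"])
        elif kind == "threshold_changed":
            self.threshold = ev["threshold"]
        elif kind == "mint" and ev["amount"] > MINT_CAP_PER_TX:
            self._alert("critical", ev, f"mint of {ev['amount']} exceeds per-tx cap")
        if kind in ADMIN_KINDS:
            self._alert("high", ev, f"admin set changed: {kind}")
            # Control collapsing to one signer removes the multisig's protection
            if len(self.owners) <= 1 or self.threshold <= 1:
                self._alert("critical", ev, "vault controlled by a single key")

def run(events, owners, threshold):
    monitor = VaultMonitor(set(owners), threshold)
    for ev in events:
        monitor.process(ev)
    return monitor.alerts

SAMPLE_EVENTS = [  # constructed stream in a hypothetical decoded-event schema
    {"kind": "exec", "tx": "0xaaa1", "call_type": "delegatecall", "target": "0xUnknown"},
    {"kind": "owner_removed", "tx": "0xaaa1", "owner": "0xAdminA"},
    {"kind": "owner_removed", "tx": "0xaaa1", "owner": "0xAdminB"},
    {"kind": "owner_added", "tx": "0xaaa2", "owner": "0xNewOwner"},
    {"kind": "mint", "tx": "0xaaa3", "amount": 2_000_000_000_000},
    {"kind": "mint", "tx": "0xaaa4", "amount": 500},
]
```

Calling `run(SAMPLE_EVENTS, {"0xAdminA", "0xAdminB"}, 2)` returns the alerts in order, so the unvetted delegatecall is flagged before any owner change or mint takes place.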