The decentralized social platform UXLink announced on Wednesday the deployment of a new Ethereum contract following a multisignature wallet exploit that enabled attackers to mint billions of unauthorized tokens, significantly diminishing the value of its native asset.
UXLink stated that the new smart contract had successfully passed a security audit and would be introduced on the Ethereum mainnet. The project indicated that the mint-burn function had been eliminated to avert similar events in the future.
On Tuesday, the project confirmed the breach, noting that a considerable amount of cryptocurrency was transferred to exchanges. Loss estimates from the incident vary; Cyvers Alerts believes at least $11 million was stolen, while Hacken estimated the figure to be over $30 million.
What is clear is that the incident underscored the need for projects to address smart contract security weaknesses. Marwan Hachem, co-founder and CEO of Web3 security firm FearsOff, told Cointelegraph that the event illustrated the dangers of proceeding without essential security measures.
UXLink exploit emphasizes risks of “centralized control”
Attackers seized control of UXLink’s smart contract via a multisignature wallet breach, initially minting 2 billion UXLINK tokens. As the attacker continued minting, the token’s price plummeted 90% from $0.33 to $0.033, with security firm Hacken estimating nearly 10 trillion tokens were created.
Hachem informed Cointelegraph that the breach stemmed from a delegate call vulnerability within the multisignature wallet. This flaw allowed the hacker to execute arbitrary code and gain administrative control of the contract, which resulted in unauthorized token minting.
“This incident highlights significant design flaws in UXLink’s setup,” Hachem told Cointelegraph. “A multisignature wallet that lacked adequate protection against delegate call exploits, loose controls on who could mint tokens, and the absence of enforced supply caps.”
Hachem warned that this incident illustrated the risks of retaining excessive centralized control in projects claiming to be decentralized.
Importance of timelocks, hardcoded caps, and improved audits
From a technical perspective, Hachem said the UXLink breach could have been prevented with several standard precautions.
These included timelocks on sensitive actions such as minting new tokens or transferring contract ownership. “A 24 to 48-hour delay allows the community to identify any irregularities before proceeding,” Hachem stated.
Another was renouncing minting privileges after the token launch, so that even insiders could not create additional tokens. Hachem emphasized that hard-coding supply caps directly into smart contracts would mitigate the risk of unauthorized token minting.
On the operational front, Hachem underscored the necessity of independent reviews and continuous transparency.
“An audit should not just cover the token contract; the multisig configuration requires scrutiny as well,” he said, encouraging projects to make wallet addresses public and mandate multiple signatories for every transaction.
The overarching lesson, per Hachem, was that commonly used tools like multisig wallets should not be considered infallible. He advocated for a stronger push towards decentralized governance and emergency stops for critical functions.
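The precautions Hachem lists above (a hard-coded supply cap, a timelock on minting, renounceable minting rights, and an emergency stop) can be combined in a single token contract. The following is an added illustration written for this article, not UXLink's contract or FearsOff's code; the contract name, the 48-hour delay, the cap value and the `MintProposal` structure are this example's own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative token (not UXLink's): fixed cap, timelocked mint, renounceable minter.
contract CappedTimelockedToken {
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18; // hard-coded cap, no setter exists
    uint256 public constant MINT_DELAY = 48 hours;         // public review window before a mint

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public minter; // expected to be a multisig; address(0) once renounced
    bool public paused;    // emergency stop for the mint path

    struct MintProposal { address to; uint256 amount; uint256 readyAt; }
    MintProposal public pending; // only one mint may be queued at a time

    event MintProposed(address indexed to, uint256 amount, uint256 readyAt);
    event MintExecuted(address indexed to, uint256 amount);

    constructor() { minter = msg.sender; }
    modifier onlyMinter() { require(msg.sender == minter, "not minter"); _; }

    /// Step 1: announce the mint on-chain; nothing is created until MINT_DELAY passes.
    function proposeMint(address to, uint256 amount) external onlyMinter {
        require(!paused, "paused");
        require(totalSupply + amount <= MAX_SUPPLY, "exceeds cap");
        pending = MintProposal(to, amount, block.timestamp + MINT_DELAY);
        emit MintProposed(to, amount, pending.readyAt);
    }

    /// Step 2: execute only after the delay; cap and pause are re-checked here.
    function executeMint() external onlyMinter {
        MintProposal memory p = pending;
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "timelock active");
        require(!paused, "paused");
        require(totalSupply + p.amount <= MAX_SUPPLY, "exceeds cap");
        delete pending;
        totalSupply += p.amount;
        balanceOf[p.to] += p.amount;
        emit MintExecuted(p.to, p.amount);
    }

    /// Cancel a queued mint during the review window, e.g. after a community alert.
    function cancelMint() external onlyMinter { delete pending; }
    function setPaused(bool v) external onlyMinter { paused = v; }

    /// Permanently give up minting: no address can ever mint again after this.
    function renounceMinter() external onlyMinter { delete pending; minter = address(0); }
}
```

Because `MAX_SUPPLY` is a constant with no setter, even a compromised minter key cannot exceed the cap, and the two-step mint gives watchers the delay window to react before any tokens appear.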
“The UXLink incident underscores that hastening without robust and ongoing security measures can erode community trust. It’s better to build layered defenses from the outset,” Hachem told Cointelegraph.