The decentralized social platform UXLink announced on Wednesday that it has launched a new Ethereum contract following a multisignature wallet exploit, which enabled attackers to mint billions of unauthorized tokens and led to a collapse in the value of its native asset.
UXLink stated that the new smart contract has undergone a security audit and will be deployed on the Ethereum mainnet. The project mentioned that the mint-burn function has been removed to avert similar incidents in the future.
On Tuesday, the project confirmed the breach, noting that a significant quantity of cryptocurrency was transferred to exchanges. Loss estimates from the hack vary, with Cyvers Alerts estimating losses of at least $11 million, while Hacken reported figures exceeding $30 million.
This incident has underscored the importance of addressing security vulnerabilities in smart contracts. Marwan Hachem, co-founder and CEO of Web3 security firm FearsOff, shared with Cointelegraph that the situation illustrates the perils of proceeding without essential security measures in place.
UXLink exploit highlights “centralized control” risks
After compromising the multisignature wallet that controlled UXLink’s smart contract, attackers gained administrative control and initially minted 2 billion UXLINK tokens. The token price plummeted by 90%, from $0.33 to $0.033, as the attacker continued minting, with Hacken estimating that nearly 10 trillion tokens were generated in total.
According to Hachem, the UXLink breach stemmed from a delegate call vulnerability in their multisignature wallet, permitting the hacker to execute arbitrary code and seize administrative control of the contract. This enabled the minting of unauthorized tokens.
“This incident underscores inherent design flaws in UXLink’s setup,” Hachem remarked to Cointelegraph. “A multisignature wallet lacking adequate protection against delegate call exploits, insufficient controls over minting privileges, and the absence of built-in code to enforce a supply cap were all contributing factors.”
Hachem emphasized that this situation reveals the significant risks associated with maintaining excessive centralized control in projects that purport to be decentralized.
The need for timelocks, hardcoded caps, and better audits
From a technical viewpoint, Hachem asserted that the UXLink hack could have been averted with a few standard precautions.
One recommendation includes implementing timelocks for sensitive actions like token minting or contract ownership changes. “A 24 to 48-hour delay allows the community to identify any unusual activities before they are executed,” Hachem explained.
The second recommendation involves renouncing minting rights once the tokens are launched, ensuring that even insiders cannot create additional tokens. Hachem suggested that hard-coding supply caps directly into smart contracts would mitigate the risk of unauthorized token generation.
Operationally, Hachem underscored the necessity of independent evaluations and continuous transparency.
“It’s not enough to audit just the token contract; the multisig arrangement requires careful examination as well,” he stated, urging projects to make wallet addresses public and insist on multiple signers for each transaction.
The overarching lesson, according to Hachem, is that even commonly used tools like multisig wallets should not be regarded as infallible. He emphasized the importance of advocating for more decentralized governance and establishing emergency stop mechanisms for critical functions.
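As an added illustration of the controls Hachem lists (this is example code, not UXLink’s contract or anything from FearsOff), the ERC-20 below hard-codes a supply cap, queues every mint behind a 48-hour timelock so the community can inspect it, gives a guardian an emergency cancel, and lets the minter renounce its role for good. The token name, cap value, role addresses and the OpenZeppelin v5 dependency are assumptions; in practice the minter and guardian would be multisig wallets with published addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumes OpenZeppelin Contracts v5 is installed (project layout is hypothetical).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract CappedTimelockedToken is ERC20 {
    uint256 public constant MAX_SUPPLY = 1_000_000_000 * 1e18; // hard-coded cap (constructed value)
    uint256 public constant MINT_DELAY = 48 hours;             // the 24-48 hour review window

    address public minter;   // set to address(0) by renounceMinter(); minting is then gone for good
    address public guardian; // may cancel a queued mint (emergency stop)
    address public pendingTo; uint256 public pendingAmount;
    uint256 public pendingEta; // earliest timestamp the queued mint may execute; 0 = nothing queued

    constructor(address _minter, address _guardian) ERC20("Example", "EXM") {
        minter = _minter;
        guardian = _guardian;
    }

    // Step 1: announce the mint. Nothing is minted yet; the request is only queued on-chain.
    function queueMint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(pendingEta == 0, "mint already queued");
        require(totalSupply() + amount <= MAX_SUPPLY, "exceeds cap");
        (pendingTo, pendingAmount, pendingEta) = (to, amount, block.timestamp + MINT_DELAY);
    }

    // Step 2: anyone may execute once the delay has elapsed; the cap is enforced again here.
    function executeMint() external {
        require(pendingEta != 0 && block.timestamp >= pendingEta, "timelock active");
        require(totalSupply() + pendingAmount <= MAX_SUPPLY, "exceeds cap");
        (address to, uint256 amount) = (pendingTo, pendingAmount);
        _clearQueue();
        _mint(to, amount);
    }

    // Emergency stop: the guardian cancels a queued mint during the review window.
    function cancelMint() external {
        require(msg.sender == guardian, "not guardian");
        _clearQueue();
    }

    // Renounce minting once launched: afterwards no one, insiders included, can queue a mint.
    // A mint that is already queued can still execute unless the guardian cancels it.
    function renounceMinter() external {
        require(msg.sender == minter, "not minter");
        minter = address(0);
    }

    function _clearQueue() internal { delete pendingTo; delete pendingAmount; delete pendingEta; }
}
```

Even if the minter key or multisig is compromised, the cap bounds the damage to MAX_SUPPLY minus the current supply, and the delay gives the guardian and the community a window to cancel before anything is minted.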
“UXLink’s incident highlights that advancing without robust and sustained security measures can undermine community trust. It is preferable to strengthen defenses from the outset,” Hachem communicated to Cointelegraph.