The decentralized social platform UXLink announced on Wednesday that its multi-signature wallet had been compromised, leading to the unauthorized minting of billions of tokens and a sharp drop in the price of its native token. The platform says it has prepared a new Ethereum (ETH) token contract to replace the compromised one.
UXLink said the new smart contract has passed a security audit and that the team plans to deploy it on the Ethereum mainnet. The minting and burning functions have been removed from the new contract so that the same class of incident cannot recur.
The project confirmed the breach on Tuesday after large amounts of cryptocurrency were seen flowing to exchanges. Cyvers Alerts estimates the losses at no less than $11 million, while Hacken puts them above $30 million.
The incident highlights smart contract security risks that the project team must now address urgently. According to Cointelegraph, Marwan Hachem, co-founder and CEO of Web3 security firm FearsOff, said the incident underscores the risk of moving fast without the necessary security layers in place.
The attacker exploited a vulnerability in the multi-signature wallet to take control of the UXLink token contract, initially minting 2 billion UXLINK tokens. As the minting continued, the price fell roughly 90%, from $0.33 to $0.033. Hacken estimates that the attacker ultimately minted nearly 100 trillion tokens.
According to Cointelegraph, Hachem said in an interview that the UXLink vulnerability stemmed from a delegatecall flaw in the multi-signature wallet, which let the attacker take control of the smart contract. That gave the attacker arbitrary code execution, control of the contract's administrative permissions, and the ability to mint tokens without authorization.
"This indeed exposes some design flaws in the architecture of UXLink," Hachem said. "The multi-signature wallet failed to effectively guard against delegatecall vulnerabilities, lacked strict restrictions on minting permissions, and had no built-in issuance limit in its code."
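What makes a delegatecall flaw so dangerous is the call semantics: `delegatecall` executes the target's bytecode with the caller's storage, `msg.sender` and `msg.value`, so whatever the target writes lands in the calling contract's own storage slots, including the slot that holds its owner or admin. The example below is added to illustrate that mechanism generically; it is not UXLink's code, nothing about UXLink's actual contracts is known from this article, and the contract names `FragileWallet`, `Hijack` and `GuardedWallet` are hypothetical. The vulnerable wallet lets any caller delegatecall an arbitrary address; the hardened variant restricts who may execute and uses a plain `call`, which runs in the target's storage context rather than the wallet's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical wallet with an unrestricted delegatecall (illustrative only).
// delegatecall runs the target's code with THIS contract's storage, so the
// target can overwrite any slot here, including `owner` in slot 0.
contract FragileWallet {
    address public owner;      // storage slot 0
    uint256 public threshold;  // storage slot 1

    constructor() {
        owner = msg.sender;
        threshold = 2;
    }

    // Meant as a generic "run this action" helper, but there is no access
    // control and no restriction on `target`, so any caller can make the
    // wallet execute arbitrary code inside its own storage context.
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.delegatecall(data);
        require(ok, "delegatecall failed");
    }
}

// Attacker-supplied code. Its storage layout mirrors slot 0 of the wallet, so
// the write below lands on the wallet's `owner` when run via delegatecall.
contract Hijack {
    address public owner; // slot 0, same position as FragileWallet.owner

    function takeOver() external {
        owner = msg.sender; // msg.sender is preserved through delegatecall
    }
}

// Hardened variant: only the owner may execute, the action is a plain `call`
// (executes in the target's storage, not ours), and the wallet's privileged
// state can only change through explicit, guarded functions.
contract GuardedWallet {
    address public owner;
    uint256 public threshold;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        threshold = 2;
    }

    function execute(address target, bytes calldata data)
        external
        onlyOwner
        returns (bytes memory)
    {
        require(target != address(this), "no self-call");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```

Against `FragileWallet`, a single transaction `wallet.execute(address(hijack), abi.encodeWithSignature("takeOver()"))` leaves `wallet.owner()` equal to the attacker's address, after which any owner-gated function (such as a token contract's `mint`, if the wallet is its owner) is theirs to call. `GuardedWallet` is single-owner for brevity; a real multisig would additionally count signer approvals against `threshold` before `execute` runs, and an upgradeable design that genuinely needs delegatecall should restrict the target to a fixed, audited implementation address rather than a caller-supplied one.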
Hachem pointed out that this incident ultimately illustrates the risks of excessive centralized control in projects that claim to be decentralized.
From a technical perspective, Hachem believes that the UXLink hacking incident could have been avoided through standard protective measures.
These include time locks on sensitive operations such as minting new tokens or transferring contract ownership. "A delay of 24 to 48 hours would allow the community to detect anomalies before the operation," Hachem said.
The second measure is to revoke minting permissions once the token issuance is complete, so that not even insiders can create new tokens. Hachem noted that hard-coding an issuance cap in the smart contract prevents arbitrary minting of new tokens.
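The three controls Hachem lists (a time lock on minting, a revocable minter role, and a hard cap written into the contract) fit naturally into a token contract. The contract below is an added example of how they compose, written for this article rather than taken from UXLink or any project's code base; the name `CappedTimelockedToken`, the 48-hour delay and the scheduling API are assumptions for illustration. The cap is `immutable`, so it cannot be raised after deployment; every mint must be announced on-chain and wait out the delay before it can execute; and `renounceMinter` sets the role to the zero address with no function that can restore it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token showing a hard issuance cap, a timelocked mint and a
// minter role that can be given up permanently (illustrative only).
contract CappedTimelockedToken {
    string public constant name = "ExampleToken";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;

    uint256 public immutable cap;  // hard issuance limit fixed at deployment
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public minter;                          // address(0) once renounced
    uint256 public constant MINT_DELAY = 48 hours;  // assumed delay

    struct PendingMint { address to; uint256 amount; uint256 readyAt; }
    mapping(bytes32 => PendingMint) public pending;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MintScheduled(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event MintExecuted(bytes32 indexed id, address to, uint256 amount);
    event MintCancelled(bytes32 indexed id);
    event MinterRenounced();

    modifier onlyMinter() {
        require(msg.sender == minter, "not minter");
        _;
    }

    constructor(uint256 cap_, address minter_) {
        require(cap_ > 0 && minter_ != address(0), "bad params");
        cap = cap_;
        minter = minter_;
    }

    // Step 1: announce the mint. Nothing is created yet; the community has
    // MINT_DELAY to inspect the MintScheduled event and react.
    function scheduleMint(address to, uint256 amount, bytes32 salt)
        external
        onlyMinter
        returns (bytes32 id)
    {
        require(to != address(0), "zero recipient");
        require(totalSupply + amount <= cap, "exceeds cap"); // early rejection
        id = keccak256(abi.encode(to, amount, salt));
        require(pending[id].readyAt == 0, "already scheduled");
        uint256 readyAt = block.timestamp + MINT_DELAY;
        pending[id] = PendingMint(to, amount, readyAt);
        emit MintScheduled(id, to, amount, readyAt);
    }

    // A scheduled mint that the community objects to can be withdrawn.
    function cancelMint(bytes32 id) external onlyMinter {
        require(pending[id].readyAt != 0, "unknown mint");
        delete pending[id];
        emit MintCancelled(id);
    }

    // Step 2: execute after the delay. The cap is re-checked here because
    // other scheduled mints may have executed in the meantime.
    function executeMint(bytes32 id) external onlyMinter {
        PendingMint memory p = pending[id];
        require(p.readyAt != 0, "unknown mint");
        require(block.timestamp >= p.readyAt, "timelock active");
        require(totalSupply + p.amount <= cap, "exceeds cap");
        delete pending[id];
        totalSupply += p.amount;
        balanceOf[p.to] += p.amount;
        emit Transfer(address(0), p.to, p.amount);
        emit MintExecuted(id, p.to, p.amount);
    }

    // Step 3: once issuance is complete, give the role up for good. There is
    // deliberately no function that can assign `minter` again.
    function renounceMinter() external onlyMinter {
        minter = address(0);
        emit MinterRenounced();
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(to != address(0), "zero recipient");
        uint256 bal = balanceOf[msg.sender];
        require(bal >= amount, "insufficient balance");
        balanceOf[msg.sender] = bal - amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

Two practical notes. First, `executeMint` is restricted to the minter, so once `renounceMinter` has been called any still-pending mints become unexecutable; a team should drain or cancel the queue before renouncing. Second, the cap only helps if it is enforced in the token itself: a cap enforced off-chain, or in an owner-controlled contract that can be replaced, offers no protection once the owner key or multisig is compromised, which is exactly the scenario described above.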
On the operational level, Hachem emphasized the importance of independent reviews and ongoing transparency.
He said, "It's not enough to just audit the token contract; the multi-signature setup must also be strictly controlled." He called for the project team to publicly disclose its wallet addresses and to require multiple signatures on every transaction.
Hachem believes the broader lesson is that even widely used tools like multi-signature wallets should not be treated as unconditionally secure. He recommends moving toward more decentralized governance while adding emergency stop mechanisms for critical functions to strengthen overall security.
Hachem stated, "The UXLink incident shows that a lack of solid and ongoing security guarantees can severely undermine community confidence. The project team should establish multiple security measures from the very beginning."
Original: “UXLink Hack Incident Reveals Centralized Control Risks in DeFi Projects”