Original Author: Beosin
Reprint: White55, Mars Finance
On September 23, UXLINK was attacked due to the leakage of the multi-signature wallet private key. The attacker minted UXLINK tokens and sold them for a profit of over $11.3 million. The Beosin security team conducted a vulnerability analysis and fund tracking for this attack incident, and the results are shared as follows:
Event Review
The UXLINK project contract was compromised due to a private key leak, leading to the attacker's address being added as a multi-signature account for the contract and the removal of the original multi-signature accounts. Additionally, the contract's signing threshold was reset to 1, allowing the attacker's address to execute contract operations with just its signature, giving the attacker complete control over the contract. Subsequently, the attacker began to mint additional UXLINK tokens and sell them for profit.
The attacker minted tokens 5 times, using three addresses to receive tokens: 0xeff9cefdedb2a34b9e9e371bda0bf8db8b7eb9a7, 0x2ef43c1d0c88c071d242b6c2d0430e1751607b87, and 0x78786a967ee948aea1ccd3150f973cf07d9864f3 to exchange UXLINK tokens for ETH and DAI through swapping, transferring, and cross-chain activities, storing them on the ETH chain address.
Stolen fund tracking
The following is an analysis by the Beosin security team on the main flow of funds in this security incident:
ARBITRUM chain
Hacker address: 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c
Stolen address: 0xCe82784d2E6C838c9b390A14a79B70d644F615EB
Amount stolen: approximately 904,401 USDT
After stealing the funds, the hacker exchanged 904,401 USDT for 215.71 ETH and transferred the ETH to the Ethereum address 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c through cross-chain.
Ethereum chain
Hacker address: 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c
Stolen addresses: 0x4457d81a97ab6074468da95f4c0c452924267da5, 0x8676d208484899f5448ad6e8b19792d21e5dc14f, 0x561f7ced7e85c597ad712db4d73e796a4f767654
Stolen funds approximately: 25.27 ETH, 5,564,402.99 USDT, 3.7 WBTC, 500,000 USDC
After stealing the funds, the hacker exchanged 5,564,402.99 USDT and 500,000 USDC for 6,068,370.29 DAI, and finally consolidated the funds to the address 0xac77b44a5f3acc54e3844a609fffd64f182ef931, which currently has a balance of: 240.99 ETH, 6,068,370.29 DAI, 3.7 WBTC.
The main capital flow between Ethereum and Arbitrum is shown in the figure below:
According to Beosin Trace analysis, all the stolen funds are still held in multiple addresses of the attacker.
Beosin Trace has blacklisted all addresses related to the attacker and is continuously tracking them. Below is the current balance status of the addresses related to the attacker:
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
