UXLINK Hack: Approximately $11.3 Million Stolen - Technical Analysis
09-24, 11:46
On September 23, the private key of the UXLINK project's multi-signature wallet was compromised, resulting in the theft of approximately $11.3 million worth of cryptocurrency assets, which were subsequently transferred to various centralized (CEX) and decentralized (DEX) exchanges. Immediately after the attack, we collaborated with UXLINK to investigate and analyze the incident and to monitor the fund flows. UXLINK promptly contacted major exchanges to request the freezing of suspicious funds, and filed a report with law enforcement and relevant authorities to seek legal support and asset recovery. Most of the hacker's assets have been frozen by major exchanges, minimizing further risk to the community. The project team has committed to maintaining transparency with the community, and ExVul will continue to analyze and follow up on the incident.

(https://x.com/UXLINKofficial/status/1970181382107476362)
While the hacker was moving the funds, the portion deposited into exchanges was frozen. Through initial on-chain tracking, it was discovered that the hacker who had stolen the UXLINK assets in turn fell victim to an Inferno Drainer phishing attack. Upon verification, approximately 542 million $UXLINK tokens, illegally obtained by the hacker, were stolen from the hacker using an "approval phishing" technique (tricking the victim into signing a token approval to the drainer).
Hacker's Phishing Transaction: https://arbiscan.io/tx/0xa70674ccc9caa17d6efaf3f6fcbd5dec40011744c18a1057f391a822f11986ee
Unauthorized Mint of 1B $UXLINK: https://arbiscan.io/tx/0x2466caf408248d1b6fc6fd9d7ec8eb8d8e70cab52dacff1f94b056c10f253bc2

1. The original multisig contract was compromised either by a malicious action of one of its owners or by a leaked owner private key, leading to the addition of a malicious address as a multisig owner. At the same time, the contract's signature threshold was reset to 1, so that a single owner's signature was enough to execute contract operations. The hacker set the new owner address to 0x2EF43c1D0c88C071d242B6c2D0430e1751607B87.

(https://arbiscan.io/tx/0x8504a830e7a7a1ca0308a71130efdebddd78b90a1dcc8a64d7c1d86261754689)
2. The attacker first calls the execTransaction function on the Gnosis Safe proxy contract. This call is the entry point for maliciously removing a multisig member, and all subsequent malicious operations are executed within this single transaction.
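As an added example (not ExVul's or UXLINK's code), a small monitor that replays decoded Safe owner and threshold events and flags the takeover pattern described in steps 1 and 2: a rogue owner added and the threshold dropped to 1 inside one transaction, followed by the removal of a legitimate member. The event list is constructed; it uses the attacker owner address and the transaction hash quoted above, while the legitimate owner addresses and the original threshold of 3 are assumed placeholders.

```python
from collections import defaultdict

MIN_THRESHOLD = 2  # policy: a treasury Safe must never drop to 1-of-N signing

# Values quoted in the write-up above
ATTACKER_OWNER = "0x2EF43c1D0c88C071d242B6c2D0430e1751607B87"
TAKEOVER_TX = "0x8504a830e7a7a1ca0308a71130efdebddd78b90a1dcc8a64d7c1d86261754689"

# Assumed placeholders: the Safe's approved owner roster and original threshold
APPROVED_OWNERS = ["0xLEGIT_OWNER_1", "0xLEGIT_OWNER_2", "0xLEGIT_OWNER_3"]
ORIGINAL_THRESHOLD = 3

# Constructed decoded Safe logs as (tx_hash, event_name, value) in log order;
# value is an owner address for AddedOwner/RemovedOwner, an int for ChangedThreshold.
SAMPLE_EVENTS = [
    ("0xBENIGN_TX", "ChangedThreshold", 3),            # routine change, within policy
    (TAKEOVER_TX, "AddedOwner", ATTACKER_OWNER),       # step 1: rogue owner added
    (TAKEOVER_TX, "ChangedThreshold", 1),              # step 1: threshold reset to 1
    (TAKEOVER_TX, "RemovedOwner", "0xLEGIT_OWNER_1"),  # step 2: legitimate member removed
]

def audit_safe_events(events, approved_owners, initial_threshold, min_threshold=MIN_THRESHOLD):
    """Replay owner/threshold events; return (alerts, final_owners, final_threshold)."""
    approved = {o.lower() for o in approved_owners}
    owners, threshold, alerts = set(approved), initial_threshold, []
    kinds_per_tx = defaultdict(set)  # which kinds of change each tx made
    for tx, name, value in events:
        if name == "AddedOwner":
            owners.add(value.lower())
            kinds_per_tx[tx].add("add")
            if value.lower() not in approved:
                alerts.append((tx, f"unknown owner added: {value}"))
        elif name == "RemovedOwner":
            owners.discard(value.lower())
            kinds_per_tx[tx].add("remove")
            alerts.append((tx, f"owner removed: {value}"))
        elif name == "ChangedThreshold":
            threshold = int(value)
            kinds_per_tx[tx].add("threshold")
            if threshold < min_threshold:
                alerts.append((tx, f"threshold lowered to {threshold} (policy min {min_threshold})"))
    # Owner added and threshold changed in the same transaction is the takeover signature
    for tx, kinds in kinds_per_tx.items():
        if {"add", "threshold"} <= kinds:
            alerts.append((tx, "TAKEOVER PATTERN: owner added and threshold changed in one tx"))
    return alerts, owners, threshold

def run_sample():
    return audit_safe_events(SAMPLE_EVENTS, APPROVED_OWNERS, ORIGINAL_THRESHOLD)
```

In a live deployment the tuples would come from decoded Safe logs on the chain's RPC, and the "unknown owner" and "threshold below policy" alerts would page the operators before the attacker's follow-up transfers.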