In just two days, over $100 million evaporated as UXLINK and SFUND suffered back-to-back hacks. How can the crypto dark forest guard against hidden dangers?
On September 22, the cryptocurrency market felt the chill of a sudden drop during the day, and the night brought new frost.
On the evening of September 22, the highly anticipated SocialFi project UXLINK suffered a hacker attack. The attacker exploited a contract vulnerability to steal $4 million worth of assets from the project’s treasury, and created up to 100 trillion tokens out of thin air, subsequently dumping them on-chain to extract funds from the liquidity pool, ultimately profiting over $11 million. As soon as the news broke, market confidence collapsed instantly, with the price of UXLINK tokens plummeting by more than 80% in just a few hours, and its market capitalization evaporating from a high of approximately $140 million to $16.8 million. However, the hacker storm did not subside; just 24 hours later, on the evening of September 23, the native token SFUND of the well-established Launchpad platform Seedify.fund also fell victim. Its cross-chain bridge treasury was drained by hackers, with assets worth over $1.7 million looted, causing the price of SFUND to crash, setting a new historical low, and its market capitalization evaporating again by over $10 million.
In two days, two seemingly unrelated projects saw more than $100 million of market value vanish under precise strikes by hackers. That forces every practitioner and investor to ask once more: beyond the volatile market cycle, are the vulnerabilities lurking deep in the code the sharpest sword of Damocles hanging over the crypto world?
UXLINK's bolt from the blue: a deadly game of permissions
The collapse of UXLINK is a typical "internal explosion" caused by a vulnerability in smart contract permissions. The entire event unfolded like a meticulously orchestrated tech crime movie, swift and deadly.
The root cause was a neglected "master key." Analysis shows that the attacker's first step was a transaction executing a delegatecall. A delegatecall runs the target's code inside the calling contract's own storage context, so code reached this way can rewrite the caller's state, including who its owners are. This transaction removed the legitimate admin role from the UXLINK contract and added a new multi-signature owner controlled by the attacker.
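To make the mechanism concrete, the following is a hypothetical, minimal pair of contracts written for this article; it is not UXLINK's code and does not claim to reproduce the exact call the attacker used. It assumes a privileged contract that exposes an execution hook to "manager" addresses, and an attacker who holds one such manager key (or otherwise reaches that hook). The names `VulnerableAdmin`, `Hijack` and `HardenedAdmin` are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this article (not UXLINK's code) to show
// why a delegatecall issued by a privileged contract acts as a master key.
// delegatecall executes the target's bytecode with the CALLER's storage,
// address and msg.sender, so anything the target writes lands in the caller's
// storage slots, including the slot that holds the owner.

contract VulnerableAdmin {
    address public owner;                       // storage slot 0
    mapping(address => bool) public isManager;  // storage slot 1

    constructor() {
        owner = msg.sender;
    }

    function setManager(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        isManager[who] = ok;
    }

    // "Flexible" execution hook: a manager may delegatecall ANY target.
    // A manager (or anyone holding one compromised manager key) can point it
    // at attacker code that overwrites slot 0 and becomes owner, without ever
    // being granted the owner role through setManager or an ownership transfer.
    function exec(address target, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(isManager[msg.sender] || msg.sender == owner, "not manager");
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "exec failed");
        return ret;
    }
}

// Attacker-deployed code. Its first state variable deliberately lines up with
// slot 0 of VulnerableAdmin, so `owner = newOwner` here rewrites the victim's
// owner when executed via delegatecall:
//   admin.exec(address(hijack), abi.encodeCall(Hijack.takeover, (attacker)));
//   // afterwards: admin.owner() == attacker
contract Hijack {
    address public owner; // slot 0: aliases VulnerableAdmin.owner under delegatecall

    function takeover(address newOwner) external {
        owner = newOwner;
    }
}

// Hardened variant: no arbitrary delegatecall from a privileged contract.
// Outbound actions use a plain call (the callee runs in its OWN storage) and
// the only reachable target is fixed at deployment, so a compromised manager
// cannot redirect execution at this contract's storage.
contract HardenedAdmin {
    address public owner;
    address public immutable treasury;          // the only contract managers may act on
    mapping(address => bool) public isManager;

    constructor(address treasury_) {
        owner = msg.sender;
        treasury = treasury_;
    }

    function setManager(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        isManager[who] = ok;
    }

    function exec(bytes calldata data) external returns (bytes memory) {
        require(isManager[msg.sender], "not manager");
        (bool ok, bytes memory ret) = treasury.call(data); // call, never delegatecall
        require(ok, "exec failed");
        return ret;
    }
}
```

The point of the hardened variant is not that `call` is safe and `delegatecall` is not; it is that a privileged contract must never let a lower-privileged caller choose what code runs in its own storage context. Upgradeable proxies need delegatecall, but there the implementation address should be settable only by the highest-privilege role, ideally behind a timelock, never by a routine "execute" path.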
According to revelations from Cyvers Alerts, after gaining full management control, the hackers immediately began transferring assets from UXLINK's treasury wallet. The initially stolen assets included approximately $4 million in USDT, $500,000 in USDC, 3.7 WBTC, and 25 ETH. This step locked in direct and guaranteed profits for the attackers.
Next came the most destructive phase: unauthorized minting. On-chain data shows the attacker created as many as 100 trillion new UXLINK tokens. This wiped out what was left of market confidence, even though UXLINK responded quickly and asked several major CEXs to halt trading. The on-chain price collapsed under the enormous new supply, bottoming out at a value in the sixth decimal place, effectively zero. It was a replay of LUNA's unlimited issuance.
As of September 23, going by the on-chain price, UXLINK's market capitalization was roughly $80.
Holding an effectively unlimited supply of UXLINK, the attackers began a planned sell-off across the major decentralized exchanges. To muddy the trail they operated from at least six wallets, swapping freshly minted UXLINK for high-value assets. On-chain analytics firm Lookonchain reported that the attackers obtained at least 6,732 ETH from these sales, worth roughly $28.1 million at the time. Estimates of the attackers' profit nevertheless diverge on social media: several security firms, and UXLINK's own official statement, put the loss at $11.3 million.
However, regardless of the calculation method used, it pales in comparison to the severity of the losses suffered by the community this time. Before the crash, the market capitalization of UXLINK was about $150 million, while after reaching the lowest price, the market capitalization displayed by centralized exchanges fell to $16 million, resulting in an evaporated market capitalization of about $100 million for the community.
Throughout this, many users wrongly assumed the hackers would stop after looting the treasury and decided to buy the dip. On social media, many shared that they had tried to catch a rebound by buying spot or opening long positions, only to lose more than 99%. The largest such address put in over $900,000 and lost 99.8%.
The "darkest moment" of the star project, where will UXLINK go from here?
The day before the attack, UXLINK's official account also posted a tweet saying, "Something big is about to happen," but little did they expect it to be prophetic.
After the incident the UXLINK team responded quickly, stating that it had urgently contacted multiple CEXs to suspend UXLINK trading and would launch a token swap plan. Because it could not regain control of the contract, however, it was unable to stop the attacker from minting trillions of tokens. After such a heavy blow, community confidence in UXLINK and the development of its ecosystem face enormous challenges.
Before the attack, UXLINK was one of the most closely watched star projects of this cycle, with particular influence in the Korean market. As a SocialFi platform, it built a large user base in a short time on its distinctive acquaintance-based social graph and group-driven viral growth model. According to public information, the project has raised over $9 million in total, with well-known institutions among its investors.
UXLINK regards South Korea as a core market, investing significant resources in localized operations and marketing, accumulating a large number of real users. According to official data, UXLINK achieved a milestone of over 10 million registered users by 2024.
UXLINK then listed on Upbit, South Korea's largest compliant exchange, and repeatedly topped the daily trading rankings on Upbit and Bithumb, the country's major exchanges. Binance also listed UXLINK perpetual contracts, further extending its global reach.
After the attack, the UXLINK team stated that they would formulate a new token replacement plan to compensate affected users through methods such as snapshots. However, the road ahead is still fraught with difficulties.
The biggest challenge is rebuilding trust and the attitude of the exchanges. For compliant exchanges such as Upbit in particular, the stability and security of a token's economic model are core criteria for listing it and keeping its trading pairs. There are many precedents of delisting after similar events: Pundi AI (PUNDIX, formerly Pundi X) was delisted by South Korean compliant exchanges including Upbit, citing "untimely information disclosure," after a hack led to an abnormal increase in its token supply.
The current situation faced by UXLINK is highly similar to this. If its new token scheme cannot convince Upbit and other exchanges that it can thoroughly fix the vulnerabilities and restore a healthy economic model, then being "delisted" will be a high probability event. Once it loses liquidity in its core market, it will be extremely difficult for UXLINK to make a comeback.
SFUND's alarm, and the industry's reflection
Just as the market was still digesting the impact of the UXLINK incident, on the evening of September 23, the theft of the governance token SFUND from the Web3 project incubation and launch platform Seedify.fund sounded the alarm for the entire industry once again.
SFUND's attack followed a similar principle to UXLINK's. According to Specter's disclosure, after gaining access on Base the attackers inflated the token supply, minting up to 3 × 10^24 (three septillion) tokens.
They then minted 10 billion tokens on the BSC chain and sold them for $1.2 million in ETH. According to earlier reporting, this attacker has a clear link to the North Korean hacker group Serenity Shield.
Although the amount stolen this time was smaller, the blow to market confidence was just as severe. Within 15 minutes SFUND's price plunged 73%, its market cap falling from $27 million to a low of $11 million. The script closely mirrors UXLINK's; whether that is coincidence or the same group behind both attacks is not yet clear.
Although the full post-mortems of the two incidents have not yet been released, some lessons are already clear. Both trace back to control over contract permissions and over the switch that enables token minting: whoever holds the privileged role holds the supply.
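The following hypothetical token contracts, written for this article and not taken from UXLINK's or Seedify's code, show the difference between a mint switch whose only guard is "who holds the key" and one whose damage is bounded even when the key is lost. The contract and role names (`UncappedToken`, `CappedToken`, `admin`, `minter`) and the one-day window are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token contracts written for this article (not UXLINK's or
// Seedify's code). Only the ERC-20 pieces needed to show how mint authority
// is bounded are included.

abstract contract MinimalERC20 {
    string public name;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(string memory name_) {
        name = name_;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    // Mints are Transfer events from address(0): the signal a supply monitor watches.
    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Weak design: one owner key is admin and minter at once, and mint has no
// ceiling. Whoever ends up as owner, by key theft or by rewriting the owner
// slot of the controlling contract, can mint 100 trillion tokens in one call.
contract UncappedToken is MinimalERC20 {
    address public owner;

    constructor() MinimalERC20("Uncapped") {
        owner = msg.sender;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        _mint(to, amount);
    }
}

// Hardened design: an immutable hard cap, a minter role separate from admin,
// and a per-window mint allowance. A stolen minter key is limited to
// `mintLimitPerWindow` per WINDOW and can never push supply past MAX_SUPPLY,
// so the worst case is bounded and observable instead of unlimited.
contract CappedToken is MinimalERC20 {
    uint256 public immutable MAX_SUPPLY;
    uint256 public immutable mintLimitPerWindow;
    uint256 public constant WINDOW = 1 days;

    address public admin;
    address public minter;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    event MinterChanged(address indexed previous, address indexed current);

    constructor(uint256 cap, uint256 perWindow, address minter_) MinimalERC20("Capped") {
        require(perWindow <= cap, "window allowance above cap");
        MAX_SUPPLY = cap;
        mintLimitPerWindow = perWindow;
        admin = msg.sender;
        minter = minter_;
    }

    // Admin can rotate the minter but cannot mint directly, and a rotation
    // emits an event that monitoring can alert on.
    function setMinter(address newMinter) external {
        require(msg.sender == admin, "not admin");
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= mintLimitPerWindow, "window allowance exceeded");
        mintedInWindow += amount;
        _mint(to, amount);
    }
}
```

The cap and the window do not prevent a compromise; they convert "unlimited issuance in one transaction" into a bounded amount that monitoring (watching `Transfer` from the zero address and `MinterChanged`) can catch while there is still time to pause trading. A project that never needs to mint after launch should go further and ship no mint function at all.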
The founder of SFUND stressed in a warning message that the contract had been audited and had been running for three years. Audits are not a panacea: a routine audit may not uncover every deep logic flaw, and it covers the code as it existed when reviewed, not how the privileged keys and roles that operate that code are managed afterwards. Continuous security audits and code review remain essential, but so does scrutiny of who holds those keys.
For ordinary users, though, reviewing a contract and its operating logic is out of reach, and how to avoid such pitfalls is a hard question. What a holder can check without reading code is whether the contract's source is verified on a block explorer, whether it exposes a mint function and a supply cap, and who controls the owner or minter role; a single externally owned account in that role is a single point of failure. Beyond that, a simpler measure is to set stop-loss orders even on spot holdings, so that a black-swan event does not turn into a devastating loss.
Second, in both events many users gambled on a lucky early bottom and took heavy losses. That is licking blood off the edge of a blade, and it is inadvisable.
Finally, the "snapshot swap" the project proposed typically records every user's holdings at a point in time before the attack and issues a new token in proportion to those holdings. It is remediation after the fact, not a mechanism that makes every loss whole: anyone who bought after the snapshot point, for instance, holds nothing that it counts.
From UXLINK to SFUND, in two days we watched a code vulnerability wipe out a project's value and ecosystem in an instant, like falling dominoes. It proves once again that in the dark forest of crypto, security is the leading "1": brand, community and market cap are the zeros that follow it, and without the "1" they add up to nothing. Project teams must treat every line of code, and every privileged key, with reverence. Investors chasing high returns must put security risk first in their decisions. Otherwise the next project to go to zero may be just around the corner.
Author: Frank, PANews