# UXLink Exploit Analysis

<figure><img src="/files/CO9Mtcbc6Cx9E6WpZ5LJ" alt=""><figcaption></figcaption></figure>

## Summary

On September 22, 2025, [**UXLINK** officially disclosed through X](https://x.com/UXLINKofficial/status/1970181382107476362) that their protocol had suffered a critical security breach involving their multi-signature wallet infrastructure, confirming an active exploit targeting the platform's core treasury systems. Within minutes of this disclosure, [Blockscope's forensic team initiated comprehensive on-chain tracing operations](https://x.com/BlockscopeCo/status/1970231199147884741) across Ethereum and Arbitrum, systematically mapping the initial theft vectors and asset movement patterns that would soon reveal the sophisticated nature of this attack.

<figure><img src="/files/WldHl900vAm08Xue88qv" alt="" width="442"><figcaption><p><a href="https://x.com/BlockscopeCo/status/1970231199147884741">https://x.com/BlockscopeCo/status/1970231199147884741</a></p></figcaption></figure>

What initially appeared as a conventional multisig wallet compromise rapidly escalated into a multi-stage exploit when the attacker leveraged a delegateCall vulnerability to escalate administrative privileges, subsequently [minting more than 10 trillion unauthorized UXLINK tokens](https://x.com/UXLINKofficial/status/1970318681931669825) before systematically draining liquid assets worth millions through coordinated bridge operations and DEX/CEX liquidation pathways.

<figure><img src="/files/ZVBtk4QbWsp3WpfQgZnR" alt=""><figcaption><p><a href="https://x.com/UXLINKofficial/status/1970318681931669825">https://x.com/UXLINKofficial/status/1970318681931669825</a></p></figcaption></figure>

Based on Blockscope's comprehensive ledger-level forensic analysis, **over $41 million in assets** have been confirmed as successfully stolen by the exploiters through systematic token minting, direct treasury drainage, and strategic conversion operations across multiple blockchain networks.

[UXLINK](https://x.com/UXLINKofficial), a Web3 social infrastructure platform serving **55M+ users** with AI-powered Social Growth and Graph IP, went from steady momentum to a cautionary tale on September 22 after a smart-contract error triggered catastrophic liquidity depletion and a **\~70% token collapse**, shattering market confidence. This investigation reconstructs the exploit end-to-end, covering technical forensics, on-chain flows, and remediation, and extracts practitioner-grade lessons for DeFi security.

<figure><img src="/files/pNpzVjHXCZnk5nJcUGuA" alt=""><figcaption><p>Source: <a href="https://www.facebook.com/coingecko/posts/uxlink-is-down-732-today-after-a-security-breach-led-to-1b-tokens-being-minted-w/1222486766590269/">CoinGecko</a></p></figcaption></figure>

## Decoding the Exploit

The UXLINK exploit originated from a critical delegateCall vulnerability within the protocol's multi-signature wallet infrastructure, which allowed external callers to execute arbitrary code within the wallet's security context and bypass all intended access controls. The attacker systematically leveraged this flaw to execute a sophisticated privilege escalation attack, using delegateCall to remove existing administrative roles and invoke the `addOwnerWithThreshold` function, effectively installing themselves as the authorized wallet owner with unrestricted access to all treasury functions. Using Blockscope's Contract Analysis and Transaction Decoder tools, we were able to see how the primary exploiter `0x2ef43c1d0c88c071d242b6c2d0430e1751607b87` leveraged the flaw, eventually removing all the owners of the multisigs.

<figure><img src="/files/IjlftT7X3rhYVYlLvBBZ" alt=""><figcaption><p>Flowchart showing the exploiter removing multisig ownership from UXLink’s main storage contracts.</p></figcaption></figure>

This [initial breach resulted in the immediate drainage of \~$12 million](https://x.com/BlockscopeCo/status/1970231199147884741) in liquid assets across the Ethereum and Arbitrum networks, including $4 million in USDT, $500,000 in USDC, 3.7 wrapped Bitcoin, and 25 ETH, alongside millions of native UXLINK tokens from the compromised multisig wallets.

The exploit’s second phase saw the exploiter mint trillions of unauthorized UXLINK tokens, mostly on Arbitrum, and quickly convert the stolen assets and $UXLINK into DAI, and eventually into nearly 6,700 ETH worth nearly $28 million, before bridging the proceeds from Arbitrum to the Ethereum mainnet using [Across Protocol](https://across.to/) and [Defiway](https://defiway.com/).

<figure><img src="/files/q5QMyXX7xQfvJxZ4imJi" alt=""><figcaption><p>Transaction Decoder shows that, in one of the unauthorized minting transactions, the exploiter minted 10 trillion $UXLINK; Tx: 0x702189323aa5ddbd839b077cc27cede0550abc106ab89084ea2e069505a87577</p></figcaption></figure>

Post-bridge, the attacker **consolidated value into ETH, wBTC & DAI on Ethereum** by executing rapid swaps across DEXs, mainly leveraging CoW Swap; at the time of writing, the exploiter is holding all the funds on Ethereum.

However, in a remarkable twist of irony, the attacker became a victim in turn when [they unknowingly approved a malicious phishing contract](https://x.com/realScamSniffer/status/1970322013597450609) controlled by the Inferno Drainer network, losing \~542 million UXLINK tokens worth approximately $48 million during the asset shuffling process.

<figure><img src="/files/mSeTrnlHM4XNAEJgHaRo" alt=""><figcaption><p>Tx. (Arbitrum): 0xa70674ccc9caa17d6efaf3f6fcbd5dec40011744c18a1057f391a822f11986ee</p></figcaption></figure>

## On-Chain Activity

The exploiter executed a near-simultaneous multisig takeover on Ethereum and Arbitrum, first pruning signers (via `removeOwner`-style updates) to seize execution control and open transfer/mint vectors. On Arbitrum, the adversary immediately minted unauthorized $UXLINK at extreme scale (in the trillions), alongside draining other crypto assets, as illustrated in **Tracer 1**.

<figure><img src="/files/tv7qmFkZmRKae5h97YpU" alt=""><figcaption><p>Tracer 1</p></figcaption></figure>
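The signer-pruning sequence described above (and in the Decoding the Exploit section) expressed as a monitoring rule. This is an added example, not Blockscope's or UXLINK's code: it assumes the wallet exposes the Safe-style OwnerManager interface (`addOwnerWithThreshold(address,uint256)` and `removeOwner(address,address,uint256)`, whose real 4-byte selectors are used), decodes those calls from calldata, replays them against the known signer set, and alerts once no original signer remains; all addresses and calldata are constructed sample data.

```python
# Added example (not Blockscope's or UXLINK's code): a watchtower-style rule that
# replays Safe OwnerManager calls against a monitored multisig and alerts once no
# original signer remains. Selectors are Safe's; all sample data is constructed.

SELECTORS = {
    "0d582f13": "addOwnerWithThreshold",  # addOwnerWithThreshold(address,uint256)
    "f8dc5dd9": "removeOwner",            # removeOwner(address prevOwner,address owner,uint256)
}

def _arg(data, i, as_address=False):
    """i-th 32-byte ABI word after the 4-byte selector, as int or 20-byte address."""
    word = data[8 + 64 * i: 8 + 64 * (i + 1)]
    return "0x" + word[-40:] if as_address else int(word, 16)

def decode_owner_call(calldata):
    """Return (function, args) for an owner-management call, else None."""
    data = calldata.lower().removeprefix("0x")
    name = SELECTORS.get(data[:8])
    if name == "addOwnerWithThreshold":
        return name, {"owner": _arg(data, 0, True), "threshold": _arg(data, 1)}
    if name == "removeOwner":
        return name, {"owner": _arg(data, 1, True), "threshold": _arg(data, 2)}
    return None

def replay_owner_changes(original_owners, calls):
    """Apply decoded calls in order; alert on every call after which no original signer is left."""
    owners = {o.lower() for o in original_owners}
    originals = set(owners)
    alerts = []
    for calldata in calls:
        decoded = decode_owner_call(calldata)
        if decoded is None:
            continue  # not an owner-management call (e.g. a plain transfer)
        name, args = decoded
        if name == "addOwnerWithThreshold":
            owners.add(args["owner"])
        else:
            owners.discard(args["owner"])
        if not owners & originals:
            alerts.append(f"{name}: no original signer left; owners now {sorted(owners)}")
    return owners, alerts

def _encode(selector, *words):  # ABI-encode static hex words behind a selector
    return "0x" + selector + "".join(w.rjust(64, "0") for w in words)
# Constructed scenario: newcomer added with threshold 1, then each original owner removed.
ORIGINAL_OWNERS = ["0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20]
NEWCOMER = "aa" * 20
SAMPLE_CALLS = [_encode("0d582f13", NEWCOMER, "1")] + [
    _encode("f8dc5dd9", NEWCOMER, old * 20, "1") for old in ("11", "22", "33")
]
```

Running `replay_owner_changes(ORIGINAL_OWNERS, SAMPLE_CALLS)` stays silent through the first three calls and raises a single alert on the removal that leaves only the newcomer as owner.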

In parallel on Ethereum, the **Primary Exploiter** initiated the treasury drain; **Tracer 2** traces early inflows into `0xb819e6ae5a6668bb0ce02d64d130deca9ff83691` & `0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c`, which aggregate roughly **$12M** across USDC, USDT, WBTC, and ETH, reflecting a coordinated siphon rather than opportunistic dust collection.

<figure><img src="/files/DbdwQDuW7FP0120INtYJ" alt=""><figcaption><p>Tracer 2</p></figcaption></figure>

With mint pressure established, the exploiter shifted into consolidation and egress. The strategy was straightforward: dump UXLINK → acquire ETH → bridge to Ethereum for deeper liquidity and broader off-ramps. This leg leveraged multiple DEX routes and DeFi primitives to minimize price impact and MEV capture while obscuring deterministic paths, as shown in **Tracer 3**.

<figure><img src="/files/hJEc63CvDz8GyR0R2J0G" alt=""><figcaption><p>Tracer 3</p></figcaption></figure>

After landfall on Ethereum, flows show a defensive rebalancing into DAI and ETH positions to reduce volatility, freezing, and slippage risk ahead of CEX attempts or further routing. The resulting stack now fans out across **\~10 holding addresses**, as shown in **Tracer 4**, a classic distribution pattern that balances fragmentation with operational control.

<figure><img src="/files/GNoV5pebwEcwwUcltqEG" alt=""><figcaption><p>Tracer 4</p></figcaption></figure>

## Breakdown and Timeline

### September 16, 2025 at 10:59 AM UTC

The primary exploiter **`0x2ef43c1d0c88c071d242b6c2d0430e1751607b87`** first receives seed capital via **ChangeNOW**, then shortly after **bridges to Arbitrum through Across Pool**, pre-positioning liquidity on the target domain. This deliberate funding-and-bridging sequence reads as staging for the main operation rather than opportunistic movement.

<figure><img src="/files/FJTLSNUG4wbcLkgZ4pUY" alt=""><figcaption><p>Transactions show the exploiter receiving funds and soon bridging a portion via Across Protocol.</p></figcaption></figure>

<figure><img src="/files/rLtykiMm1tl1peWRZNxr" alt=""><figcaption><p>By decoding the bridge tx. using our AI investigator, we were able to verify the funds went to Arbitrum as initial funding; Tx (Ethereum): 0xc5157a78f4968c1f8ffc5b50f7c66a7d5b8db77fd6b2a8cec4c5e12e230ccf6a</p></figcaption></figure>

### September 22, 2025 at 2:45 PM UTC

Having become aware of the vulnerability, likely well in advance given the staging observed roughly a week prior, the exploiter struck both chains nearly simultaneously. Our AI Investigator’s reconstruction of the earliest transaction shows the attacker **seizing control of the multisig** by **removing the other three owners**, thereby transferring full execution authority to the attacker-controlled address.

<figure><img src="/files/vTPGfxpCP8OZYhHncGhO" alt=""><figcaption><p>Tx (Ethereum): 0x8130252ac8207e563d2bfd1ff6a496990630e9579f757f03c21ebb555b62df9e</p></figcaption></figure>

Similarly on Arbitrum, the exploiter proceeded to change ownership and, in subsequent transactions, invoked the UXLINK contract to mint tokens at scale.

<figure><img src="/files/OTEhCVRCQgIsRlD0zAB0" alt=""><figcaption><p>Transactions tab of Primary exploiter on Arbitrum</p></figcaption></figure>

### September 22, 2025 at 2:54 PM UTC

Once ownership was obtained, the first drain took place on Ethereum through two addresses that were also funded via ChangeNOW, `0xb819e6ae5a6668bb0ce02d64d130deca9ff83691` & `0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c`, draining nearly \~$12M in USDC, USDT, wBTC and ETH.

<figure><img src="/files/BKFM6oLHfOdRSFkfydee" alt=""><figcaption><p>Wallet profiler shows net token flows of <code>0xb819e6ae5a6668bb0ce02d64d130deca9ff83691</code></p></figcaption></figure>

### September 22, 2025 at \~3:00 PM UTC

Once control was consolidated across the exploiter’s addresses, unauthorized minting on Arbitrum began, initially in the millions and escalating to transactions minting **up to 10 trillion $UXLINK** (Tx: `0x702189323aa5ddbd839b077cc27cede0550abc106ab89084ea2e069505a87577`).

<figure><img src="/files/72IGkNdSR1qbPn0t5rTh" alt=""><figcaption><p>Wallet Profiler shows that minting and swaps were happening systematically. <br>Wallet profiler shows token transfers of one of the exploiter's early addresses: <code>0x9d3b2d0e7925ed46c4a767acebfa013f9ab7d7cd</code></p></figcaption></figure>

### September 22, 2025 at \~3:20 PM UTC

While tokens were being minted and swapped, the exploiter bridged the resulting ETH to Ethereum via **Across Pool and DeFiway**. To date, our tracing attributes **\~6,700 ETH (nearly $28M)** to this leg.

<figure><img src="/files/aeX5ArGdIGJfC545WzuR" alt=""><figcaption><p>Tracer shows bridging of ETH from Arbitrum to Ethereum.</p></figcaption></figure>

Meanwhile, the bridged funds were being swapped for DAI on Ethereum and transferred to consolidation addresses. We were able to successfully trace nearly $26.5 million worth of ETH bridged to Ethereum.

<figure><img src="/files/e1mkxc8pGM0VsjDJ2fAc" alt=""><figcaption></figcaption></figure>

### September 25, 2025 at 2:15 AM UTC

Nearly \~$41M worth of DAI and ETH is being held by ten addresses on Ethereum, waiting for the next move, while a majority of the funds are being seized by various institutions on Arbitrum.

The table below lists all the addresses holding funds on Ethereum:


#### Additional Information

Although this exploit was mainly active on Arbitrum and Ethereum, traces of the exploiter can be seen on Binance Smart Chain too, with some activity involving nearly $27K worth of assets in BUSDC, KILO and SOLV.

<figure><img src="/files/2Xu48uaM1hkwGiYmzOMX" alt=""><figcaption></figcaption></figure>

## Advanced Forensics and Monitoring

Industry estimates for realized losses range widely (**\~$11.6M**, **\~$31M**, even **\~$45M**) because methodologies and considerations differ. Our ledger-level attribution, constrained to realized proceeds under attacker control, confirms **\~$41M** to date. Every address in scope has been vetted with **cluster analysis** and **counterparty screening** to exclude third-party, victim, or scam wallets from the totals.

In the first visualization below, two coherent clusters emerge:

* a **funding cluster** seeded via **ChangeNOW**, comprising the primary exploiter and auxiliaries;
* a **bridging cluster** receiving inflows from **Arbitrum** through Across Pool & DeFiway.

<figure><img src="/files/XbaxTt3drueAETXYK2MO" alt=""><figcaption></figcaption></figure>

The second view links roles to behavior: the **right-hand cluster** maps to the **multisig drains**, while the **left-hand cluster** aggregates **bridged proceeds**, with both ultimately **consolidating into fresh holding wallets**. This separation of **drain vs. bridge roles** explains the variance in public tallies and underpins our stricter, realized-only accounting.

<figure><img src="/files/VhyJJfY2abOK3okc0axm" alt=""><figcaption></figcaption></figure>

### Continuous Monitoring

We have monitored this incident from day one and deployed **Blockscope Watchtower** coverage on all 10 current holding addresses. Track live movements, labels, and alerts here:

**Public Watchtower:** [**https://www.blockscope.co/community/watchtowers/68d466735e4e2b61e527142a**](https://www.blockscope.co/community/watchtowers/68d466735e4e2b61e527142a)

## Conclusion

The lone bright spot in this incident is UXLINK’s **measured, transparent communication**. Despite the lapse, the team has consistently acknowledged responsibility, issued frequent status updates, and taken pragmatic steps to protect user funds and stabilize the project. As of today, they report that a majority of the unauthorized tokens have been seized and that [new, audited contracts are deployed](https://x.com/UXLINKofficial/status/1971017352058974395), signals of a disciplined recovery posture rather than damage control.

<figure><img src="/files/P8He8mtY9XBb8o2dEhna" alt=""><figcaption><p><a href="https://x.com/UXLINKofficial/status/1971017352058974395">https://x.com/UXLINKofficial/status/1971017352058974395</a></p></figcaption></figure>

This was one of the most eventful security incidents in recent memory: chaotic flows, an exploiter who was phished mid-operation, and hours of uncertainty. Moments like this are exactly where firms like **Blockscope** add value: real-time on-chain monitoring, advanced forensics, and disciplined attribution that separates signal from noise. These capabilities don’t just explain what happened; they help stakeholders contain exposure, coordinate response, and harden controls for the next attempt. That is the difference between being surprised by an incident and staying ahead of it.

**Written by**: [Tushar Tiwari](https://in.linkedin.com/in/tushar-tiwari-1380271b7), Blockchain Forensics Analyst @ Blockscope

For more information, please reach out to us at **<hello@blockscope.tech>**

<figure><img src="/files/aeu7GIwSYKRQCgpA01DE" alt=""><figcaption></figcaption></figure>

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

* The data used in this investigation may contain inaccuracies, omissions, or errors.
* Information sources may be incomplete or subject to change.
* New evidence may emerge that could alter the conclusions.
* Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.


