UXLink Exploit Analysis

Summary
On September 22, 2025, UXLINK officially disclosed through X that their protocol had suffered a critical security breach involving their multi-signature wallet infrastructure, confirming an active exploit targeting the platform's core treasury systems. Within minutes of this disclosure, Blockscope's forensic team initiated comprehensive on-chain tracing operations across Ethereum and Arbitrum, systematically mapping the initial theft vectors and asset movement patterns that would soon reveal the sophisticated nature of this attack.
What initially appeared as a conventional multisig wallet compromise rapidly escalated into a multi-stage exploit when the attacker leveraged a delegateCall vulnerability to escalate administrative privileges, subsequently minting more than 10 trillion unauthorized UXLINK tokens before systematically draining liquid assets worth millions through coordinated bridge operations and DEX/CEX liquidation pathways.
Based on Blockscope's comprehensive ledger-level forensic analysis, over $41 million in assets have been confirmed as successfully stolen by the exploiters through systematic token minting, direct treasury drainage, and strategic conversion operations across multiple blockchain networks.
UXLINK, a Web3 social infrastructure platform serving 55M+ users with AI-powered Social Growth and Graph IP, went from steady momentum to a cautionary tale on September 22 after a smart-contract error triggered catastrophic liquidity depletion and a ~70% token collapse, shattering market confidence. This investigation reconstructs the exploit end-to-end: technical forensics, on-chain flows, and remediation, and extracts practitioner-grade lessons for DeFi security.

Decoding the Exploit
The UXLINK exploit originated from a critical delegateCall vulnerability within the protocol's multi-signature wallet infrastructure, which allowed external callers to execute arbitrary code within the wallet's security context and bypass all intended access controls. The attacker systematically leveraged this flaw to execute a sophisticated privilege escalation attack, using delegateCall to remove existing administrative roles and invoke the "addOwnerWithThreshold" function, effectively installing themselves as the authorized wallet owner with unrestricted access to all treasury functions. Using the Contract Analysis and Transaction Decoder tools, we were able to see how the Primary Exploiter 0x2ef43c1d0c88c071d242b6c2d0430e1751607b87 leveraged the flaw, eventually removing all the owners of the multisigs.

This initial breach resulted in the immediate drainage of ~$12 million in liquid assets across the Ethereum and Arbitrum networks, including $4 million in USDT, $500,000 in USDC, 3.7 wrapped Bitcoin, and 25 ETH, alongside millions of native UXLINK tokens from the compromised multisig wallets.
The exploit's second phase saw the exploiter mint trillions of unauthorized UXLINK tokens, mostly on Arbitrum, quickly convert the stolen assets and $UXLINK into DAI and eventually into nearly 6,700 ETH (worth nearly $28 million), and bridge the proceeds from Arbitrum to the Ethereum mainnet using Across Protocol and Defiway.

Post-bridge, the attacker consolidated value into ETH, wBTC and DAI on Ethereum by executing rapid swaps across DEXs, mainly leveraging Cowswap; at the time of writing, the exploiter is holding all the funds on Ethereum.
However, in a remarkable twist of irony, the attacker was themselves phished mid-operation: during the asset shuffling they unknowingly approved a malicious phishing contract controlled by the Inferno Drainer network, resulting in the loss of ~542 million UXLINK tokens worth approximately $48 million.

On-Chain Activity
The exploiter executed a near-simultaneous multisig takeover on Ethereum and Arbitrum, first pruning signers (via removeOwner-style updates) to seize execution control and open transfer/mint vectors. On Arbitrum, the adversary immediately minted unauthorized $UXLINK at extreme scale (in the trillions), while also draining some crypto, as illustrated in Tracer 1.
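The owner-pruning and mass-mint sequence described in the Decoding section and above is exactly what a treasury monitor should alert on. The following is an added example (not Blockscope's tooling) that replays a constructed stream of Gnosis Safe-style owner events and ERC-20 mints and raises alerts for an unvetted signer, single-key control, full replacement of the original owner set, and an outsized mint; the signer names, amounts, tx ids and the 5% mint threshold are assumptions, while the primary exploiter address comes from this report.

```python
# Added example, not Blockscope's tooling: replay a constructed event stream and flag
# the takeover pattern described above (new signer added, other signers pruned, then
# outsized minting). Event names mirror Gnosis Safe's AddedOwner/RemovedOwner/
# ChangedThreshold and ERC-20 Transfer from the zero address; signers, amounts and tx
# ids are constructed, not chain data.
ZERO = "0x" + "00" * 20
MINT_RATIO = 0.05  # assumption: one mint above 5% of known supply is anomalous
OWNER_EVENTS = {"AddedOwner", "RemovedOwner", "ChangedThreshold"}
ATTACKER = "0x2ef43c1d0c88c071d242b6c2d0430e1751607b87"  # primary exploiter per the report
SIGNERS = ["0xSIGNER_A", "0xSIGNER_B", "0xSIGNER_C"]  # constructed original owners

def replay(events, initial_owners, threshold, supply):
    """Return ordered, de-duplicated (alert, detail) tuples for one multisig/token pair."""
    owners, original = set(initial_owners), set(initial_owners)
    alerts, seen = [], set()

    def alert(kind, detail):
        if kind not in seen:
            seen.add(kind)
            alerts.append((kind, detail))

    for ev in events:
        kind = ev["event"]
        if kind == "AddedOwner":
            owners.add(ev["owner"])
            if ev["owner"] not in original:  # signer outside the vetted set
                alert("unvetted_owner_added", ev["owner"])
        elif kind == "RemovedOwner":
            owners.discard(ev["owner"])
        elif kind == "ChangedThreshold":
            threshold = ev["threshold"]
        elif kind == "Transfer" and ev["from"] == ZERO:  # mint
            if supply and ev["value"] > MINT_RATIO * supply:
                alert("mint_spike", ev["tx"])
            supply += ev["value"]
        if kind in OWNER_EVENTS:
            if threshold <= 1 or len(owners) <= 1:  # one key now suffices
                alert("single_signer_control", f"owners={len(owners)} threshold={threshold}")
            if not owners & original:  # every original signer removed
                alert("original_owners_replaced", ",".join(sorted(owners)))
    return alerts

# Constructed stream mirroring the report: attacker added, threshold dropped, three
# signers removed, a modest mint, then a 10-trillion-token mint (18 decimals assumed).
SAMPLE_EVENTS = (
    [{"event": "AddedOwner", "owner": ATTACKER}, {"event": "ChangedThreshold", "threshold": 1}]
    + [{"event": "RemovedOwner", "owner": s} for s in SIGNERS]
    + [{"event": "Transfer", "from": ZERO, "to": ATTACKER, "value": 10**7 * 10**18, "tx": "0xTX_MINT_1"},
       {"event": "Transfer", "from": ZERO, "to": ATTACKER, "value": 10**13 * 10**18, "tx": "0xTX_MINT_2"}])

def demo():
    return replay(SAMPLE_EVENTS, SIGNERS, 2, 10**9 * 10**18)  # constructed 1B token supply
```

Running demo() yields four alerts in order: the unvetted owner, single-signer control once the threshold hits 1, original owners replaced after the third removal, and the mint spike on the second mint only (the first is under 5% of supply).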

In parallel on Ethereum, the Primary Exploiter initiated the treasury drain; Tracer 2 traces early inflows into 0xb819e6ae5a6668bb0ce02d64d130deca9ff83691 and 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c, which aggregate roughly $12M across USDC, USDT, WBTC, and ETH, reflecting a coordinated siphon rather than opportunistic dust collection.

With mint pressure established, the exploiter shifted into consolidation and egress. The strategy was straightforward: dump UXLINK → acquire ETH → bridge to Ethereum for deeper liquidity and broader off-ramps. This leg leveraged multiple DEX routes and DeFi primitives to minimize price impact and MEV capture while obscuring deterministic paths, as shown in Tracer 3.

After landfall on Ethereum, flows show a defensive rebasing into DAI-ETH positions to reduce volatility, freezing, and slippage risk ahead of CEX attempts or further routing. The resulting stack now fans out across ~10 holding addresses, as shown in Tracer 4, a classic distribution pattern that balances fragmentation with operational control.

Breakdown and Timeline
September 16, 2025 at 10:59 AM UTC
The primary exploiter 0x2ef43c1d0c88c071d242b6c2d0430e1751607b87 first receives seed capital via ChangeNOW, then shortly after bridges to Arbitrum through Across Pool, pre-positioning liquidity on the target domain. This deliberate funding-and-bridging sequence reads as staging for the main operation rather than opportunistic movement.


September 22, 2025 at 2:45 PM UTC
Once aware of the vulnerability, likely well in advance, given the staging observed roughly a week prior, the exploiter struck both chains nearly simultaneously. Our AI Investigator’s reconstruction of the earliest transaction shows the attacker seizing control of the multisig by removing the other three owners, thereby transferring full execution authority to the attacker-controlled address.

Similarly on Arbitrum, the exploiter proceeded to change ownership and, in subsequent transactions, invoked the UXLINK contract to mint tokens at scale.

September 22, 2025 at 2:54 PM UTC
Once ownership was obtained, the first drain happened on Ethereum via two addresses that were also funded by ChangeNOW, 0xb819e6ae5a6668bb0ce02d64d130deca9ff83691 and 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c, draining nearly $12M in USDC, USDT, wBTC and ETH.

September 22, 2025 at ~3:00 PM UTC
Once control was consolidated across the exploiter's addresses, unauthorized minting on Arbitrum began, initially in the millions and escalating to transactions minting up to 10 trillion $UXLINK. (Tx: 0x702189323aa5ddbd839b077cc27cede0550abc106ab89084ea2e069505a87577)

September 22, 2025 at ~3:20 PM UTC
While tokens were being minted and swapped, the exploiter bridged the resulting ETH to Ethereum via Across Pool and DeFiway. To date, our tracing attributes ~6,700 ETH (nearly $28M) to this leg.

Meanwhile the bridged funds were being swapped for DAI on Ethereum, and being transferred to consolidation addresses. We were able to successfully trace nearly $26.5 Million worth of ETH bridged to Ethereum.

September 25, 2025 at 2:15 AM UTC
Nearly $41M worth of DAI and ETH is being held by ten addresses on Ethereum, waiting for the next move, while a majority of the funds on Arbitrum are being seized by various institutions.
The table below lists all the addresses holding funds on Ethereum:
Additional Information
Although this exploit was mainly active on Arbitrum and Ethereum, traces of the exploiter can also be seen on Binance Smart Chain, with roughly $27K worth of activity in BUSDC, KILO and SOLV.

Advanced Forensics and Monitoring
Industry estimates for realized losses range widely (~$11.6M, ~$31M, even ~$45M) because methodologies and considerations differ. Our ledger-level attribution, constrained to realized proceeds under attacker control, confirms ~$41M to date. Every address in scope has been vetted with cluster analysis and counterparty screening to exclude third-party, victim, or scam wallets from the totals.
In the first visualization below, two coherent clusters emerge:
a funding cluster seeded via ChangeNOW, comprising the primary exploiter and auxiliaries;
a bridging cluster receiving inflows from Arbitrum through Across Pool & DeFiway.

The second view links roles to behavior: the right-hand cluster maps to the multisig drains, while the left-hand cluster aggregates bridged proceeds, with both ultimately consolidating into fresh holding wallets. This separation of drain vs. bridge roles explains the variance in public tallies and underpins our stricter, realized-only accounting.

Continuous Monitoring
We have monitored this incident from day one and deployed Blockscope Watchtower coverage on all 10 current holding addresses. Track live movements, labels, and alerts here:
Public Watchtower: https://www.blockscope.co/community/watchtowers/68d466735e4e2b61e527142a
Conclusion
The lone bright spot in this incident is UXLINK's measured, transparent communication. Despite the lapse, the team has consistently acknowledged responsibility, issued frequent status updates, and taken pragmatic steps to protect user funds and stabilize the project. As of today, they report that a majority of the unauthorized tokens have been seized and that new, audited contracts are deployed, which signals a disciplined recovery posture rather than damage control.
This was one of the most eventful security incidents in recent memory: chaotic flows, an exploiter who was phished mid-operation, and hours of uncertainty. Moments like this are exactly where firms like Blockscope add value: real-time on-chain monitoring, advanced forensics, and disciplined attribution that separates signal from noise. These capabilities don't just explain what happened; they help stakeholders contain exposure, coordinate response, and harden controls for the next attempt. That is the difference between being surprised by an incident and staying ahead of it.
Written by: Tushar Tiwari, Blockchain Forensics Analyst @ Blockscope
For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Investigation
This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:
The data used in this investigation may contain inaccuracies, omissions, or errors.
Information sources may be incomplete or subject to change.
New evidence may emerge that could alter the conclusions.
Analysis and interpretations are based on current understanding and may evolve.
We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.