UXLink Hack Shows Need for Timelocks, Hardcoded Caps and Audits

Decentralized social platform UXLink said on Wednesday it was deploying a new Ethereum contract after a multisignature wallet exploit allowed attackers to mint billions of unauthorized tokens and crash the value of its native asset.

UXLink said its new smart contract had passed a security audit and would be deployed on the Ethereum mainnet. The project said the new contract dropped the mint-burn function to prevent any similar incidents in the future. 

The project confirmed the breach on Tuesday, saying that a significant amount of crypto was transferred to exchanges. Estimates of the losses from the hack vary, with Cyvers Alerts estimating it saw at least $11 million stolen, and Hacken placing the figure at more than $30 million. 

What is clear is that the incident highlighted smart contract security flaws that projects should address. Marwan Hachem, co-founder and CEO of Web3 security firm FearsOff, told Cointelegraph that the incident highlighted the risks of rushing ahead without the necessary security layers. 

UXLink exploit highlights “centralized control” risks

Attackers took control of UXLink’s smart contract through a multisignature wallet breach and initially minted 2 billion UXLINK tokens. The token’s price dropped 90% from $0.33 to $0.033 as the attacker continued minting, with security firm Hacken estimating nearly 10 trillion tokens were created.

Hachem told Cointelegraph that the UXLink breach came from a delegate call vulnerability in their multisignature wallet. This allowed the hacker to run arbitrary code and take over the administrative control of the contract. He added that this led to the minting of unauthorized tokens.

“This really spotlights some design flaws in UXLink’s setup,” Hachem told Cointelegraph. “A multisignature wallet that wasn’t properly shielded from delegate call exploits, lax controls on who could mint and no built-in code to enforce the supply cap.”

Hachem said this showed how risky it was to “keep too much centralized control in projects that claim to be decentralized.”

Related: Crypto.com says report of undisclosed user data leak ‘unfounded’

The need for timelocks, hardcoded caps and better audits

From a technical standpoint, Hachem said the UXLink hack could have been avoided with a few standard safeguards. 

This included adding timelocks to sensitive actions like minting new tokens or changing contract ownership. “A 24 to 48-hour delay gives the community a chance to spot anything unusual before it goes through,” Hachem said. 

The second solution included renouncing minting privileges once the tokens were launched, so that not even insiders could create more. Hachem said hard-coding supply caps directly on smart contracts would prevent risks of new tokens being minted. 

On the operational side, Hachem stressed the importance of independent reviews and ongoing transparency.

“You can’t just audit the token contract. The multisig setup needs scrutiny, too,” he said, urging projects to make wallet addresses public and require multiple signers on every transaction. 

The broader lesson, according to Hachem, was that even commonly used tools like multisig wallets shouldn’t be treated as bulletproof. He said pushing for more decentralized governance and emergency stops for critical functions were also of utmost importance. 

“UXLink’s incident highlights that rushing ahead without solid and ongoing security can shatter community confidence. Better to layer up defenses from the start,” Hachem told Cointelegraph.