Losses exceed $10 million, analysis of the UXLINK security incident vulnerability and tracking of stolen funds.

Original Author: Beosin

Reprint: White55, Mars Finance

On September 23, UXLINK was attacked due to the leakage of the multi-signature wallet private key. The attacker minted UXLINK tokens and sold them for a profit of over $11.3 million. The Beosin security team conducted a vulnerability analysis and fund tracking for this attack incident, and the results are shared as follows:

Event Review

The UXLINK project contract was compromised due to a private key leak, leading to the attacker's address being added as a multi-signature account for the contract and the removal of the original multi-signature accounts. Additionally, the contract's signing threshold was reset to 1, allowing the attacker's address to execute contract operations with just its signature, giving the attacker complete control over the contract. Subsequently, the attacker began to mint additional UXLINK tokens and sell them for profit.

The attacker minted tokens 5 times, using three addresses to receive tokens: 0xeff9cefdedb2a34b9e9e371bda0bf8db8b7eb9a7, 0x2ef43c1d0c88c071d242b6c2d0430e1751607b87, and 0x78786a967ee948aea1ccd3150f973cf07d9864f3 to exchange UXLINK tokens for ETH and DAI through swapping, transferring, and cross-chain activities, storing them on the ETH chain address.

Stolen fund tracking

The following is an analysis by the Beosin security team on the main flow of funds in this security incident:

ARBITRUM chain

Hacker address: 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c

Stolen address: 0xCe82784d2E6C838c9b390A14a79B70d644F615EB

Amount stolen: approximately 904,401 USDT

After stealing the funds, the hacker exchanged 904,401 USDT for 215.71 ETH and transferred the ETH to the Ethereum address 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c through cross-chain.

Ethereum chain

Hacker address: 0x6385eb73fae34bf90ed4c3d4c8afbc957ff4121c

Stolen addresses: 0x4457d81a97ab6074468da95f4c0c452924267da5, 0x8676d208484899f5448ad6e8b19792d21e5dc14f, 0x561f7ced7e85c597ad712db4d73e796a4f767654

Stolen funds approximately: 25.27 ETH, 5,564,402.99 USDT, 3.7 WBTC, 500,000 USDC

After stealing the funds, the hacker exchanged 5,564,402.99 USDT and 500,000 USDC for 6,068,370.29 DAI, and finally consolidated the funds to the address 0xac77b44a5f3acc54e3844a609fffd64f182ef931, which currently has a balance of: 240.99 ETH, 6,068,370.29 DAI, 3.7 WBTC.

The main capital flow between Ethereum and Arbitrum is shown in the figure below:

According to Beosin Trace analysis, all the stolen funds are still held in multiple addresses of the attacker.

Beosin Trace has blacklisted all addresses related to the attacker and is continuously tracking them. Below is the current balance status of the addresses related to the attacker: