By Frank, PANews
On September 22, the cryptocurrency market, still chilled by that day's sudden slump, was hit by a second frost after dark.
On the evening of September 22nd, the highly anticipated SocialFi project UXLINK was hacked. The attackers exploited a contract vulnerability to steal $4 million from the project's treasury, minted a whopping 10 trillion tokens, and then conducted a massive on-chain sell-off to siphon off funds, ultimately profiting over $11 million. The news immediately shattered market confidence: the UXLINK token fell by over 80% within hours, and its market capitalization dropped from a high of approximately $140 million to $16.8 million. Just 24 hours later, on the evening of September 23rd, SFUND, the native token of the long-established launchpad platform Seedify.fund, was also hit. Its cross-chain bridge treasury was drained of over $1.7 million worth of assets, sending SFUND's price to a new all-time low and wiping out over $10 million in market capitalization.
Over the course of two days, two seemingly unrelated projects saw a combined market capitalization of over $100 million wiped out by targeted hacker attacks. This has forced everyone in the crypto industry, investors included, to ask: beyond volatile market cycles, are security vulnerabilities buried deep in the code the true sword of Damocles hanging over the crypto world?
UXLINK's "Thunderbolt in the Daytime": A Deadly Game of Permissions
The UXLINK crash was a typical "internal explosion" caused by a smart contract permission vulnerability. The entire incident unfolded like a carefully choreographed tech crime movie: swift and deadly.
The root cause of the incident was an overlooked "master key." Analysis revealed that the attacker's first move was a delegateCall transaction that removed the legitimate administrator role from the UXLINK contract and added a new multi-signature owner controlled by the attacker.
According to Cyvers Alerts, after gaining full administrative control, the hackers immediately began transferring assets from UXLINK's treasury wallet. Initially, the stolen assets included approximately $4 million in USDT, $500,000 in USDC, 3.7 WBTC, and 25 ETH. This move secured immediate and guaranteed profits for the attackers.
The attacker then entered the most destructive phase: unauthorized token minting. On-chain data shows that the attacker created a staggering 10 trillion new UXLINK tokens, which completely destroyed market confidence. Although UXLINK quickly responded by asking several major CEXs to suspend trading, the on-chain price collapsed under the massive issuance, falling to a price quoted only at the sixth decimal place before nearly reaching zero. A scenario similar to LUNA's unlimited issuance was repeated.
As of September 23, according to the on-chain price, UXLINK's market value was approximately US$80.
Armed with a virtually unlimited supply of UXLINK tokens, the attackers began a systematic sell-off across major decentralized exchanges. To obscure the trail, they used at least six different wallets to swap the newly minted UXLINK tokens for higher-value assets. On-chain analytics firm Lookonchain reported that the attackers obtained at least 6,732 ETH from these sales, valued at approximately $28.1 million at the time. However, social media is divided over how to count these proceeds, with several security firms, and UXLINK itself, citing a loss of $11.3 million.
Whichever figure is used, the losses suffered by the community are more severe still. Before the crash, UXLINK's market capitalization was approximately $150 million. At its lowest price, the market capitalization shown on centralized exchanges fell to $16 million, meaning the community lost approximately $100 million in market capitalization.
During this process, many users mistakenly believed that the hackers would stop after stealing the vault's assets and therefore attempted to buy the dip. On social media, many users shared that they had hoped to capitalize on a rebound by buying spot or opening long positions, only to suffer losses exceeding 99%. The largest single address, with over $900,000 invested, ultimately lost 99.8%.
The star project is facing its darkest moment. Where will UXLINK go?
The day before the attack, UXLINK's official account had tweeted, "Something big is about to happen", which turned out to be an unwitting prophecy.
Following the incident, UXLINK officials responded quickly, stating they had contacted multiple CEX exchanges to suspend UXLINK trading and would initiate a token swap. However, due to the inability to reclaim contract permissions, they were unable to prevent the hackers from issuing trillions of tokens. This severe blow will pose significant challenges to UXLINK's community confidence and ecosystem development.
Before the attack, UXLINK was one of the most popular projects of this cycle, particularly in the Korean market, where its influence could not be underestimated. As a social networking platform, UXLINK leveraged its unique "acquaintance-based social interaction" and group-building model to rapidly build a massive user base. According to public information, the project has raised over $9 million in funding, with many well-known investors.
UXLINK regards South Korea as its core market and has invested a lot of resources in localized operations and marketing, accumulating a large number of real users. According to official data, UXLINK has achieved the milestone of over 10 million registered users in 2024.
UXLINK subsequently successfully listed on Upbit, South Korea's largest regulated exchange, and has repeatedly topped the daily trading rankings on Upbit and Bithumb, two major Korean exchanges. UXLINK also successfully launched perpetual contracts on Binance, further expanding its global influence.
After the attack, the UXLINK team stated that it would develop a new token swap plan and provide compensation to affected users through methods such as snapshots. However, the road ahead is still full of thorns.
The biggest challenge lies in rebuilding trust and in the exchanges' stance. For compliant exchanges like Upbit, the stability and security of the token economic model are key considerations for listing and maintaining trading pairs, and there are numerous precedents for delisting after similar incidents. For example, Pundi AI (PUNDIX) was hacked, resulting in an abnormal increase in token issuance; Upbit and other compliant Korean exchanges ultimately terminated trading support for the token, citing "untimely information disclosure."
UXLINK currently faces a similar situation. If its new token proposal fails to convince Upbit and other exchanges that it can fully address the vulnerability and restore a healthy economic model, delisting is highly likely. Without liquidity in its core markets, UXLINK's comeback will be even more challenging.
Coincidentally, SFUND’s warning and the industry’s reflection
Just as the market was still digesting the impact of the UXLINK incident, on the evening of September 23, the theft of SFUND, the governance token of Seedify.fund, a Web3 project incubation and launch platform, once again sounded the alarm for the entire industry.
The SFUND attack followed exactly the same pattern as UXLINK's. According to Specter's disclosure, the SFUND attackers obtained permissions on Base and then minted additional tokens, with a maximum issuance of 3 × 10^24 tokens.
Subsequently, 10 billion tokens were minted on the BSC chain and sold for $1.2 million worth of ETH. Earlier reporting indicates that this attacker has a clear connection to the former North Korean hacker group Serenity Shield.
While the amount stolen this time was relatively small, the impact on market confidence was significant. Within 15 minutes, the price of SFUND plummeted 73%, with its market capitalization dropping from $27 million to a low of $11 million. The scenario is highly similar to the UXLINK attack, but it's unclear whether this was a coincidence or whether both attacks were carried out by the same hacker group.
Although full security reports for the two incidents have not yet been released, some lessons are already clear. Both incidents trace back to issues with contract permissions and the token-minting switch.
When issuing the warning, the founder of SFUND stressed that the contract had been audited and had been running for three years. This shows that audits are no panacea: a routine audit may not uncover every deep logical vulnerability, so continuous security audits and code reviews are crucial.
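Both incidents come down to two design questions the article raises: who can change the administrator, and whether minting is bounded. The following Solidity is an added illustration for this article, not UXLINK's or Seedify's code, and it does not model the specific delegateCall vector, which the reports so far do not detail. It places a minimal token with a single mutable owner and an uncapped mint beside a hardened variant with a hard supply cap, a per-window mint limit, a separate minter role, an irreversible "minting finished" switch, and a two-step, time-delayed owner handover. All contract names, cap, limit and delay values are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not any project's real contract. Names and numbers are assumed.

/// Weak pattern: whoever holds `owner` can hand the key over in one call and mint
/// without limit. A captured owner can mint 10 trillion tokens in a single transaction.
contract WeakMintToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() { owner = msg.sender; }

    function setOwner(address newOwner) external {      // no delay, no second step
        require(msg.sender == owner, "not owner");
        owner = newOwner;
    }

    function mint(address to, uint256 amount) external { // no cap, no switch
        require(msg.sender == owner, "not owner");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Hardened variant: minting is bounded by an absolute cap and a rolling window,
/// can be switched off permanently, and owner changes are two-step and timelocked
/// so a takeover is visible on-chain before it takes effect.
contract CappedMintToken {
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18;       // assumed cap
    uint256 public constant MINT_WINDOW = 1 days;                 // assumed
    uint256 public constant MINT_LIMIT_PER_WINDOW = 1_000_000e18; // assumed
    uint256 public constant OWNER_DELAY = 2 days;                 // assumed

    address public owner;
    address public minter;
    address public pendingOwner;
    uint256 public ownerChangeReadyAt;
    bool public mintingFinished;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    uint256 private windowStart;
    uint256 private mintedInWindow;

    event OwnerHandoverProposed(address indexed pending, uint256 readyAt);
    event OwnerChanged(address indexed previous, address indexed current);
    event MinterChanged(address indexed previous, address indexed current);
    event MintingFinished();
    event Minted(address indexed to, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address initialMinter) {
        owner = msg.sender;
        minter = initialMinter;
    }

    // Step 1: the current owner names a successor; nothing changes yet, and the
    // emitted event gives monitors OWNER_DELAY to react before step 2 is possible.
    function proposeOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        pendingOwner = newOwner;
        ownerChangeReadyAt = block.timestamp + OWNER_DELAY;
        emit OwnerHandoverProposed(newOwner, ownerChangeReadyAt);
    }

    // Step 2: only the named successor can accept, and only after the delay.
    function acceptOwner() external {
        require(msg.sender == pendingOwner, "not pending owner");
        require(block.timestamp >= ownerChangeReadyAt, "timelock active");
        emit OwnerChanged(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }

    function setMinter(address newMinter) external onlyOwner {
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    // The minting switch: one-way, so a later admin takeover cannot reopen it.
    function finishMinting() external onlyOwner {
        mintingFinished = true;
        emit MintingFinished();
    }

    // Mint is bounded three times: by the switch, the absolute cap and the window.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(!mintingFinished, "minting finished");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        if (block.timestamp >= windowStart + MINT_WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= MINT_LIMIT_PER_WINDOW, "rate limit");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount);
    }
}
```

The point of the hardened version is that none of its limits depend on the owner staying honest: the cap and the finished flag are enforced in code, the per-window limit turns a one-transaction 10-trillion mint into something that would take far longer than the handover delay, and the `OwnerHandoverProposed` event is the on-chain signal an auditor, exchange or monitoring service can alert on before any minting power changes hands.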
However, users lack the ability to review contracts and their operational logic, so avoiding pitfalls has become a science in itself. A simpler approach is to set the necessary stop-loss orders, even when holding spot, so that a black swan event cannot wipe out everything.
Secondly, in both incidents many users who gambled on a lucky dip ended up with heavy losses. This practice amounts to dancing on a knife's edge and is not advisable.
Furthermore, the "snapshot coin swap" scheme proposed by the project typically means recording all user holdings at a point in time before the attack, issuing a new coin, and distributing it to users in proportion to those holdings. This scheme is essentially a last-ditch effort and does not guarantee full recovery of losses.
From UXLINK to SFUND, within two days, we witnessed how code vulnerabilities, like falling dominoes, can instantly destroy a project's value and ecosystem. This proves once again that in the dark forest of crypto, security is always the "1," while brand, community, and market capitalization are the "0s" behind it. Without security, everything else is meaningless. Project owners must treat every line of code with the utmost reverence. Investors, while pursuing high returns, must prioritize potential security risks in their decision-making. Otherwise, the next zero could be just around the corner.