In April 2025, the open-source crypto-payments project UPCX lost approximately $70 million when an attacker gained access to a privileged admin account and used it to deploy a malicious contract upgrade.
What happened
UPCX's protocol contracts were upgradeable, with the upgrade authority gated behind a specific admin role. The attacker compromised that admin account — the exact vector was not publicly disclosed, but credential or key exposure is consistent with the pattern — and pushed a malicious implementation that re-routed treasury balances to attacker-controlled addresses.
Because the upgrade was authorised by the legitimate admin signing path, the on-chain action looked superficially identical to a routine upgrade. The malicious implementation went live, drained the treasury, and was rolled back only after the loss was visible.
Aftermath
- UPCX paused its contracts and began emergency response.
- The team rotated admin keys, audited the upgrade surface and migrated to a multi-sig + timelock governance pattern for future upgrades.
- Funds were laundered; no public recovery.
Why it matters
UPCX is a textbook example of why upgradeable contracts must not have single-key upgrade authority. The standard mitigation — multi-sig with a timelock — is well known, but it adds operational friction and is regularly skipped by early-stage projects optimising for shipping speed. UPCX paid roughly $70M for that shortcut.
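The multi-sig with timelock pattern named above, modelled off-chain in Python as an added example (it is not UPCX's code or any real contract API). The signer names, the threshold, the delay and the `impl-*` identifiers are constructed assumptions.

```python
# Simplified off-chain model of a multi-sig + timelock upgrade gate.
# All names are hypothetical; this is not UPCX's code or a real contract API.

class UpgradeGate:
    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay                # seconds between quorum and execution
        self.implementation = "impl-v1"   # constructed placeholder
        self.pending = {}                 # new_impl -> {"approvals": set, "eta": int or None}

    def approve(self, signer, new_impl, now):
        if signer not in self.signers:
            raise PermissionError("not an authorised signer")
        p = self.pending.setdefault(new_impl, {"approvals": set(), "eta": None})
        p["approvals"].add(signer)        # a set: repeat approvals by one key count once
        if p["eta"] is None and len(p["approvals"]) >= self.threshold:
            p["eta"] = now + self.delay   # timelock starts only once quorum is met
        return p["eta"]

    def cancel(self, signer, new_impl):
        # Any single signer can veto a queued upgrade during the delay window.
        if signer not in self.signers:
            raise PermissionError("not an authorised signer")
        return self.pending.pop(new_impl, None) is not None

    def execute(self, new_impl, now):
        p = self.pending.get(new_impl)
        if p is None or p["eta"] is None:
            raise PermissionError("upgrade lacks quorum")
        if now < p["eta"]:
            raise PermissionError("timelock has not elapsed")
        del self.pending[new_impl]
        self.implementation = new_impl
        return self.implementation


def single_key_attempt(gate, stolen_key, new_impl, now):
    """One compromised key tries to approve and execute an upgrade at once."""
    gate.approve(stolen_key, new_impl, now)
    try:
        gate.execute(new_impl, now)
        return "upgraded"
    except PermissionError as exc:
        return f"blocked: {exc}"
```

With a threshold of 2 or more, one stolen key cannot reach quorum, and even a quorum leaves the delay window in which any signer can cancel a queued upgrade.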
Sources & on-chain evidence
- [01] protos.com: https://protos.com/2025s-biggest-crypto-hacks-from-exchange-breaches-to-defi-exploits/
- [02] halborn.com: https://www.halborn.com/blog/post/year-in-review-the-biggest-defi-hacks-of-2025