In September 2025, the AI-flavored Web3 social protocol UXLINK lost approximately $41 million after attackers compromised the project's multi-signature wallet and used a delegatecall in a privileged contract to extract treasury funds.
What happened
UXLINK's treasury and admin functions were controlled by a multi-signature wallet. The attackers obtained the private keys for that wallet; the specific vector was not publicly disclosed, but the on-chain pattern (transactions signed by the legitimate signers, no UI-deception artifacts) is consistent with direct key compromise rather than a frontend-based attack.
Once they had the keys, they exploited an unrestricted delegatecall in a privileged contract. Because delegatecall executes the target contract's code in the caller's context (the caller's storage, balance and address, with msg.sender preserved), the attacker could point it at a contract they controlled and have that code run with the privileges of the trusted multi-sig: moving any asset, granting any role, calling any external function.
Aftermath
- UXLINK paused the multi-sig and triggered an emergency token migration.
- The team published a post-mortem and rotated all administrative keys.
- Funds were laundered through cross-chain bridges.
Why it matters
delegatecall remains one of the most dangerous primitives in EVM design: it routinely turns a contract that should be inert into a fully programmable execution shell for whoever can reach it. Best practice is never to expose a privileged delegatecall whose target or calldata the caller controls. UXLINK is one of several 2025 incidents that reaffirmed the rule.
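As an added illustration of that rule (not UXLINK's code; the contract and function names are hypothetical), the weak pattern is shown beside a hardened one: the target is pinned to a single audited implementation, and changing it requires a visible on-chain delay instead of one signed transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts for illustration; not UXLINK's deployment.

// Weak pattern: the privileged caller picks both the target and the
// calldata. delegatecall runs the target's code with this contract's
// storage, balance and address, so whoever holds the owner key can
// rewrite any storage slot or move any asset this contract controls.
contract WeakAdmin {
    address public owner;
    constructor(address _owner) { owner = _owner; }

    function execute(address target, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = target.delegatecall(data);   // unrestricted target
        require(ok, "delegatecall failed");
    }
}

// Hardened pattern: the only delegatecall target is one audited
// implementation fixed at deployment, and swapping it goes through a
// delay, so a compromised key cannot instantly install attacker code.
contract HardenedAdmin {
    address public owner;
    address public impl;          // audited logic; the only delegatecall target
    address public pendingImpl;
    uint256 public upgradeEta;
    uint256 public constant DELAY = 2 days;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(address _owner, address _impl) { owner = _owner; impl = _impl; }

    // Caller chooses calldata only; the code that runs is always `impl`.
    function execute(bytes calldata data) external onlyOwner {
        (bool ok, ) = impl.delegatecall(data);
        require(ok, "delegatecall failed");
    }

    function proposeUpgrade(address newImpl) external onlyOwner {
        pendingImpl = newImpl;
        upgradeEta = block.timestamp + DELAY;   // emitted state: monitors can react
    }

    function finalizeUpgrade() external onlyOwner {
        require(pendingImpl != address(0) && block.timestamp >= upgradeEta, "too early");
        impl = pendingImpl;
        pendingImpl = address(0);
    }
}
```

A pending upgrade is a concrete on-chain signal to alert on; a key compromise then has to survive the delay in public view before any foreign code can run in the treasury's context.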
Sources & on-chain evidence
- [01] protos.com: https://protos.com/2025s-biggest-crypto-hacks-from-exchange-breaches-to-defi-exploits/
- [02] halborn.com: https://www.halborn.com/blog/post/year-in-review-the-biggest-defi-hacks-of-2025