On the 22nd, the Web3 social application UXLINK confirmed that its multi-sig wallet had been hacked, with over $11.3 million in assets stolen and quickly sold, causing the token price to plummet over 70% within an hour. This incident not only severely damaged the project's market capitalization but also shattered the myth that a multi-sig wallet is a "last line of defense."
The incident occurred on September 22, 2025. The official announcement stated that the assets stolen included approximately $4 million in USDT, as well as USDC, Wrapped Bitcoin (WBTC), Ether (ETH), and the native UXLINK token. The hackers dispersed the funds across centralized and decentralized exchanges and then sold approximately $800,000 in UXLINK tokens, wiping out over $70 million in market value in just one hour. Investors rushed to withdraw liquidity, pushing the market to the brink of chaos.
Attack Path: The "Secret Door" in the Multi-Signature Mechanism
Yu Xian, founder of blockchain security company SlowMist Technology, analyzed the situation through the X platform and concluded that the key lies in the compromise of the Safe multi-signature wallet's private key. The attacker first obtained the private key and replaced the original multi-signature owner with the address 0x2EF43c1D0c88C071d242B6c2D0430e1751607B87. They then used the smart contract delegateCall to remove the legitimate administrator and add themselves to the multi-signature using addOwnerWithThreshold. This effectively invalidated the multi-signature mechanism for fund transfers.
"The attacker first steals the private key and then uses a delegateCall to rewrite the multi-signature owner. Traditional multi-signatures without additional verification can be locked by a single key."
This statement points to the biggest blind spot in multi-signature design: once there is a crack in private key custody and smart contract permission management, the security gate is useless.
Emergency response: Freeze operation in a race against time
Following the incident, the UXLINK team partnered with security firm PeckShield to track the flow of funds and filed freeze requests with multiple centralized and decentralized exchanges. Currently, the majority of assets have been locked and have not yet flowed into deep anonymous addresses. Officials emphasized that no direct attacks on user wallets have been detected. They will announce an asset recovery and compensation plan and cooperate with law enforcement agencies to track down those responsible.
The next step for multi-signature wallets: How many more locks can be added to trust?
This incident, one of the largest multi-sig wallet breaches between 2024 and 2025, challenges the simplistic notion that "multi-sig = security." Cryptocurrency projects must remember: first, private key management remains fundamental; second, smart contracts require regular audits and dynamic monitoring; and third, when projects expose their own assets to risk, price fluctuations can erupt in minutes. To rebuild trust in the industry, we must not rely solely on the number of multi-sigs, but must also implement additional safeguards through contract architecture, permission design, and real-time risk monitoring.
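As an added illustration of the real-time monitoring recommended above (example code written for this page, not UXLINK's, Safe's or SlowMist's tooling), the sketch below replays decoded Safe transactions and raises alerts on the pattern described in the attack path: a delegatecall execution followed by owner-set and threshold changes. The record layout, the function name `review_safe_activity` and the sample addresses are assumptions; the event names and the `operation` values follow the Safe contracts.

```python
DELEGATECALL = 1  # Safe Enum.Operation: 0 = Call, 1 = DelegateCall

def review_safe_activity(owners, threshold, txs, allowlist=frozenset()):
    """Replay decoded Safe transactions; return (alerts, owners, threshold)."""
    baseline = frozenset(o.lower() for o in owners)
    current, alerts = set(baseline), []
    allowed = {a.lower() for a in allowlist}
    for tx in txs:
        tag = tx["hash"]
        # A delegatecall runs the target's code against the Safe's own storage,
        # so it is flagged on its own, even if no owner event is emitted.
        if tx["operation"] == DELEGATECALL and tx["to"].lower() not in allowed:
            alerts.append((tag, "HIGH", "delegatecall to non-allowlisted " + tx["to"]))
        changed = False
        for name, arg in tx["events"]:
            if name == "AddedOwner":
                current.add(arg.lower())
                changed = True
                alerts.append((tag, "HIGH", "owner added " + arg))
            elif name == "RemovedOwner":
                current.discard(arg.lower())
                changed = True
                alerts.append((tag, "HIGH", "owner removed " + arg))
            elif name == "ChangedThreshold":
                if arg < threshold:
                    alerts.append((tag, "HIGH", f"threshold lowered {threshold}->{arg}"))
                threshold = arg
        # Full takeover: none of the owners known at baseline is left.
        if changed and not (current & baseline):
            alerts.append((tag, "CRITICAL", "no baseline owner remains"))
    return alerts, current, threshold

# Constructed sample data (placeholder addresses, not taken from the incident).
OWNERS = ["0xA1", "0xA2", "0xA3"]
SAMPLE_TXS = [
    {"hash": "tx1", "operation": 0, "to": "0xT0", "events": []},
    {"hash": "tx2", "operation": 1, "to": "0xD1", "events": [
        ("AddedOwner", "0xB1"), ("RemovedOwner", "0xA1"),
        ("RemovedOwner", "0xA2"), ("RemovedOwner", "0xA3"),
        ("ChangedThreshold", 1)]},
]

if __name__ == "__main__":
    for alert in review_safe_activity(OWNERS, 2, SAMPLE_TXS)[0]:
        print(*alert)
```

In production the records would come from an indexer or node subscription, and the CRITICAL alert would page a human or trigger an automatic pause where the treasury design has one.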
The blockchain world is still some distance away from the reality that “what is written into the contract cannot be changed.” When the sword of Damocles falls, the original security halo of multi-signature wallets will be forced to undergo stricter scrutiny.