UPCX, an open-source payment platform, suffered a significant loss of $70 million worth of tokens. The breach was discovered on April 1, when suspicious activity involving 18.4 million UPC tokens was flagged. Blockchain security firm Cyvers traced the breach to a compromised UPCX address from which the ProxyAdmin contract was upgraded by an unauthorized party. The attacker used this unauthorized upgrade to execute a function that allowed fund transfers from three different management accounts.
In response, UPCX immediately suspended operations, halting deposits and withdrawals while it investigated the incident. The platform assured users that their assets were unaffected; the stolen tokens had not yet been converted into other crypto assets. During this time, UPC’s token price dropped by 7%, reflecting the market’s reaction to the breach.
The value of UPC tokens fell from $4.06 to $3.77, showing investor concern over the platform’s security.
The hack follows a pattern seen in previous Web3 exploits, often linked to compromised credentials or flawed access control mechanisms. Meir Dolev, Cyvers’ CTO, stated that these vulnerabilities were responsible for over 80% of stolen funds in 2024. The breach serves as a stark reminder of the need for heightened security measures around wallet permissions, multisignature protections, and transaction validations.
Cyvers noted that this pattern of attack, involving unauthorized access to critical administrative roles, has been commonly observed in similar incidents.
This breach’s scale marks a significant increase in crypto thefts, surpassing previous months’ losses. In March, the total amount stolen in crypto hacks was around $33 million, less than half the amount taken in this attack. The incident underlines the urgency of improving security protocols within Web3 and cryptocurrency platforms, as vulnerabilities continue to be exploited by malicious actors.