Hacker Steals $70 Million from UPCX, Targets Developer Wallet Using Smart Contract

UPCX, a Web3 payment service, suffered a serious hack and lost $70 million in UPC tokens when an unauthorized user accessed the tokens from a smart contract. The developers became aware of the hack when they noticed multiple suspicious transactions exiting their project wallets.

The hacker first accessed the project’s addresses and then upscaled the attack using the ProxyAdmin contact, withdrawing 18.4 million UPC tokens, which amounts to $70 million. The hacker used the function withdrawByAdmin to transfer such a large amount from the developer’s UPCX wallet.

Meir Dolev, Cyvers’ co-founder, said that the exploit had all of the key characteristics of a Web3 attack, including compromised credentials and faulty access control procedures. These issues accounted for 80% of Web3 breaches in 2024. Dolev suggests that developers better use permissions and multi-signatures to control access.

UPCX had been expanding its Southeast Asian market and had a native wallet and mainnet. It was a relatively new project and was still being actively developed. However, the token heavily relied on Ethereum, using the blockchain to build its smart contracts. After the hack, many UPCX holders sold their tokens, effectively making a bank run on the tokens. UPCX was traded on MEXC and Gate.io.

UPCX is an open-source payment system that uses a blockchain to provide services comparable to credit card transactions, namely scalability and transaction speed. UPCX features include User-Issued Assets (UIA) and Market-Pegged Assets (MPA) to make transferring assets easy. The token also aims to create faster settlement rates and a remittance service.

The project used smart contracts to enable various remittance functions, such as scheduling payments and conducting noncustodial escrow. UPCX was developing an SDK for third-party developers, a dedicated API, and point-of-service hardware that would integrate with the token.

The hacker most likely targeted the UPC token because its price recently soared, reaching a high of $5.31 in March. The token’s value and the security holes present made it an attractive target for hackers.

UPCX is spread over 40k wallets and still aims to expand its operations. The weakest link in their project was the smart contracts and project wallets, which were targeted based on their reliance on Ethereum. Unfortunately for the project, many UPC holders have sold their tokens, even though the developers still wish to maintain the project. The hackers stole more UPC tokens than were currently available, lowering the price by 4%.

The hacker stole five times the amount of UPC in circulation, which means that if the hacker decides to sell, the price will drop significantly, making it very difficult to make money from this hack. The hacker has not moved the stolen funds from the new wallet address. The hacker will most likely consider ways to launder and extract the money.