UPCX Suffers $70M Hack, Token Price Drops 7%

UPCX, a Web3 payment service, recently suffered a significant security breach, resulting in the theft of approximately $70 million in UPC tokens. The hacker exploited a vulnerability in the smart contract system, specifically targeting the ProxyAdmin contract to withdraw 18.4 million UPC tokens from the developer’s wallet. The unauthorized access was detected when developers noticed multiple suspicious transactions exiting their project wallets.

The hacker utilized the function withdrawByAdmin to transfer a substantial amount of tokens from the developer’s UPCX wallet. This incident underscores the vulnerabilities within smart contract systems and the potential for significant financial losses. The hacker's wallet, newly created, became one of the largest holders of UPC tokens following the exploit, highlighting the sophistication of the attack.

Cyvers, a crypto security firm, identified the breach and provided detailed insights into the attack. The hacker did not deposit ETH for gas fees but instead directly interacted with the token contract, executing the transfer with minimal costs and no intermediary steps. This strategic approach underscores the need for enhanced security measures within the crypto ecosystem.

UPCX acknowledged the breach and took immediate action to suspend deposits and withdrawals, assuring users that their assets remained unaffected. The team is actively investigating the incident, but the specifics of the security measures in place have not been fully disclosed. The hacker's identity and strategy for converting the stolen funds remain unclear, as the tokens have not been swapped for other cryptocurrencies. The limited liquidity and trading options for UPC tokens may restrict the hacker's ability to offload the assets, potentially mitigating the impact of the theft.

The incident triggered a price drop for UPC, with the token falling 7% from a high of $4.06 to a low of $3.77 before recovering slightly to $4.01. The breach has raised concerns about the security of open-source crypto payment systems and the potential for similar attacks in the future. The $70 million theft highlights the growing scale of such threats.

Despite the significant financial loss, the broader market impact of the UPCX breach remains uncertain. The project, which began development in late 2023, has seen limited activity compared to other Web3 payment platforms. The hacker's wallet has yet to move the stolen UPC tokens, raising questions about how they intend to cash out. Given that the stolen amount is nearly five times the circulating supply, any liquidation attempt could trigger a sharp price collapse. The UPCX breach stands out for its scale yet relative lack of market disruption. If investigators can track the attackers and freeze the assets, the damage may be contained. Otherwise, the looming threat of liquidation could weigh on UPC’s recovery for the foreseeable future.

UPCX is an open-source payment system that uses a blockchain to provide services comparable to credit card transactions, namely scalability and transaction speed. UPCX features include User-Issued Assets (UIA) and Market-Pegged Assets (MPA) to make transferring assets easy. The token also aims to create faster settlement rates and a remittance service. The project used smart contracts to enable various remittance functions, such as scheduling payments and conducting noncustodial escrow. UPCX was developing an SDK for third-party developers, a dedicated API, and point-of-service hardware that would integrate with the token.

The hacker most likely targeted the UPC token because its price recently soared, reaching a high of $5.31 in March. The token’s value and the security holes present made it an attractive target for hackers. UPCX is spread over 40k wallets and still aims to expand its operations. The weakest link in their project was the smart contracts and project wallets, which were targeted based on their reliance on Ethereum. Unfortunately for the project, many UPC holders have sold their tokens, even though the developers still wish to maintain the project. The hackers stole more UPC tokens than were currently available, lowering the price by 4%.

The hacker stole five times the amount of UPC in circulation, which means that if the hacker decides to sell, the price will drop significantly, making it very difficult to make money from this hack. The hacker has not moved the stolen funds from the new wallet address. The hacker will most likely consider ways to launder and extract the money.