On April 1, 2025, UPCX, an open-source blockchain-based payment platform utilizing Delegated Proof of Stake (DPoS) and Byzantine Fault Tolerance (BFT) for high-throughput transactions (up to 100,000 TPS), suffered a $70 million exploit when an unauthorized actor compromised a privileged address, likely via private key theft. The attacker upgraded the ProxyAdmin contract to a malicious version, enabling execution of the built-in withdrawByAdmin function to drain 18.4 million UPC tokens, more than the circulating supply of approximately 4 million, from three management accounts.

Blockchain security firm Cyvers detected the suspicious activity and flagged the transfers to a new address, where the funds remained unsold at the time of detection, avoiding immediate further laundering. UPCX promptly acknowledged the “unauthorized activity,” suspended deposits and withdrawals platform-wide as a precaution, assured users that personal assets were unaffected (impact limited to management/staking wallets), transferred remaining controlled UPC tokens to a secure address, and initiated an investigation with security partners.

The UPC token price dipped 7% from $4.06 to $3.77 amid the news, contributing to a broader Q1 2025 Web3 loss total exceeding $2 billion, with access control failures like this (responsible for over 80% of 2024 losses) continuing as a dominant threat. Cyvers CTO Meir Dolev noted similarities to prior exploits involving credential compromises and flawed access controls, emphasizing the need for enhanced wallet permissions, multi-signature (multi-sig) or Multi-Party Computation (MPC) implementations, cold storage, runtime transaction validation, and off-chain key security procedures beyond traditional smart contract audits.

This incident, one of the largest in 2025 and surpassing March’s $33 million total in hacks, highlights ongoing risks in payment infrastructure despite UPCX’s focus on Southeast Asian markets and recent mainnet/wallet launches. No fund recovery or bounty details were announced, and operations remained paused pending full remediation.
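The runtime transaction validation mentioned above can be expressed as a small rule set over admin-level events: an upgrade to an implementation that never passed change control, admin withdrawals shortly after it, and cumulative withdrawals that exceed the circulating supply. This is an added example, not UPCX or Cyvers code; the event record shape, the addresses, the 50-block window and the split of the 18.4 million tokens across three accounts are constructed assumptions.

```python
from dataclasses import dataclass

# All names, addresses and record fields below are constructed for this example.
APPROVED_IMPLS = {"0xIMPL_V1", "0xIMPL_V2"}  # implementations that passed change control
CIRCULATING_SUPPLY = 4_000_000               # approximate figure quoted in the report
WINDOW_BLOCKS = 50                           # assumed correlation window

@dataclass
class Event:
    block: int
    kind: str        # "upgrade" or "withdrawByAdmin"
    contract: str    # contract the upgrade or call touched
    detail: str      # new implementation (upgrade) or source account (withdrawal)
    amount: int = 0  # tokens moved, withdrawals only

def detect(events, approved=APPROVED_IMPLS, supply=CIRCULATING_SUPPLY,
           window=WINDOW_BLOCKS):
    """Scan admin events in block order and return (rule, block) alerts."""
    alerts, bad_upgrade_at, withdrawn, over_supply = [], {}, 0, False
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "upgrade" and ev.detail not in approved:
            # Implementation is not on the allowlist: alert and remember the block.
            bad_upgrade_at[ev.contract] = ev.block
            alerts.append(("unapproved_upgrade", ev.block))
        elif ev.kind == "withdrawByAdmin":
            withdrawn += ev.amount
            upgraded = bad_upgrade_at.get(ev.contract)
            if upgraded is not None and ev.block - upgraded <= window:
                alerts.append(("withdraw_after_upgrade", ev.block))
            if withdrawn > supply and not over_supply:
                over_supply = True  # raise this alert once per scan
                alerts.append(("exceeds_circulating_supply", ev.block))
    return alerts

# Constructed stream: routine activity, then the pattern the report describes.
SAMPLE = [
    Event(90, "upgrade", "0xMGMT", "0xIMPL_V2"),
    Event(95, "withdrawByAdmin", "0xMGMT", "acct-0", 1_000),
    Event(100, "upgrade", "0xMGMT", "0xIMPL_UNKNOWN"),
    Event(101, "withdrawByAdmin", "0xMGMT", "acct-1", 6_000_000),
    Event(102, "withdrawByAdmin", "0xMGMT", "acct-2", 6_000_000),
    Event(103, "withdrawByAdmin", "0xMGMT", "acct-3", 6_400_000),
]

if __name__ == "__main__":
    for rule, block in detect(SAMPLE):
        print(block, rule)
```

The first alert fires at the upgrade itself, before any tokens move, which is the point at which a pause or a multi-sig veto would still prevent the loss.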