TL;DR

KiloEx suffered a $7.5 million exploit due to a critical oracle access control flaw. The attacker manipulated prices across multiple chains after funding via Tornado Cash. Despite five audits, the vulnerability went undetected. KiloEx has suspended operations, filed a police report, and is pursuing recovery while addressing security concerns post-incident.

KiloEx, a multi-chain perpetual protocol, suffered a significant security breach resulting in a $7.5 million loss after an attacker exploited a vulnerability in its oracle system.

The attack was executed through a wallet funded via Tornado Cash, enabling the perpetrator to bypass traceability. Despite its recent expansion across Base, BNB Chain, and Taiko, the protocol failed to address a critical flaw in its oracle implementation.

The exploit did not rely on a sophisticated zero-day vulnerability; instead, it capitalized on a basic oversight, described as “the digital equivalent of walking through an unlocked front door.”

This lapse occurred shortly after the project received support from Binance, highlighting the contrast between its public milestones and internal security posture.

In the aftermath, KiloEx offered a 10% bounty to the attacker in hopes of recovering the stolen funds. The incident raises concerns about the reliability of security practices in emerging DeFi platforms.

As the original commentary noted, “having ‘Kilo’ in your name doesn’t automatically give you the heavyweight security needed in DeFi’s bloodsport arena.”

The security breach at KiloEx escalated rapidly, with early warnings issued by security engineer Chaofan Shou on April 14th. Shou first reported that “KiloEx_perp is hacked. $6M+ loss already. Likely due to price oracle access control issues.”

Shortly thereafter, he confirmed the vulnerability: “Anyone can change Kilo’s price oracle.”

Within just 20 minutes of Shou’s initial alert, Cyvers Alerts corroborated the scale of the exploit, announcing a "$7M HACK ALERT" spanning multiple chains. The attack spread quickly from BNB Chain to Base and Taiko, draining funds at an alarming rate.

KiloEx responded hours later by suspending all platform activity and collaborating with security firms to trace the stolen funds. The incident revealed just how fragile KiloEx's security infrastructure was, particularly its oracle access controls, which allowed unrestricted manipulation of price feeds.

Twitter tweet

The fallout demonstrates how a single overlooked vulnerability can trigger catastrophic losses across interconnected chains, turning what should have been a robust multi-chain deployment into a liability.

Exploit Details:

The exploit that led to KiloEx's $7.5 million loss required no advanced techniques, only a clear path through inadequate access controls.

According to an investigation by SlowMist, the breach stemmed from a flawed MinimalForwarder contract that failed to validate callers or verify signatures. This allowed the attacker to impersonate trusted contracts with ease.

The exploit relied on a chain of misplaced trust between four interconnected contracts: KiloPriceFeed relied on Keeper, Keeper relied on PositionKeeper, and PositionKeeper depended on MinimalForwarder. The breakdown occurred at the root, MinimalForwarder, where forged signatures and absent data validation enabled unrestricted access.

With full control of the price oracle, the attacker manipulated ETH prices at will. By first setting ETH as low as $100, opening highly leveraged long positions, then inflating prices to $10,000, they executed a rinse-and-repeat strategy to drain funds. The Base chain alone lost $3.12 million.

While Pyth Network served as the underlying oracle provider, the breach was entirely due to KiloEx’s insecure implementation. The attacker exploited this weakness without leaving substantial traces, showcasing how insecure architecture can become a gateway for massive theft.

Tracing the Attack:

The attacker behind the KiloEx exploit demonstrated a high level of coordination and preparation, beginning with the use of Tornado Cash, a well-known crypto mixer, to fund their activities.

The wallet first appeared on April 13, one day before the exploit, indicating premeditation. The originating wallet was:
0xa0fa4ab8ded0c07085d244e1981919b440f78b609e1cf8d7f8ee32d358dfdf46

From there, the attacker launched synchronized attacks across Base, BNB Chain, Taiko, opBNB, and Manta, exploiting the same vulnerability on each network. The precise timing and execution reflect deliberate targeting.

All exploits were linked to the following Ethereum address:
0x00fac92881556a90fdb19eae9f23640b95b4bcbd

Attack Details:

Base Chain:

• Address: 0x00fac92881556a90fdb19eae9f23640b95b4bcbd

• Transaction 1 ($3.13M): 0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd

• Transaction 2 ($187k): 0xde7f5e78ea63cbdcd199f4b109db2a551b4462dec79e4dba37711f6c814b26e6

• Transaction 3 ($11k): 0xf0fcce0807a82041d050a60461e187f0e81a6f7fbda69bb600c04049d924e138

BNB Chain:

• Address: 0x00fac92881556a90fdb19eae9f23640b95b4bcbd

• Transaction 1 ($893k): 0x1aaf5d1dc3cd07feb5530fbd6aa09d48b02cbd232f78a40c6ce8e12c55927d03

• Transaction 2 ($10k): 0x38b25be14b83fd549d5e0b29ba962db83d41f5f9072d0eac4f692fa8e7110bc0

opBNB:

• Address: 0x00fac92881556a90fdb19eae9f23640b95b4bcbd

• Transaction 1 ($2.9M): 0x79eb28ae21698733048e2dae9f9fe3d913396dc9d93a0e30d659df6065127964

• Transaction 2 ($205.5k): 0xcfc679a66f1d2966dbe83bb827409c40f29f881c20128107ae73e93ab55c65e4

• Transaction 3 ($14k): 0x783d56ce53af6d59c7c4be374ff48a66257733fadf5905526b5862a54917889f

Taiko:

• Address: 0x00faC92881556A90FdB19eAe9F23640B95B4bcBd

• Transaction ($41k): 0x9bce6e105cea138fe9fb1e4bfb63fe90d21817db9d2cc6d1bf7697317430215b

Manta:

• Address: 0xd43b395efad4877e94e06b980f4ed05367484bf3

• Transaction ($100k): 0x06074831103a1e91c7b6dcb3b641cf4b79bfa208ea75e99cf9b5100d60a82df5

The attacker also used a separate Ethereum address to bridge funds:
0x551f3110f12c763D1611d5A63B5F015d1c1a954C

In total, the amount stolen is estimated at approximately $7,491,500.

By the time SlowMist’s MistTrack flagged the attacker’s addresses, the stolen funds were already being moved across various blockchain bridges, including zkBridge, deBridge, and Meson.

These once-promising cross-chain protocols, intended to enhance DeFi's borderless potential, now served as ideal avenues for the attacker to launder the stolen funds.

In response, KiloEx quickly urged "all partner protocols and platforms to blacklist this address" while working with security partners to track the flow of the stolen assets. This is becoming a common response in the DeFi space, where security breaches have become an unfortunately predictable pattern.

In such a severe security violation, what more can a platform do beyond sending a strongly worded request to the blockchain?

Consequences:

KiloEx’s response to the attack came swiftly, but it followed the familiar steps seen in many DeFi hacks: suspend trading, blacklist addresses, and trace the stolen funds. This reaction, while necessary, was akin to locking the door after the burglars had already made off with the loot.

The following day, the platform announced that the vulnerability had been identified and would be fixed soon, a revelation that seemed more like a formality than a breakthrough, after all, the damage had already been done.

Twitter tweet

It was like discovering the front door was broken after the valuables were taken.

The platform then made its offer to the hacker: return 90% of the $7.5 million, keep 10% as a "whitehat bounty," and KiloEx would even send out a tweet acknowledging the cooperation. The message, however, felt more like a desperate plea than a genuine negotiation.

Their statement, dripping with an air of desperation masked as strength, read: "Our investigation, supported by law enforcement, cybersecurity agencies, and multiple exchanges & bridge protocols, has uncovered critical information about your activities."

KiloEx’s plea to the attacker could be summarized simply: return the funds. However, the attacker has remained silent, with their wallets still untouched and holding the full $7.5 million in stolen assets.

In response, KiloEx has filed a police report in Hong Kong and stated they are cooperating with the Criminal Division, Cybercrime Unit, and cybersecurity firm SlowMist. The platform is freezing positions based on pre-attack snapshots and has promised user compensation plans, while also attempting direct on-chain communication with the attacker.

Curiously, KiloEx took the opportunity to address “rumors suggesting KiloEx may have been involved in the hack,” despite the fact that such suspicions were not prominent until the platform brought them up. This move has raised questions about whether they unintentionally invited speculation about an insider threat.

KiloEx confirmed that they had undergone five audits since June 2023. However, these assessments failed to prevent the exploit.

The most recent audit, conducted by ScaleBit in March 2025, offered a response that sidestepped responsibility. The firm stated they were “deeply saddened” by the incident but noted that “the root cause falls outside the scope of our audit.”

This raises critical concerns about audit standards. If a security audit does not account for vulnerabilities in something as fundamental as Oracle access control, what exactly is its purpose?

KiloEx now joins the long list of protocols brought down by oracle manipulation, a classic vulnerability that continues to exploit the DeFi space's weakest links.

Despite deploying on Base, BNB Chain, Taiko, and opBNB, KiloEx left its MinimalForwarder completely exposed, giving attackers direct access to $7.5 million in user funds. This was not a sophisticated hack, just a basic failure in access control that could have been prevented.

The team prioritized expansion over security, and it showed. Five audits since June 2023 failed to catch the flaw that ultimately drained the protocol. The result was a sprawling multi-chain rollout built on a compromised foundation.

Users are not interested in retroactive fixes or apologetic audit statements. They care about protocols that take security seriously from day one. When your MinimalForwarder becomes the doorway to a full treasury drain, no amount of post-mortem analysis or PR cleanup will restore trust.

Thank you for reading our latest Crypto Hack story.
Like, Subscribe and Share for more crypto hack content below.

TL;DR

PancakeSwap’s proposal to retire the veCAKE model sparked significant backlash from the community. Critics cited governance centralization, suspicious large-scale CAKE lockups, and weakened token utility. Despite community-suggested alternatives, the team pushed forward. The debate underscores broader concerns about DeFi governance integrity and the centralization risks within protocol-led tokenomic changes.

On April 8, 2025, PancakeSwap unveiled its latest governance overhaul — "Tokenomics Proposal 3.0" — promising "True Ownership." However, this proposal has triggered concerns across the DeFi community, as it seeks to dismantle veCAKE, the very system that once empowered long-term token holders with governance influence.

Twitter tweet

What’s causing alarm isn’t just the proposal itself, but the timing and mechanics surrounding it. In the days leading up to the vote, several wallet addresses locked in close to 50% of the total CAKE supply, effectively positioning themselves to control the outcome.

This massive accumulation raises serious questions about decentralization and whether PancakeSwap’s governance model is being undermined from within.

Projects deeply integrated into PancakeSwap’s ecosystem now face an uncertain future. Notably, Cakepie — a protocol that locked around 13 million CAKE via a liquid staking wrapper — could be rendered obsolete. These wrappers allow users to stake long-term without losing liquidity, mirroring the model used by Convex on Curve.

Ironically, those building innovative tools to strengthen PancakeSwap’s long-term growth may now be the first casualties of its so-called evolution. As the platform shifts toward a streamlined governance model, builders are left questioning whether DeFi’s promise of permissionless innovation is being replaced by centralized decision-making masked as progress.

The governance landscape at PancakeSwap has entered a volatile new chapter.

With Tokenomics Proposal 3.0, the protocol is targeting the elimination of veCAKE, a core mechanism designed to safeguard the protocol from whale manipulation and give long-term stakers real influence. Yet, the proposal arrived without any prior consultation with stakeholders or warnings issued to the builders most affected by it.

Adding fuel to the fire, just before the proposal was revealed, a newly active wallet locked a massive amount of CAKE, strategically split across multiple fresh addresses.

This sudden move positioned the holder to significantly sway the outcome of the proposal. In stark contrast to long-term veCAKE stakers who committed for years, these newly minted “governance mercenaries” could exit the system immediately once the vote passes.

This power play threatens not just token holders but entire ecosystems. Cakepie, which has approximately 13 million CAKE locked via its liquid staking wrapper, is now staring down a potential collapse — a protocol-ending risk for a team that built on the assumption of long-term governance stability.

PancakeSwap frames the move as a push toward “flexibility” and “sustainable growth.” But the timing of the wallet activity, the absence of community dialogue, and the systematic removal of governance rights paint a far more troubling picture.

With the vote yet to begin, tension is rising and backlash is intensifying. If governance itself becomes the battlefield, the question remains: is this evolution — or a hostile takeover?

Mercenary Voting: A Threat to Governance Integrity

PancakeSwap’s veCAKE model was built on a foundational principle: governance power should be earned through long-term commitment, not short-term opportunism.

By locking CAKE for extended periods, users weren’t just rewarded with yield — they were entrusted with influence, symbolizing alignment with the protocol’s long-term vision.

But that principle is now under siege.

In the days leading up to the Tokenomics Proposal 3.0, a single address locked nearly 50% of the entire CAKE supply distributed across multiple fresh wallets, a move likely designed to evade scrutiny.

This sudden concentration of power contradicts the very spirit of veCAKE, introducing what many are calling a “mercenary voter” into the system.

The address in question — 0xd183f2bbf8b28d9fec8367cb06fe72b88778c86b — has raised significant red flags. On-chain analysis conducted by Juapia, a long-time PancakeSwap ambassador, traced this wallet back to a more alarming source.

Its first transaction came from:
0x655E2488E1f116bE4020DC37AEbf9895e074c33E

A suspicious transfer linked to transaction:
0xedd0305fa4d8941be31aa3b69d36d05c514262b1092dc876da3763a879a7764f

— which itself was originally funded by a known PancakeSwap treasury wallet:
0x7122C91049511b58A14Ce2CE10f1aCF318cc51d0.

This link was confirmed via a historic post from PancakeSwap, identifying the treasury address as legitimate.

Juapia sounded the alarm: “It is not a simple whale.” The evidence suggests this wallet may be acting with privileged insight or insider alignment, and is now poised to become the decisive voting bloc capable of dismantling veCAKE.

Perhaps the most concerning aspect: if Proposal 3.0 passes, the locked tokens behind this governance blitz could be immediately unlocked — allowing the orchestrator to exit with zero repercussions, while the rest of the community deals with the fallout.

This episode underscores a chilling reality: when the rules of governance themselves can be rewritten through governance, the door opens to manipulation by those who can afford to buy control.

Collateral Damage: Builders Left in the Dark

Cakepie didn’t expect to become the cautionary tale for decentralized governance. Yet, in the wake of PancakeSwap’s Tokenomics Proposal 3.0, that’s exactly what has happened.

For over a year, Cakepie has been the largest veCAKE holder, locking 13 million CAKE for four years — not for speculation, but to build infrastructure, drive liquidity, and enhance yield strategies for PancakeSwap users.

Twitter tweet

Their model mirrors Convex’s relationship with Curve: users deposit CAKE and receive mCAKE, a liquid alternative, while Cakepie’s CKP token handles the governance layer. The outcome was a win-win — liquidity for users, directional influence for the protocol.

That carefully built model now stands on the edge of collapse.

“We were blindsided,” Cakepie said after learning about the proposal with the rest of the community. “After our continuous support and consistent contributions, this abrupt shift feels deeply misaligned with the mutual trust we’ve worked hard to establish.”

Dondon, a leading figure at Cakepie, was more direct: “The big PancakeSwap mistake is happening. They built a protocol based on freedom to create, and now they’re pulling the rug on the very builders they empowered. Is this DeFi? No. This is betrayal.”

Stake DAO, another key ecosystem participant, finds itself in a similar bind. With more than $500,000 locked through their sdCAKE system, the team now questions the direction PancakeSwap is heading. They voiced “deep concerns” about a proposal that “goes in the opposite direction from PancakeSwap’s development over the past year.”

Twitter tweet

Stake DAO has called on PancakeSwap’s core contributors — referred to as “the Kitchen” — to reconsider the proposal entirely or, at minimum, offer a fair compensation framework to affected parties.

These aren’t just passive investors. They’re protocol-layer builders who committed both capital and development resources based on PancakeSwap’s invitation to build atop veCAKE. They didn’t gamble — they aligned long-term, exactly as the system asked.

Now, with the rules changing overnight, those very commitments are being punished.

The proposal promises “True Ownership,” but raises an uncomfortable question: ownership of what? A token stripped of its governance rights? A “community-focused” protocol that just sidelined its most loyal contributors?

Even Michael Egorov, the architect behind Curve Finance’s ve-tokenomics model, weighed in with a stark warning: “ve-tokenomics reason to exist is to prevent governance attacks, making decision makers take long-term responsibility over their actions… Upgradability is a bug. Don’t make your veGovernance upgradable, especially the lock part.”

In crypto, the ethos has always been that code is law, and long-term alignment deserves reward. But when a DAO changes fundamental rules without warning, the very idea of decentralization comes under threat.

Deflationary Growth or Governance Gutting?

Tokenomics Proposal 3.0 arrives wrapped in glossy language — "flexibility," "sustainability," "long-term success." But beneath the surface, it reads more like a systematic dismantling of PancakeSwap’s existing governance structure.

A closer examination strips away the euphemisms.

The proposal states that “veCAKE and Gauges Voting System will be retired.” In plain terms, those who locked CAKE for years, based on the promise of governance power, will lose that voice entirely. Long-term alignment, the cornerstone of ve-tokenomics, would be rendered meaningless.

It continues: “All staked CAKE will be unlocked with no penalties.” On the surface, this might sound fair. But in practice, it grants exit liquidity to short-term actors while undercutting those who committed to the ecosystem for years, especially protocols that built their models around long-term staking.

Then there's “reducing emissions from ~40,000 CAKE to ~22,250 CAKE per day.” This sounds like a move toward deflation, but without clarity on distribution, it's simply fewer rewards, likely funneled through centralized channels.

More striking is the removal of core utility: “Future IFO and TGE participation will not require CAKE staking.” This move strips away one of the last incentives for locking CAKE, effectively transforming the token from a governance and utility asset into a passive instrument.

And finally, the most concerning line: “The PancakeSwap team will directly manage emissions” using “real-time data.” In effect, the Kitchen team replaces decentralized decision-making with centralized control, undermining the entire premise of token-holder governance.

Forum contributor AtuIA summarized it clearly: “So what exactly is this Tokenomics 3.0? From what I read, 95% of the content focuses on removing the old tokenomics model. Meanwhile, the part about the new tokenomics is either vaguely mentioned as ‘easier and more efficient’ or not mentioned at all... Isn’t this like wanting to tear down the old house immediately while having no clear design or preparation for the new one?”

The proposal claims progress, but it offers no clear plan for what comes next. Removing the foundation risks toppling the entire structure that PancakeSwap’s community helped build.

Gamified Tokenomics or Centralized Cleanup?

The PancakeSwap team argues that the veCAKE system has become “too complex” and that it “allocates rewards inefficiently.” At a glance, this critique is somewhat true.

Prior to the controversial CAKE lock-up, protocols like Cakepie had amassed close to 50% of all voting power.

Twitter tweet

By leveraging this influence, they directed a significant share of emissions toward pools that often lacked sufficient trading volume, extracting more value than they arguably generated.

Head Chef Philip put it bluntly: “Numbers never lie. Some pools extract value from $CAKE holders without adding much value.”

But instead of refining the system — implementing emission caps, tightening efficiency metrics, or enforcing penalties for underperformance — PancakeSwap chose a scorched-earth response: eliminate veCAKE entirely.

Prominent voices in the community have pushed back. Hubert, a long-time contributor, pointed out the overreaction: “The solution is not to deprecate the very good veCAKE model... Just stop giving 25% of emissions to Magpie.”

Kuwada echoed concerns about PancakeSwap's long-term credibility: “If PancakeSwap releases v4 next, will there be any promising projects willing to build on it, trusting PCS again? With Uniswap available, why would anyone choose PCS?”

Reasonable alternatives existed: caps on emissions for low-efficiency pools, realigned incentives that reward volume, not just influence, and exit options with penalties to discourage mercenary governance.

Yet the community’s suggestions were sidelined. The result? A “solution” that solves inefficiency by replacing decentralization with centralized control.

The message rings clear: when tokenomics are gamed, PancakeSwap’s fix isn’t dialogue or design iteration — it’s complete structural overhaul, with power consolidated at the core.

Is this a response to inefficiency, or a rebrand of centralization dressed in the language of reform?

The Kitchen’s Defense or Strategic Silence?

Amid growing backlash, PancakeSwap released a blog post addressing community concerns, or at least appearing to.

The post answered nine curated questions but conspicuously avoided the one issue at the heart of the controversy: the massive and sudden CAKE lock-up that now dominates voting power.

On Twitter, PancakeSwap’s Head Chef offered a vague reassurance: “We’re happy to see CAKE community members actively participating in the ecosystem,” referring to the newly locked CAKE. But the statement ignored the suspicious origins of those addresses, leaving a deeper question unresolved: who’s actually behind the vote?

Twitter tweet

Critics were quick to respond. “Given that half the user base faces geo-restrictions from participating in the TGE, how can PancakeSwap claim to be truly decentralized?” asked community member Marco Polo.

The reply that the TGE is merely a Binance Wallet partnership and IFOs will become “more accessible” felt like sidestepping rather than accountability.

Even when asked whether veCAKE would remain active during the vote, the answer was a simple “yes” — effectively cementing the influence of the sudden whale wallets without investigation.

Technical clarifications fared no better. The blog admitted the 4% annual deflation target wasn’t guaranteed — it was based on past trading volume and could easily miss its mark if conditions changed. Meanwhile, community proposals offering balanced alternatives like capped emissions and penalty-based exits were acknowledged, then summarily ignored.

When the only official response to allegations of governance manipulation is a controlled FAQ that dodges the core issue, it raises a sobering question:

Is this decentralized governance — or just centralized control wrapped in the language of community?

Governance wars don’t spill blood, but they do erode trust. PancakeSwap now stands at a crossroads: uphold its decentralized foundation or continue down a path that concentrates control in the hands of a few.

So far, the team appears to be choosing the latter. Carefully worded proposals and FAQ pages are doing little to obscure the reality laid bare on-chain: a coordinated lock-up of nearly half the veCAKE supply by newly activated wallets, timed precisely to influence a proposal that would eliminate veCAKE’s very premise, long-term commitment.

Grimmace from Cakepie summed it up succinctly: “Kitchen’s goal is for CAKE deflation and improved reward efficiency. Cakepie is definitely glad to help, and I believe this could be done through different mechanisms rather than just killing veCAKE directly.”

If price stability is the primary concern, why inject 79 million unlocked CAKE into circulation while dismantling the lock-in mechanism designed to reduce sell pressure? As user Bethoveen noted, “Burns alone cannot keep up with this influx, not in the short term nor over several years.”

Community sentiment offers no ambiguity. According to Marco Polo’s tally, roughly 75% of unique users criticized the proposal, while fewer than 20% voiced support. His question cuts to the heart of the matter: “Was this community discussion meant to listen, or just a box to tick off while a quiet 25M vote block waits in the shadows to force approval?”

Twitter tweet

Michael Egorov’s reminder resonates across the DeFi landscape: “Upgradability is a bug” when applied to governance commitments. His symbolic move to re-lock all veCRV positions for four years offers a stark contrast to PancakeSwap’s current trajectory.

Importantly, this remains a proposal, not yet policy. There is still room to recalibrate. PancakeSwap has the opportunity to respond to the overwhelming community feedback, engage meaningfully with ecosystem stakeholders, and design a governance model that balances long-term sustainability with fair representation.

The broader takeaway is clear: in DeFi, governance is only as resilient as its ability to resist manipulation by those closest to the controls.

This proposal might yet become a turning point, a reminder that decentralization must be defended, not just declared. And in the strong, unified pushback from the community, there is a glimmer of hope that the next era of DeFi governance will be shaped not by quiet consolidations of power, but by the conviction of those who still believe in its founding ideals.

Thank you for reading our latest Crypto Hack story.
Like, Subscribe and Share for more crypto hack content below.

TL;DR

UPCX suffered a $70 million exploit after an attacker gained unauthorized access and upgraded its ProxyAdmin contract, draining funds from management accounts. The platform suspended operations and confirmed user assets remain safe. UPC’s token fell 7%, and investigations continue as experts link the breach to weak access controls and admin privileges.

A serious security breach has rocked UPCX, an open-source payment platform, resulting in the loss of approximately $70 million worth of digital assets. The incident, confirmed through a security alert on April 1, involved unauthorized access that enabled a malicious actor to withdraw millions in tokens.

The blockchain security firm Cyvers was among the first to flag the suspicious activity, identifying a total of 18.4 million UPC tokens being moved. According to their assessment, the total value of the compromised funds is estimated at $70 million.

Twitter tweet

Investigations reveal that the attacker gained control of a UPCX address and proceeded to upgrade its ProxyAdmin contract. This change gave them administrative privileges, which were then used to trigger a withdrawal function. As a result, funds were drained from three separate management accounts.

At the time of reporting, the stolen tokens have not yet been exchanged for other cryptocurrencies, leaving their next move uncertain. UPCX has temporarily halted its operations as internal investigations are underway, and the team has not yet issued an official statement in response to inquiries.

Following the breach, UPCX confirmed that it had identified "unauthorized activity" impacting its internal management accounts. In response, the platform immediately suspended all deposits and withdrawals to prevent further damage.

Twitter tweet

The team reassured users that their personal assets remained secure and unaffected by the incident, while also emphasizing that a full investigation is currently in progress.

The market reacted swiftly to the news. According to data from CoinGecko, the price of UPC’s token declined by 7%, dropping from a high of $4.06 to a low of $3.77 during the period of the exploit.

Coingecko

Blockchain security firm Cyvers continues to monitor the situation closely. In a statement to Cointelegraph, Meir Dolev, co-founder and chief technology officer at Cyvers, noted that the specific method used in the attack is still under investigation.

However, he pointed out that similar incidents in the past have commonly been linked to compromised credentials or weaknesses in access control systems.

Dolev highlighted that such vulnerabilities have been the leading cause of Web3-related financial losses in 2024, contributing to over 80% of the funds stolen this year.

He explained that the attack on UPCX follows a familiar pattern, where unauthorized access to core administrative privileges is used to initiate malicious contract upgrades and siphon funds.

“This incident mirrors attack patterns we’ve documented in prior exploits, where access to critical administrative roles enabled malicious upgrades and fund drainage,” Dolev said.

The breach has reignited concerns about smart contract security across the crypto space. Dolev stressed the importance of strengthening protections around wallet permissions, implementing robust multisignature solutions, and enforcing real-time transaction validation.

With $70 million lost in this single incident, April’s total already surpasses the $33 million stolen throughout March.

Total Hack losses in March by PeckShield

The escalating trend in Web3 exploits raises pressing questions about how platforms can reinforce their defenses moving forward.

The UPCX breach reminds us of ongoing security challenges in the Web3 space. Although the platform acted quickly to contain the damage and assured users their assets were safe, the $70 million loss and 7% drop in token value reflect a serious hit to user confidence.

As investigations continue, the incident highlights the urgent need for stronger access controls, better wallet permission systems, and more robust multisig security. UPCX’s response and recovery will not only shape its future but also influence how the broader industry addresses smart contract vulnerabilities moving forward.

Thank you for reading our latest Crypto Hack story.
Like, Subscribe and Share for more crypto hack content below.