UPCX Suspends Trading After $70 Million Hack Exposes Security Flaws

On April 1, 2025, the cryptocurrency payment platform UPCX faced a major shock when it discovered an unauthorized access to its management account, leading to the possible loss of $70 million. This incident not only severely damaged UPCX's reputation but also raised concerns about security.

4/2/20253 min read

Event Background

According to an official announcement from UPCX, the management team discovered “unauthorized activity” involving a key management account on April 1. The platform immediately suspended all deposits and withdrawals to prevent further losses and launched an internal investigation.

Blockchain security firm Cyvers quickly stepped in and determined that the attacker had exploited a vulnerability in the UPCX smart contract. Specifically, the hacker gained control of an admin wallet, modified the ProxyAdmin contract's permissions, and activated the "withdrawByAdmin" function to transfer 18.4 million UPC tokens — worth about $70 million — to a single wallet.

Notably, the stolen tokens remain in the hacker's wallet with no signs of conversion or liquidation, suggesting that the attacker may be biding his time or having difficulty laundering the money.

UPCX assured that user assets were safe and not directly affected by the hack, but the event caused the UPC token price to drop 7%, from $4.06 to $3.77, according to data from CoinGecko.

Event details

The research found that the hack occurred on April 1, 2025, when the hacker gained unauthorized access to the smart contract, possibly through compromised credentials or weak access control mechanisms.

They upgraded the ProxyAdmin contract and implemented the 'withdrawByAdmin' function to withdraw 18.4 million UPC tokens, worth around $70 million at the time.

The first image from Arkham Intelligence shows wallet 0xF7174D64192454382776E21dBF131b2a62B334 on Ethereum, with $73.15 million worth of mostly UPC, and a transfer of 18.473 million UPC ($79.94 million) from address 0x0DDC693972AA473EB2d66A95Cd5ff090 23 hours ago.

The second image from Arkham's Visualizer, labeled "Hacker: UPC (0xF7...)", shows a transaction on April 1, 2025, with 18,473 UPC ($79.937 million) and 1.993 million UPC ($4.211) to address 0x0DDC6309572A4B73EE2d66650AC9B5cd5ff0d0 and staking contracts, suggesting a money laundering attempt.

Impact: UPC token prices fell sharply, initially by 5-7%, from around $4.02-4.06 to $3.52-3.77, according to CoinGecko and CoinMarketCap. UPCX suspended deposits and withdrawals, affecting investor confidence, with hundreds of wallets withdrawing UPCX. The report also found that more than 80% of Web3 losses in 2024 came from similar issues, highlighting the need for improved security.

Surprising details

One notable detail is that the amount of stolen tokens (18.4 million) far exceeds the reported circulating supply (4.14 million), according to CoinMarketCap Academy, raising concerns about UPCX's token distribution or management, with a total supply of 780 million UPC according to the whitepaper. This could indicate a reporting issue or an affected internal reserve.

Cause and security vulnerability analysis

The UPCX hack is a prime example of the risks associated with smart contract security – one of the inherent weaknesses of blockchain platforms.

Similar attacks in 2025 are likely to stem from compromised credentials or weak access controls, according to Meir Dolev, CTO of Cyvers. In the case of UPCX, the fact that hackers were able to modify the ProxyAdmin contract suggests that there may have been a flaw in private key management or that multi-signature authentication was not properly implemented.

UPCX, as an open-source payment platform, relies heavily on the Ethereum ecosystem for smart contract operations. Despite having launched its own mainnet and wallet, this dependency may have made the platform more vulnerable to attacks, especially since wallets manage a large amount of tokens centrally.

Data shows that there were only about 4.14 million UPC tokens in circulation before the hack, while more than 50% of the supply was held by a handful of large wallets, including the development team’s wallet. This raises questions about the transparency and distribution of the project’s tokens, and increases the severity of the incident as the number of stolen tokens far exceeds the actual circulation.

Conclusion and evaluation

The UPCX hack is a stark reminder to cryptocurrency projects of the importance of smart contract security and asset management. Platforms need to invest in regular audits, implement robust multi-signature mechanisms, and monitor transactions in real-time to mitigate risks.

For investors, this event highlights the importance of thoroughly researching a project's security and token distribution before participating.