In April 2025, UPCX, an open-source crypto payment platform, was the victim of a hack. The attackers performed an unauthorized withdrawal of 18.4 million UPC tokens worth approximately $70 million from the platform.
Inside the Attack
The root cause of the UPCX hack is likely another compromised private key. The attacker gained access to one of the project’s addresses and took advantage of the privileged associated with it to perform a malicious upgrade to its ProxyAdmin contract.
After performing the malicious smart contract upgrade, the attacker executed the withdrawByAdmin function that was built into the smart contract. This allowed them to drain funds from multiple management accounts for a total of 18.4 million UPC tokens for an estimated $70 million in losses.
After the attack was detected, UPCX acknowledged the incident and temporarily froze deposits and withdrawals on the platform. It also took action to transfer UPC tokens remaining under the control of the project to another address.
Lessons Learned from the Attack
The UPCX hack is likely one of several incidents in 2025 involving the theft and misuse of blockchain private keys. If an attacker gains access to a private key — via social engineering, malware, or other means — they can perform transactions using the associated account and leveraging the privileges assigned to it. In this case, the attacker performed a malicious upgrade, then drained value from the account.
DeFi projects can implement a few security measures to help manage their exposure to this risk. Implementing private key security best practices — such as the use of cold storage and multi-signature or MPC wallets — can reduce the risk that an attacker will be able to access all of the private keys necessary to control a privileged account. In this case, the attacker would have needed to access several keys to perform their malicious upgrade if a multi-sig or MPC wallet had been in place.
These types of attacks occur off-chain and don’t require vulnerabilities in the target smart contract to exploit. This means that traditional smart contract security audits are insufficient to protect against them. DeFi projects also need to implement secure procedures and controls regarding private key security.
Halborn offers a range of security services beyond smart contract audits, including advisory support throughout the full software development lifecycle (SDLC). For help with evaluating, enhancing, or designing your project’s security practices, get in touch with Halborn.