UPCX Hack: $70 Million Stolen in Smart Contract Exploit
UPCX suffers $70 million loss after smart contract exploit, prompting token price drop and raising concerns over access control vulnerabilities in Web3.
TL;DR
UPCX suffered a $70 million exploit after an attacker gained unauthorized access and upgraded its ProxyAdmin contract, draining funds from management accounts. The platform suspended operations and confirmed user assets remain safe. UPC’s token fell 7%, and investigations continue as experts link the breach to weak access controls and admin privileges.
A serious security breach has rocked UPCX, an open-source payment platform, resulting in the loss of approximately $70 million worth of digital assets. The incident, confirmed through a security alert on April 1, involved unauthorized access that enabled a malicious actor to withdraw millions in tokens.
The blockchain security firm Cyvers was among the first to flag the suspicious activity, identifying a total of 18.4 million UPC tokens being moved. According to their assessment, the total value of the compromised funds is estimated at $70 million.
🚨ALERT🚨Our system has detected multiple suspicious transactions involving @Upcxofficial
It appears that someone gained access to the address 0x4C....3583E, upgraded the 'ProxyAdmin' contract, and executed the 'withdrawByAdmin' function, resulting in the transfer of 18.4M
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts)
12:26 PM • Apr 1, 2025
Investigations reveal that the attacker gained control of a UPCX address and proceeded to upgrade its ProxyAdmin contract. This change gave them administrative privileges, which were then used to trigger a withdrawal function. As a result, funds were drained from three separate management accounts.
At the time of reporting, the stolen tokens had not yet been exchanged for other cryptocurrencies, leaving the attacker's next move uncertain. UPCX has temporarily halted its operations while internal investigations are underway, and the team has not yet issued an official statement in response to inquiries.
Following the breach, UPCX confirmed that it had identified "unauthorized activity" impacting its internal management accounts. In response, the platform immediately suspended all deposits and withdrawals to prevent further damage.
🚨Security Notice: Unauthorized Activity Detected🚨
UPCX has identified unauthorized activity involving our management account. As a precautionary measure, we are taking immediate action to ensure platform security.
🔹 UPCX deposits and withdrawals are temporarily suspended.
— UPCX® Official (@Upcxofficial)
10:57 AM • Apr 1, 2025
The team reassured users that their personal assets remained secure and unaffected by the incident, while also emphasizing that a full investigation is currently in progress.
The market reacted swiftly to the news. According to data from CoinGecko, the price of UPC’s token declined by 7%, dropping from a high of $4.06 to a low of $3.77 during the period of the exploit.

Blockchain security firm Cyvers continues to monitor the situation closely. In a statement to Cointelegraph, Meir Dolev, co-founder and chief technology officer at Cyvers, noted that the specific method used in the attack is still under investigation.
However, he pointed out that similar incidents in the past have commonly been linked to compromised credentials or weaknesses in access control systems.
Dolev highlighted that such vulnerabilities have been the leading cause of Web3-related financial losses in 2024, contributing to over 80% of the funds stolen this year.
He explained that the attack on UPCX follows a familiar pattern, where unauthorized access to core administrative privileges is used to initiate malicious contract upgrades and siphon funds.
“This incident mirrors attack patterns we’ve documented in prior exploits, where access to critical administrative roles enabled malicious upgrades and fund drainage,” Dolev said.
The breach has reignited concerns about smart contract security across the crypto space. Dolev stressed the importance of strengthening protections around wallet permissions, implementing robust multisignature solutions, and enforcing real-time transaction validation.
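As an added illustration of the real-time transaction validation mentioned above (this is not code from Cyvers or UPCX), the following sketch correlates a proxy upgrade with later calls to the 'withdrawByAdmin' function named in the alert. It assumes the proxy emits the ERC-1967 `Upgraded` event and that activity is already decoded; the allowlist, time window, limit, and all sample records are constructed for the example.

```python
"""Correlate proxy upgrades with admin withdrawals (constructed sample data)."""

APPROVED_IMPLS = {"0xImplV2"}  # assumption: implementations that passed review/timelock
WINDOW_S = 3600                # assumption: how long an unapproved upgrade taints a proxy
LIMIT = 1_000_000              # assumption: per-call token limit for admin withdrawals

# Constructed, already-decoded activity; proxies, tx ids and addresses are placeholders.
SAMPLE = [
    {"ts": 100,   "tx": "tx1", "proxy": "P1", "kind": "Upgraded", "impl": "0xImplV2"},
    {"ts": 200,   "tx": "tx2", "proxy": "P1", "kind": "withdrawByAdmin", "amount": 5_000},
    {"ts": 5000,  "tx": "tx3", "proxy": "P1", "kind": "Upgraded", "impl": "0xUnknown"},
    {"ts": 5060,  "tx": "tx4", "proxy": "P1", "kind": "withdrawByAdmin", "amount": 6_000_000},
    {"ts": 5120,  "tx": "tx5", "proxy": "P1", "kind": "withdrawByAdmin", "amount": 1_000},
    {"ts": 20000, "tx": "tx6", "proxy": "P2", "kind": "withdrawByAdmin", "amount": 2_000_000},
]


def detect(events, approved=APPROVED_IMPLS, window=WINDOW_S, limit=LIMIT):
    """Return (severity, tx, reason) alerts for suspicious upgrade/withdraw sequences."""
    alerts, tainted = [], {}   # tainted: proxy -> timestamp of last unapproved upgrade
    for e in sorted(events, key=lambda e: e["ts"]):
        proxy = e["proxy"]
        if e["kind"] == "Upgraded":
            if e["impl"] in approved:
                tainted.pop(proxy, None)   # a reviewed implementation clears the taint
            else:
                tainted[proxy] = e["ts"]
                alerts.append(("high", e["tx"], "unapproved implementation"))
        elif e["kind"] == "withdrawByAdmin":
            after_upgrade = proxy in tainted and e["ts"] - tainted[proxy] <= window
            over_limit = e["amount"] > limit
            if after_upgrade and over_limit:
                alerts.append(("critical", e["tx"],
                               "large withdrawal after unapproved upgrade"))
            elif after_upgrade:
                alerts.append(("high", e["tx"], "withdrawal after unapproved upgrade"))
            elif over_limit:
                alerts.append(("medium", e["tx"], "withdrawal over limit"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep="  ")
```

A rule like this only alerts; holding or blocking the withdrawal requires on-chain controls such as a timelock or multisignature ownership of the upgrade role.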
With $70 million lost in this single incident, April’s total already surpasses the $33 million stolen throughout March.

Total Hack losses in March by PeckShield
The escalating trend in Web3 exploits raises pressing questions about how platforms can reinforce their defenses moving forward.
The UPCX breach reminds us of ongoing security challenges in the Web3 space. Although the platform acted quickly to contain the damage and assured users their assets were safe, the $70 million loss and 7% drop in token value reflect a serious hit to user confidence.
As investigations continue, the incident highlights the urgent need for stronger access controls, better wallet permission systems, and more robust multisig security. UPCX’s response and recovery will not only shape its future but also influence how the broader industry addresses smart contract vulnerabilities moving forward.