How severe is multi-signature control loss? How to control the protocol's lifeline?

JonasJonas
/Sep 25, 2025
How severe is multi-signature control loss? How to control the protocol's lifeline?

Key Takeaways

• UXLINK’s hack stemmed from a leaked signer key, not a smart contract bug

• Hot wallets are vulnerable—teams should mandate hardware wallets for multi-sig

• Distribute signers across locations, devices, and backups to prevent single points of failure

• Enforce identity confidentiality and establish cross-verification to prevent phishing

• Rotate signers regularly and conduct recovery drills to build operational resilience

Recalling the astonishing $1.5 billion Bybit theft case, do you still feel a chill down your spine?

Multi-signature might not be something that novices and retail investors encounter often. However, after so many protocols have been stolen, project teams should realize how important the secure management of multi-signature operations is. A few days ago, a project called UXLINK also suffered asset theft and token market value evaporation due to multi-signature permission loss. Although the attack method has little to do with the Bybit theft incident, this once again served as a warning to project parties.

So what happened?

In the early morning of the 23rd, an address called the "delegateCall" function to remove the administrator role and add its own address as a multi-signature address, and set the multi-signature threshold to 1, which means that multi-signature operations only require the hacker's own consent—now the entire project's fund security is virtually non-existent.

Then the hacker carried out a series of money-making operations:

  • Transferred all project funds, approximately $10 million
  • Minted an additional 1 billion tokens
  • "Dumped" the newly issued tokens, significantly reducing liquidity on CEX and DEX exchanges.

Even more outrageous, the hacker was also "hacked," and the newly minted tokens were intercepted by the old phishing group Inferno Drainer using phishing techniques, seizing over 500 million $UXLINK.

Currently, the UXLINK team has partnered with multiple security teams and jointly frozen some of the stolen assets with CEXs, preparing for a token contract replacement.

How to manage team multi-signatures?

According to @evilcos, the root cause of this incident is very simple: the private key of a multi-signature member was leaked.

In other words, no matter how perfect the multi-signature contract design is, if the signers themselves cannot keep their keys, it is equivalent to leaving the door wide open. So what should the team do?

Discipline One: Physical isolation, no internet connection

Private keys in a hot wallet environment are extremely vulnerable to theft by Trojans, plugins, authorized phishing, etc., so multi-signature private keys not being connected to the internet is the bottom line. Hardware wallets can do this very well: private keys are isolated in the chip, and the entire signing process is completed offline, reducing the probability of leakage.

Project teams should strictly require signers to use hardware wallets for multi-signatures, rather than opting for convenience with browser extensions or mobile wallets.

In addition, the lesson from Bybit also tells us: even the official front-end webpage may not be real; only by using a hardware wallet with multi-signature parsing can "what you see is what you sign" be achieved.

Discipline Two: Extreme dispersion to avoid single points of failure.

Geographical dispersion: Signers must be distributed in different cities and even countries to avoid "annihilation" due to regional disasters or physical attacks.

Technical dispersion: Signers should use hardware wallets from different manufacturers to prevent being wiped out by common vulnerabilities of a single brand.

Backup dispersion: Mnemonic phrases backed up on physical media such as steel plates must be stored separately and in different locations from the hardware wallet itself.

Discipline Three: Traceable processes to reduce human error.

Even the best technology cannot prevent procedural negligence and human weaknesses. Therefore, strict operational procedures are the soul of the security system.

First, identity confidentiality must be strictly enforced, prohibiting the disclosure of the specific identities of multi-signature signers to outsiders, thus preventing team members from becoming "high-value targets" for hackers.

Secondly, establish a robust cross-verification process, stipulating that any large or sensitive operation must be re-verified by at least two members through offline methods such as video calls, checking critical information such as addresses and amounts, as the last manual line of defense against phishing and fraud.

Discipline Four: Regular rotation and drills to prevent problems before they occur.

Private keys are not a one-time solution. If a member leaves or a device is lost, immediate rotation is necessary. Project parties should also regularly practice "lost private key" recovery procedures to ensure that they can quickly fill in when a real incident occurs.

End

Asset security has no rehearsals. Please attach great importance to team multi-signature management and use hardware wallets that support signature parsing.

Secure Your Crypto Journey with OneKey

View details for OneKey ProOneKey Pro

OneKey Pro

Truly wireless. Fully offline. The most advanced air-gapped cold wallet.

View details for OneKey Classic 1SOneKey Classic 1S

OneKey Classic 1S

Ultra-thin. Pocket-ready. Bank-grade secure.

View details for OneKey SifuOneKey Sifu

OneKey Sifu

1-on-1 wallet setup with OneKey Experts.

Keep Reading