Crypto bridge breach costs Alex Protocol $4.3M

An alarming situation for the crypto world has hit the Alex protocol, a Bitcoin layer-2 protocol famous for its decentralized finance applications. A $4.3 million hack has compromised the protocol. According to the latest report by the Certik blockchain security platform, the incident took place through suspicious withdrawals on the BNB Smart Chain network, just […]

CryptoFortress

May 15, 2024 - 11:08

Crypto bridge breach costs Alex Protocol $4.3M

An alarming situation for the crypto world has hit the Alex protocol, a Bitcoin layer-2 protocol famous for its decentralized finance applications. A $4.3 million hack has compromised the protocol. According to the latest report by the Certik blockchain security platform, the incident took place through suspicious withdrawals on the BNB Smart Chain network, just after the protocol’s contract got an unexpected upgrade.

#CertiKInsight ????

We have seen a suspicious transaction affecting @ALEXLabBTC

Initial evidence points to a possible private key compromise.

Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.

In total ~$4.3m worth of assets have… pic.twitter.com/02kiw2dFrm— CertiK Alert (@CertiKAlert) May 14, 2024

Alex Protocol exploit unraveled

Blockchain data corroborates that the Alex deployer account executed five identical upgrades to the “Bridge Endpoint” contract on the BNB Smart Chain, initiating the exploit at approximately 3:56 pm UTC on May 14th. Subsequently, a staggering $4. 3 million Binance-pegged Bitcoin, USDC, and Sugar Kingdom Odyssey (SKO) tokens were taken from the BNB Smart Chain side of the bridge.

The upgrade of the transaction changed the implementation address to the unverified bytecode, which human analysts could not understand. After the upgrades had started, the proxy address for the bridge contract was unblocked another address and thus the 16 BTC ($983,000 at the current prices) was transferred to it. This resulted in 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000) and $3.3 million worth of USDC at 4:44 pm, being moved into the address at 484E.

Potential cross-chain threat

The attacker, unfortunately, may try to withdraw the money from different networks. The occurrence of the BNB Smart Chain exploit was followed by a similar series of Alex upgrades on the Ethereum network, where the deployer upgraded the “artist address” to an unverified contract. After this, an unaccounted-for account tried to withdraw two times from the “team address” and got the “not owner” error.

The Alex Bridge breach is the most recent in a chain of attacks that have been affecting the decentralized finance ecosystem this month. On May 13th, the decentralized exchange Equalizer publicly announced the loss of more than 2,000 of its native tokens because of an attacker stealing them in small amounts over several days. Similarly, the Gnus AI hack on May 6th led to a loss equal to $1.27 million.