$4.3M Exploited in Alex Protocol Bridge Hack

The Alex protocol bridge on BNB Smart Chain experienced a $4.3 million attack after a suspicious upgrade, per a CertiK report. The upgrade, performed by the protocol's deployer, transferred assets across networks. Similarly, the Alex bridge on Ethereum underwent an upgrade, with an unknown account attempting withdrawals. The Alex team has yet to respond.

Alex Protocol Bridge Hack: $4.3 Million Exploited in Suspicious Withdrawals

On May 14th, the blockchain security platform CertiK reported a major security breach involving the Alex protocol bridge on the BNB Smart Chain network, resulting in malicious withdrawals totaling $4.3 million.

Alex, a Bitcoin layer-2 protocol, facilitates decentralized finance applications on the Bitcoin network. Its bridges serve as gateways for transferring assets between Bitcoin and other blockchain networks, such as BNB Smart Chain and Ethereum.

Blockchain data analysis reveals that the Alex deployer account executed five identical upgrades to the "Bridge Endpoint" contract on BNB Smart Chain starting at 3:56 pm UTC. Following these upgrades, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTCUSD), USD Coin (USDCUSD), and Sugar Kingdom Odyssey (SKO) tokens were siphoned from the bridge's BNB Smart Chain side.

CertiK's investigation suggests that the incident was likely orchestrated through a "possible private key compromise," as the upgrades were initiated by the protocol's deployer account.

The upgrade transaction modified the implementation address to one ending in 7058. This new implementation comprised unverified bytecode, rendering it unreadable to humans.

Approximately 48 minutes after the initiation of these upgrades, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. This resulted in the transfer of 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC to the 484E address at 4:44 pm.

The attacker's intentions may extend beyond the BNB Smart Chain network. At 5:41 pm, shortly after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades occurred on Ethereum. In this instance, the deployer upgraded the "artist address" to an unverified contract. Immediately afterward, an account ending in 05ed attempted to withdraw funds from the "team address." However, these withdrawals failed, eliciting a "not owner" error.

The 05ed account, with no prior transaction history before May 10th, has since created three unverified contracts, raising concerns that it might be controlled by a malicious actor.

As of the time of publication, the Alex team has not publicly acknowledged the exploit or provided any official statement regarding the incident.

The Alex bridge hack is not an isolated event. In recent weeks, several other protocols have fallen victim to potential exploits. On May 13th, decentralized exchange Equalizer reported the theft of over 2,000 of its native tokens, which were gradually siphoned off in small increments over several days. Moreover, the Gnus.ai hack on May 6th resulted in losses exceeding $1.27 million.

These incidents highlight the growing prevalence of security breaches in the burgeoning decentralized finance ecosystem. It is imperative that protocol developers prioritize robust security measures and conduct thorough audits to minimize the risk of exploits and protect user funds.