$4.3 Million Vanishes in Suspicious Alex Bridge Exploit

On May 14, CertiK reported that $4.3 million was withdrawn from the BNB Smart Chain-based Alex protocol bridge after a suspicious contract upgrade. The upgrade, executed by the protocol's deployer account, involved replacing the implementation address with unverified bytecode. Subsequently, funds were transferred to an unknown address, raising concerns about a possible private key compromise.

Alex Bridge Exploited for $4.3 Million in Suspicious Withdrawals

May 14, 2023 - The Alex protocol bridge, a gateway connecting the Bitcoin layer-2 protocol to other networks, has fallen victim to a sophisticated exploit, resulting in the loss of approximately $4.3 million in digital assets.

Blockchain security platform CertiK released a report on May 14, detailing the incident that occurred just hours after the bridge's contract was mysteriously upgraded five times in rapid succession. The upgrades, initiated by the protocol's deployer account, raised immediate concerns of a potential private key compromise.

The new implementation address, ending in 7058, contained unverified bytecode, rendering it indecipherable to human readers. Within an hour of the upgrades, the proxy address for the bridge contract executed an unverified function on an address ending in 4848E. This action triggered the transfer of a substantial amount of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) from the BNB Smart Chain leg of the bridge into the 484E address.

The attacker's motive appears to extend beyond the BNB Smart Chain network. At 5:41 pm UTC, minutes after the exploit on BNB Smart Chain, a similar series of upgrades occurred on Ethereum. The deployer upgraded the "artist address" to an unverified contract, followed by an attempt to withdraw funds from the "team address" by an account ending in 05ed. However, the withdrawal attempts failed, returning a "not owner" error.

The 05ed account, which exhibited no activity before May 10, raised suspicions of malicious intent. Its creation of three unverified contracts within a short period suggested control by a malicious actor.

At the time of this report's publication, the Alex team had yet to confirm the exploit or comment on the incident. The attack marks a growing trend of protocol exploits in the decentralized finance (DeFi) space, with Equalizer and Gnus.ai reporting losses exceeding $3.5 million combined in May alone.

The Alex bridge incident highlights the ongoing security risks associated with DeFi platforms and the need for robust security measures to protect user funds. CertiK's comprehensive investigation underscores the importance of thorough audits and regular security reviews to identify and mitigate potential vulnerabilities.

The incident serves as a stark reminder that the security of DeFi platforms is paramount, and users should exercise due diligence in selecting and interacting with protocols. Developers must prioritize the implementation of rigorous security protocols and transparency to instill trust and confidence among users.