Alex Bridge, the bridge of decentralized Bitcoin layer-2 protocol Alex, suffered a $4.3 million exploit on the BNB Smart Chain network.
On May 14, blockchain security researcher CertiK reported that decentralized finance (DeFi) bridge protocol Alex fell victim to a major exploit on the BNB Smart Chain network, which led to the loss of crypto assets worth $4.3 million.
Suspicious Contract Upgrade on BNB Smart Chain Leads to a $4.3M Loss
As CertiK explained, the incident’s root cause appears to have been a suspicious upgrade to Alex’s “Bridge Endpoint” contract on the BNB Chain.
We have seen a suspicious transaction affecting @ALEXLabBTC
Initial evidence points to a possible private key compromise.
Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.
In total ~$4.3m worth of assets have… pic.twitter.com/02kiw2dFrm
— CertiK Alert (@CertiKAlert) May 14, 2024
At around 3:56 PM UTC, the protocol's deployer account submitted five identical upgrade transactions, each pointing the proxy's implementation address at a contract whose bytecode is not source-verified on the block explorer.
Shortly after 4:44 PM UTC, a series of transactions from the proxy address ending in 4848E drained roughly 16 BTC ($983,000), 2.7 million Sugar Kingdom Odyssey (SKO) tokens ($75,000), and $3.3 million in USDC stablecoin from the bridge to an Ethereum address controlled by an unknown party.
CertiK labeled the event a "possible private key compromise" of the deployer account that carried out the malicious contract upgrades. Because the new implementation's source code was never verified, only raw bytecode is visible on-chain, which conceals what the upgraded contract actually does without decompiling it.
Around the same time as the BNB Smart Chain attack, Alex's "artist address" contract on the Ethereum network received a similar upgrade: the deployer pointed it at an unverified contract. Immediately after the upgrade completed, an account ending in 05ed attempted unauthorized withdrawals from Alex's team fund, but those transactions reverted with the error message "not owner," meaning the fund's owner check rejected the caller.
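The pattern described above (an upgradeable proxy repointed at unverified bytecode by a single deployer key, then drained minutes later) is detectable from the chain before the drain happens. The following is an added example, not code from Alex, XLink or CertiK. It scans EIP-1967 `Upgraded(address)` event logs for watched proxies and flags any upgrade whose new implementation was not pre-approved (for instance, scheduled through a timelock or governance vote) or has no verified source, and it also reports bursts of repeated upgrades. The proxy, implementation and transaction identifiers below are constructed for the example and are not the incident's addresses; the "approved" and "verified" sets are assumed to be supplied by the operator from their own change records and the explorer's verification data.

```python
"""Flag EIP-1967 proxy upgrades that point at an unexpected or unverified implementation.

Added example (not ALEX/XLink/CertiK code). All addresses, block numbers and tx hashes
below are constructed for illustration.
"""
from dataclasses import dataclass

# keccak256("Upgraded(address)"): the EIP-1967 / OpenZeppelin proxy upgrade event topic.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


@dataclass(frozen=True)
class UpgradeAlert:
    tx_hash: str
    block: int
    proxy: str
    new_impl: str
    reason: str


def topic_to_address(topic: str) -> str:
    """An indexed address is ABI-encoded as a 32-byte word; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def find_suspicious_upgrades(logs, watched_proxies, approved_impls, verified_impls):
    """One alert per Upgraded event on a watched proxy whose new implementation is not in
    approved_impls (the operator's scheduled upgrades). An implementation that is also
    absent from verified_impls (explorer-verified source) is the worst case."""
    watched = {a.lower() for a in watched_proxies}
    approved = {a.lower() for a in approved_impls}
    verified = {a.lower() for a in verified_impls}
    alerts = []
    for log in logs:
        topics = log.get("topics") or []
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
            continue  # not an Upgraded(address) event
        proxy = log["address"].lower()
        if proxy not in watched:
            continue
        new_impl = topic_to_address(topics[1])
        if new_impl in approved:
            continue  # expected upgrade
        reason = "implementation not in the approved set"
        if new_impl not in verified:
            reason += "; implementation bytecode is unverified"
        alerts.append(UpgradeAlert(log["transactionHash"], int(log["blockNumber"], 16),
                                   proxy, new_impl, reason))
    return alerts


def find_upgrade_bursts(alerts, max_gap_blocks=20, min_count=2):
    """Report runs of min_count+ flagged upgrades on one proxy where each upgrade lands
    within max_gap_blocks of the previous one. Returns (proxy, first_block, last_block, n)."""
    by_proxy = {}
    for a in alerts:
        by_proxy.setdefault(a.proxy, []).append(a.block)
    bursts = []
    for proxy, blocks in by_proxy.items():
        blocks.sort()
        run = [blocks[0]]
        for b in blocks[1:]:
            if b - run[-1] <= max_gap_blocks:
                run.append(b)
            else:
                if len(run) >= min_count:
                    bursts.append((proxy, run[0], run[-1], len(run)))
                run = [b]
        if len(run) >= min_count:
            bursts.append((proxy, run[0], run[-1], len(run)))
    return bursts


# Constructed sample data: one scheduled upgrade, one unrelated event, then five
# back-to-back upgrades to an implementation nobody approved or verified.
PROXY = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
KNOWN_IMPL = "0x1111111111111111111111111111111111111111"
ROGUE_IMPL = "0xdddddddddddddddddddddddddddddddddddddddd"


def _upgraded_log(proxy, impl, block, tx):
    return {"address": proxy, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + impl[2:]],
            "data": "0x", "blockNumber": hex(block), "transactionHash": tx}


SAMPLE_LOGS = [
    _upgraded_log(PROXY, KNOWN_IMPL, 1000, "0x" + "01" * 32),
    {"address": PROXY, "topics": ["0x" + "ee" * 32], "data": "0x",
     "blockNumber": hex(1500), "transactionHash": "0x" + "02" * 32},
] + [_upgraded_log(PROXY, ROGUE_IMPL, 2000 + i, "0x" + f"{0x10 + i:02x}" * 32) for i in range(5)]


def run_example():
    alerts = find_suspicious_upgrades(SAMPLE_LOGS, [PROXY], [KNOWN_IMPL], [KNOWN_IMPL])
    return alerts, find_upgrade_bursts(alerts)


if __name__ == "__main__":
    alerts, bursts = run_example()
    for a in alerts:
        print(f"block {a.block} tx {a.tx_hash[:10]}... {a.proxy} -> {a.new_impl}: {a.reason}")
    for proxy, first, last, n in bursts:
        print(f"{n} upgrades of {proxy} between blocks {first} and {last}")
```

In practice the `logs` argument would come from an `eth_getLogs` query filtered on the proxy addresses and the `Upgraded` topic. An alert of this kind is only useful if someone can act on it within minutes, and the gap between the upgrades and the drain in this incident was roughly an hour; the structural mitigation is to keep upgrade authority behind a multisig and a timelock rather than a single externally owned deployer key, so that a leaked key alone cannot swap the implementation instantly.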
A subsequent update from the Alex Bridge team states that a white hat hacker helped recover all of the funds taken from the affected smart contract. The amount in the return transactions matches the stolen sum ($4.3 million).
Xlink Security Update:
Following our announcement of the security incident at XLink, with the support of a whitehat (at 0x27055ae433e9dcb30f6ebcc1a374cf5cc03c484e), all the assets of Xlink users that were taken by the XLink exploiter from the impacted smart contract on BSC have…
— XLink.btc – Bridges All Bitcoin Layer 2s (@XLinkbtc) May 15, 2024
Mounting Security Concerns in DeFi
The attack on Alex's bridge is the latest in a string of security exploits that have rocked the DeFi space this month. Earlier this week, lending protocol Sonne Finance lost $20 million to attackers who exploited its smart contracts.
Fortunately, a potential $5 million exploit on the Wormhole cross-chain bridge deployed on the Aptos network was recently averted, thanks to the swift intervention of blockchain security firm CertiK.
🚨 CertiK's security research team detected a critical bug in @wormhole, a leading open source bridge for multichain applications.
Discover how an incorrect application of the public(friend) and entry modifiers exposed the blockchain to potential multimillion-dollar exploits by… pic.twitter.com/fOKgT6RaTC
— CertiK (@CertiK) May 13, 2024
CertiK had identified a critical coding flaw stemming from misapplied function visibility modifiers (public(friend) and entry) in the protocol's Move source code.
After promptly notifying the Wormhole team, a patch was quickly developed and deployed to seal the security loophole before it could be exploited.
A retrospective analysis confirmed no illicit fund transfers occurred due to the vulnerability, and all user balances remained intact. However, the incident underscores the persistent security challenges facing DeFi protocols.
In addition to Alex and the averted Wormhole breach, decentralized exchange Equalizer also fell victim to an exploit, losing over 2,000 tokens to an attacker last week.