DeFi Protocol Alex Bridge Hit by $4.3M Exploit on BNB Smart Chain

Key Takeaways

  • Alex Bridge, a Bitcoin layer-2 protocol on the BNB Smart Chain, suffered a major exploit leading to a $4.3 million loss.
  • The attackers managed to steal 16 BTC, 2.7 million SKO tokens, and $3.3 million in USDC by altering the "Bridge Endpoint" contract's bytecode.
  • The security breach highlights ongoing vulnerabilities in the DeFi sector, evidenced by multiple recent attacks.

Alex Bridge, a decentralized Bitcoin layer-2 protocol, suffered a major exploit of $4.3 million on the BNB Smart Chain network.

On May 14, blockchain security researcher CertiK reported that decentralized finance (DeFi) bridge protocol Alex fell victim to a major exploit on the BNB Smart Chain network, which led to the loss of crypto assets worth $4.3 million.

Suspicious BNB Smart Contract Initiates a $4.3M Loss

As CertiK explained, the incident’s root cause appears to have been a suspicious upgrade to Alex’s “Bridge Endpoint” contract on the BNB Chain.

At around 3:56 PM UTC, the protocol’s deployer account initiated five identical upgrades, changing the contract’s implementation address to unverified bytecode.

Some minutes after 4:44 PM UTC, a series of transactions from the “proxy address 4848E” drained roughly 16 BTC ($983,000), 2.7 million Sugar Kingdom Odyssey (SKO) tokens ($75,000), and $3.3 million in USDC stablecoin from the bridge into an Ethereum address controlled by an unknown party.

CertiK labeled the event as a “possible private key compromise” of the deployer account that carried out the malicious contract upgrades. The new implementation’s bytecode is unreadable, which hides what the code actually does.

Around the same time as the BNB Smart Chain attack, Alex’s “artist address” contract on the Ethereum network received a similar upgrade. The deployer upgraded the address to an unverified contract. Immediately after the upgrade was completed, an account ending in 05ed attempted to make unauthorized withdrawals from Alex’s team fund, but these transactions failed with an error message “not owner.”
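
The pattern reported above, repeated upgrades that point a proxy at an unverified implementation, is something a monitoring job can flag from upgrade events. The following is an added example, not code from CertiK or the Alex team. It assumes the proxy emits the ERC-1967 Upgraded(address) event, which the report does not state; the allowlist, addresses and hashes are constructed placeholders.

```python
from collections import Counter

# keccak256("Upgraded(address)"), the ERC-1967 upgrade event topic.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def impl_from_topic(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def review_upgrades(logs, verified_impls, burst_threshold=2):
    """Return alerts for upgrade events in a batch of eth_getLogs-style records.
    verified_impls: implementation addresses whose source the defender has
    reviewed (hypothetical allowlist kept by the monitoring team).
    """
    verified = {a.lower() for a in verified_impls}
    upgrades = [
        (log["address"].lower(), impl_from_topic(log["topics"][1]), log)
        for log in logs
        if len(log.get("topics", [])) >= 2 and log["topics"][0].lower() == UPGRADED_TOPIC
    ]
    # Count identical (proxy, implementation) upgrades within this batch.
    repeats = Counter((proxy, impl) for proxy, impl, _ in upgrades)
    alerts = []
    for proxy, impl, log in upgrades:
        reasons = []
        if impl not in verified:
            reasons.append("implementation not on verified allowlist")
        if repeats[(proxy, impl)] >= burst_threshold:
            reasons.append(f"upgrade repeated {repeats[(proxy, impl)]}x")
        if reasons:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "tx": log["transactionHash"], "reasons": reasons})
    return alerts

# Constructed sample data: placeholder addresses and hashes, not from the incident.
PROXY = "0x" + "aa" * 20
GOOD_IMPL = "0x" + "11" * 20
BAD_IMPL = "0x" + "22" * 20

def _log(impl, n):
    return {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + impl[2:]],
            "blockNumber": hex(1000 + n), "transactionHash": "0x" + f"{n:064x}"}

SAMPLE_LOGS = [_log(GOOD_IMPL, 0)] + [_log(BAD_IMPL, n) for n in range(1, 6)]

if __name__ == "__main__":
    for alert in review_upgrades(SAMPLE_LOGS, verified_impls=[GOOD_IMPL]):
        print(alert["tx"][-4:], alert["implementation"], "; ".join(alert["reasons"]))
```
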

A recent update from the Alex Bridge team claims that a white-hat hacker helped recover all the funds from the affected smart contract. The amount in the reversal transactions matches the amount stolen ($4.3 million).

Mounting Security Concerns in DeFi

The attack on Alex’s bridge is the latest in a string of security exploits that rocked the DeFi space this month. Earlier this week, Sonne Finance suffered an attack on its smart contract that saw the lending protocol lose $20 million to cyber thieves.

Fortunately, a potential $5 million exploit on the Wormhole cross-chain bridge deployed on the Aptos network was recently averted, thanks to the swift intervention of blockchain security firm CertiK.

CertiK had identified a critical coding flaw that emerged from improperly implementing modifiers in the Move programming language.

After CertiK promptly notified the Wormhole team, a patch was quickly developed and deployed to seal the security loophole before it could be exploited.

A retrospective analysis confirmed no illicit fund transfers occurred due to the vulnerability, and all user balances remained intact. However, the incident underscores the persistent security challenges facing DeFi protocols.

In addition to Alex and the averted Wormhole breach, decentralized exchange Equalizer also fell victim to an exploit, losing over 2,000 tokens to an attacker last week.