The crypto world is facing a concerning situation as the Alex protocol, a popular Bitcoin layer-2 protocol known for its decentralized finance applications, has fallen victim to a $4.3 million hack. The incident, as revealed by the Certik blockchain security platform, occurred through suspicious withdrawals on the BNB Smart Chain network right after the protocol’s contract received an unexpected upgrade.
Upon examining the blockchain data, it was discovered that the Alex deployer account carried out five identical upgrades to the “Bridge Endpoint” contract on the BNB Smart Chain, initiating the exploit at around 3:56 pm UTC on May 14th. As a result, an astonishing $4.3 million worth of Binance-pegged Bitcoin, USDC, and Sugar Kingdom Odyssey (SKO) tokens were stolen from the bridge’s BNB Smart Chain side.
During the transaction upgrade, the implementation address was changed to an unverified bytecode, which proved to be incomprehensible to human analysts. Simultaneously, the proxy address for the bridge contract was unblocked, allowing for the transfer of 16 BTC ($983,000 at current prices) to another address. Consequently, at 4:44 pm, a total of 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC were moved to the address at 484E.
The attacker may attempt to withdraw the stolen funds from various networks, posing a potential cross-chain threat. Following the BNB Smart Chain exploit, a similar series of Alex upgrades occurred on the Ethereum network. In this instance, the deployer upgraded the “artist address” to an unverified contract. Subsequently, an unidentified account attempted to withdraw funds from the “team address” twice but received a “not owner” error.
The Alex Bridge breach is the latest in a series of attacks that have plagued the decentralized finance ecosystem this month. On May 13th, the decentralized exchange Equalizer publicly disclosed the loss of over 2,000 of its native tokens, stolen by an attacker in small increments over several days. Similarly, the Gnus AI hack on May 6th resulted in a loss of $1.27 million.
