Bitcoin L2 protocol bridge Alex suffers $4.3M in losses after suspicious upgrades
It is possible that the attacker may have also attempted to drain funds from other networks, CertiK reports.
Share this article
The Alex protocol bridge on the BNB network has experienced $4.3 million in suspicious withdrawals following a sudden contract upgrade, according to a report from blockchain security platform CertiK on May 14.
We have seen a suspicious transaction affecting @ALEXLabBTC
Initial evidence points to a possible private key compromise.
Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.
In total ~$4.3m worth of assets have… pic.twitter.com/02kiw2dFrm
— CertiK Alert (@CertiKAlert) May 14, 2024
The incident, which CertiK labeled as “a possible private key compromise,” has raised concerns about the security of the Bitcoin layer-2 protocol’s bridges. At the time of writing, the team from Alex has yet to confirm the exploit.
Data from BscScan indicates that the Alex deployer initiated five upgrades to the platform’s Bridge Endpoint contract on the BNB Smart Chain. Following these upgrades, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were removed from the BNB Smart Chain side of the bridge.
The upgrade transaction call effectively changed the implementation address to unverified bytecode, rendering the change inconspicuous to human language.
Further investigation into the 05ed account revealed that it had created one unverified contract on May 10 and two more on May 14, despite having no prior activity. This suspicious behavior suggests that the account may be controlled by a malicious actor attempting to exploit the Alex protocol across multiple networks.
In less than an hour after the upgrades were initiated, the proxy address for the bridge contract called an unverified function on another address, transferring 16 BTC ($983,000), 2.7 million SKO ($75,000), and $3.3 million worth of USDC. Shortly after, an account ending in 05ed, which had no transaction history before May 10, attempted to make two withdrawals from the “team address.” However, these withdrawal attempts failed, triggering a “not owner” error message.
According to CertiK, it is possible that the attacker may have also attempted to drain funds from other networks, given how similar upgrades for the Alex protocol were also seen on Ethereum right after its initial changes.
Share this article
