According to a recent report from CertiK, a blockchain security platform, the Alex protocol bridge on the BNB Smart Chain network experienced suspicious withdrawals amounting to $4.3 million right after its contract was unexpectedly upgraded.
Alex is a layer-2 protocol for Bitcoin that offers decentralized finance applications on the Bitcoin network, according to its official website. Its bridges allow for the transfer of assets from other networks, such as BNB Smart Chain and Ethereum, to its own network.
Blockchain data confirms that the Alex deployer account executed five identical upgrades to the “Bridge Endpoint” contract on BNB Smart Chain, starting at 3:56 pm UTC. Subsequently, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were withdrawn from the BNB Smart Chain side of the bridge.
Since the upgrade was carried out by the protocol’s deployer account, CertiK deemed it a “possible private key compromise.”
The upgrade transaction changed the implementation address to one ending in 7058. The new implementation consists of unverified bytecode: no source code has been published for it, so its logic is unreadable to humans.
Around 48 minutes after the upgrades began, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. This resulted in 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC being transferred to the address at 484E at 4:44 pm.
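The sequence described above (repeated proxy upgrades to an unverified implementation, then large withdrawals from the proxy) is something bridge operators can alert on. The following is an added example, not code from CertiK or the Alex team: it correlates upgrade events with outflows over constructed, already-decoded event records. The addresses, the date, the record fields and the `find_upgrade_drains` helper are all assumptions, as is the availability of a "verified" flag from a block explorer.

```python
from datetime import datetime, timedelta

# Constructed, already-decoded events (placeholder addresses and date, not chain data).
# "upgrade": the proxy's implementation address changed.
# "outflow": tokens left the proxy's balance.
EVENTS = [
    {"t": "2024-01-01T15:56", "kind": "upgrade", "proxy": "0xPROXY", "impl": "0xIMPL", "verified": False},
    {"t": "2024-01-01T15:58", "kind": "upgrade", "proxy": "0xPROXY", "impl": "0xIMPL", "verified": False},
    {"t": "2024-01-01T16:44", "kind": "outflow", "proxy": "0xPROXY", "to": "0xDEST", "usd": 3_300_000},
    {"t": "2024-01-01T16:44", "kind": "outflow", "proxy": "0xPROXY", "to": "0xDEST", "usd": 983_000},
    {"t": "2024-01-01T17:10", "kind": "outflow", "proxy": "0xOTHER", "to": "0xUSER", "usd": 250_000},
    {"t": "2024-01-03T09:00", "kind": "outflow", "proxy": "0xPROXY", "to": "0xUSER", "usd": 500_000},
]

def find_upgrade_drains(events, window=timedelta(hours=2), min_usd=100_000):
    """Alert on proxies that lose >= min_usd within `window` of an upgrade."""
    upgrades, alerts = {}, {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["t"])):
        ts = datetime.fromisoformat(e["t"])
        if e["kind"] == "upgrade":
            upgrades.setdefault(e["proxy"], []).append((ts, e))
            continue
        history = upgrades.get(e["proxy"])
        if e["kind"] != "outflow" or not history:
            continue  # proxy was never upgraded: ordinary bridge traffic
        last_ts = history[-1][0]
        if ts - last_ts > window:
            continue  # too long after the last upgrade to correlate
        # Upgrades belonging to the same burst as the most recent one.
        burst = [(t, u) for t, u in history if last_ts - t <= window]
        alert = alerts.setdefault(e["proxy"], {
            "proxy": e["proxy"],
            "upgrade_count": len(burst),
            "unverified_impl": any(not u["verified"] for _, u in burst),
            "minutes_to_first_outflow": int((ts - burst[0][0]).total_seconds() // 60),
            "usd_out": 0,
            "destinations": set(),
        })
        alert["usd_out"] += e["usd"]
        alert["destinations"].add(e["to"])
    return [a for a in alerts.values() if a["usd_out"] >= min_usd]

if __name__ == "__main__":
    for alert in find_upgrade_drains(EVENTS):
        print(alert)
```

In practice the upgrade alert alone should page someone when no upgrade was scheduled, since the outflow correlation only fires after funds have moved.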
The attacker may also be attempting to drain funds on other networks. Just minutes after the suspicious upgrade on BNB Smart Chain, similar Alex upgrades occurred on Ethereum at 5:41 pm. In this case, the deployer upgraded the “artist address” to an unverified contract. Immediately after, an account ending in 05ed attempted two withdrawals from the “team address,” but these attempts failed due to a “not owner” error.
The 05ed account had no history before May 10. It created one unverified contract on May 10 and two more on May 14, suggesting that it may be controlled by a malicious user.
As of now, the Alex team has not confirmed the exploit or provided any comments on the incident.
The Alex bridge was not the only protocol to face a potential exploit in May. On May 13, the decentralized exchange Equalizer announced that it had lost over 2,000 of its own tokens to an attacker who gradually siphoned them away over several days. Additionally, the Gnus.ai hack on May 6 resulted in losses worth $1.27 million.
CertiK also discovered a $5 million security flaw in the Wormhole bridge on Aptos.