Bitcoin layer-2 developer, Alex Labs, has successfully frozen over $3.9 million worth of cryptocurrency that was exploited from its BNB Smart Chain bridge, as announced in a social media post on May 16. The attacker had sent the funds to various centralized exchanges (CEXs), enabling them to be frozen with the cooperation of these exchanges.
The team managed to recover the complete balances for 17 different tokens, including “all aBTC, sUSDT, xBTC, xUSD, ALEX, atALEX, LiSTX, LUNR, SKO, CHAX, $B20, ORDG, ORMM, ORNJ, TRIO, TX20, and STXS.” Additionally, $13.7 million worth of Stacks (STX) tokens were also exploited. However, the attacker mistakenly sent approximately 3 million STX tokens to centralized exchanges. A spreadsheet linked in the post reveals the STX balances at each exchange used by the hacker, indicating that $3.7 million is held at exchanges and $9.6 million is held in wallets under the direct control of the attacker.
The attacker gained control of a private key that provided access to one of the bridge’s “vaults” to withdraw the funds. Nonetheless, the team assures that the smart contract code and infrastructure supporting ALEX remained uncompromised.
Alex Labs has offered a 10% bounty to the attacker and promised not to prosecute if they return the remaining 90% of the stolen funds. However, if the attacker does not agree to negotiate, a police report will be filed. As there’s a possibility that not all funds will be recovered, the team is considering utilizing the $ALEX reserves held by ALEX Lab Foundation for a treasury grant program, compensating users who suffered losses in the attack.
Since a significant portion of the exploited funds comprises STX tokens, the team is also contemplating proposing a Stacks network upgrade to freeze the remaining funds and issue new tokens to the victims. Network upgrades to freeze an attacker’s coins have been executed before, such as during the 2016 Ethereum DAO hack and after the PopcornSwap rug pull on the BNB Smart Chain. However, approval for such upgrades is rare, and in the case of the PopcornSwap rug pull, funds were frozen but not reimbursed to investors.
Alex Labs affirms that it continues to monitor the attacker’s addresses and has implemented multiple alarms to prevent the cashing out of the funds.
It’s worth noting that Alex is not the only Bitcoin layer-2 bridge that has recently suffered an attack. On May 17, the XLink bridge was also targeted, resulting in a loss of $10 million. In this instance, a white-hat hacker managed to recover $4.3 million of the stolen funds. The XLink attack mirrored the one against Alex, as the attacker utilized a phishing technique to obtain the team’s private key, which was then employed to make unauthorized withdrawals.