According to a May 14 report from blockchain security platform CertiK, the Alex protocol bridge on the BNB Smart Chain network suffered $4.3 million in suspicious withdrawals just after its contract was suddenly upgraded.
Alex is a Bitcoin layer-2 protocol. According to its official website, it provides decentralized finance applications on Bitcoin. Its bridges are used to transfer assets from other networks, such as BNB Smart Chain and Ethereum, to its own network.
Blockchain data confirms that the Alex deployer account performed five identical upgrades to the “Bridge Endpoint” contract on BNB Smart Chain beginning at 3:56 pm UTC. Approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were subsequently removed from the BNB Smart Chain side of the bridge.
Because the upgrade was performed by the protocol’s deployer account, CertiK labeled the event “a possible private key compromise.”
The upgrade transaction changed the implementation address to one ending in 7058. The new implementation is unverified bytecode, making it unreadable to human beings.
About 48 minutes after these upgrades began, the proxy address for the bridge contract called an unverified function on an address ending in 4848E. This resulted in 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000) and $3.3 million worth of USDC at 4:44 pm, being moved into the address at 484E.
The attacker may also be attempting to drain funds on other networks. At 5:41 pm, just minutes after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades occurred on Ethereum. In this case, the deployer upgraded the “artist address” to an unverified contract. Immediately afterward, an account ending in 05ed attempted to make two withdrawals from the “team address.” These withdrawals failed, producing a “not owner” error.
The 05ed account had no history before May 10. It created one unverified contract on May 10 and two more on May 14, indicating that it may be under the control of a malicious user.
At the time of publication, the Alex team has not confirmed the exploit or commented on the incident.
The Alex bridge wasn’t the only protocol to face a potential exploit in May. On May 13, decentralized exchange Equalizer announced that it had lost more than 2,000 of its own tokens from an attacker who siphoned them away in small increments over several days. The Gnus.ai hack on May 6 also resulted in $1.27 million worth of losses.
Related: CertiK discovered $5M security flaw in Wormhole bridge on Aptos