Analysts at CertiK Alert have reported a breach of the Alex Labs DeFi platform on the Bitcoin network, resulting in losses of approximately $4.3 million.
We have seen a suspicious transaction affecting @ALEXLabBTC
Initial evidence points to a possible private key compromise.
Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.
In total ~$4.3m worth of assets have… pic.twitter.com/02kiw2dFrm
— CertiK Alert (@CertiKAlert) May 14, 2024
Experts suspect a possible private key leak.
According to on-chain data, the incident occurred following updates to the Bridge Endpoint contract on the BNB Chain. Subsequently, an unknown party withdrew 16 BTC, 3.3 million USDC, and 2.7 million Sugar Kingdom Odyssey (SKO) from the protocol’s bridge.
The update operation call effectively changed the implementation address to an unverified bytecode, making this change inconspicuous at first glance.
The hacker’s address created two unverified contracts on May 10 and another two on May 14. Prior to this, the wallet showed no activity.
Following the commencement of updates, the proxy address of the bridge contract called an unverified function of another account, resulting in the funds being transferred to the perpetrator’s wallet.
Analysts believe the attacker may have attempted to target the protocol in other networks, as contract updates for Alex Labs were also initiated on Ethereum.
Representatives of the DeFi project confirmed the breach of the XLink bridge. The team reported collaborating with multiple exchanges and successfully freezing a portion of the stolen funds.
ALEX Security Update
We want to update our community about a recent exploit involving the XLink bridge. We are actively collaborating with exchanges, partners, and ecosystem contributors to address the situation. A significant amount of the funds associated with the hacker has…
— ᛤ ALEX ? THE Finance Layer on Bitcoin ᛤᛤᛤ (@ALEXLabBTC) May 15, 2024
Alex Labs also stated that they have identified the hacker’s identity and offered a 10% reward for the return of the assets by May 18.
Earlier on May 14, the perpetrator began siphoning funds from traders on the decentralized exchange Equalizer, stealing tokens worth tens of thousands of dollars.
Previously, on-chain researcher ZachXBT reported a probable hack of the Bahrain-based cryptocurrency exchange Rain, amounting to $14.8 million.