A recent report from CertiK, a blockchain security platform, revealed that the Alex protocol bridge on the BNB Smart Chain network experienced suspicious withdrawals amounting to $4.3 million immediately after its contract was upgraded without warning.
Alex is a layer-2 protocol for Bitcoin that offers decentralized finance applications on the Bitcoin network. Its bridges are utilized to transfer assets from other networks, like BNB Smart Chain and Ethereum, to the Alex network.
Blockchain data verified that the Alex deployer account executed five identical upgrades to the “Bridge Endpoint” contract on the BNB Smart Chain, starting at 3:56 pm UTC. Following these upgrades, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were withdrawn from the BNB Smart Chain side of the bridge.
CertiK classified this event as a “possible private key compromise” since the upgrade was carried out by the protocol’s deployer account.
The upgrade transaction changed the implementation address to one ending in 7058. The new implementation is unverified bytecode: no verified source code has been published for it, so its logic is not human-readable.
Around 48 minutes after the upgrades began, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. As a result, 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC were moved to the address ending in 484E at 4:44 pm.
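The sequence described above (a proxy repointed to unverified code, then large outflows shortly after) is something a bridge monitor can alert on. The following is an added detection example, not code from CertiK or Alex; the event format, placeholder addresses, time window and USD threshold are all assumptions, and the sample events are constructed from the article's timeline and amounts.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumption: how long to watch a proxy after an upgrade
USD_THRESHOLD = 1_000_000     # assumption: outflow that warrants an alert

def detect_upgrade_then_drain(events, verified_impls):
    """Flag proxies upgraded to unverified code that then move out more than
    USD_THRESHOLD within WINDOW of the first upgrade to that implementation."""
    open_watch, done = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        proxy, w = ev["proxy"], open_watch.get(ev["proxy"])
        if ev["type"] == "upgraded":
            if w and w["impl"] == ev["impl"]:
                continue                      # repeated identical upgrade: keep first timestamp
            if w:
                done.append(open_watch.pop(proxy))   # implementation changed: close old watch
            if ev["impl"] not in verified_impls:
                open_watch[proxy] = {"proxy": proxy, "impl": ev["impl"],
                                     "since": ev["ts"], "usd": 0, "first_out": None}
        elif ev["type"] == "transfer_out" and w and ev["ts"] - w["since"] <= WINDOW:
            w["usd"] += ev["usd"]
            w["first_out"] = w["first_out"] or ev["ts"]
    return [{"proxy": w["proxy"], "impl": w["impl"], "usd": w["usd"],
             "minutes_to_first_outflow": int((w["first_out"] - w["since"]).total_seconds() // 60)}
            for w in done + list(open_watch.values()) if w["usd"] > USD_THRESHOLD]

def at(hhmm):
    # Constructed timestamps on an arbitrary day
    h, m = map(int, hhmm.split(":"))
    return datetime(2000, 1, 1, h, m)

# Constructed sample events; addresses are placeholders, amounts follow the article's figures.
VERIFIED = {"0xIMPL_VERIFIED"}
SAMPLE = (
    [{"ts": at("15:10"), "type": "transfer_out", "proxy": "0xBRIDGE_PROXY", "usd": 20_000}]
    + [{"ts": at(t), "type": "upgraded", "proxy": "0xBRIDGE_PROXY", "impl": "0xIMPL_UNVERIFIED"}
       for t in ("15:56", "15:58", "16:00", "16:02", "16:04")]
    + [{"ts": at("16:44"), "type": "transfer_out", "proxy": "0xBRIDGE_PROXY", "usd": usd}
       for usd in (983_000, 75_000, 3_300_000)]
    + [{"ts": at("16:00"), "type": "upgraded", "proxy": "0xOTHER_PROXY", "impl": "0xIMPL_VERIFIED"},
       {"ts": at("16:30"), "type": "transfer_out", "proxy": "0xOTHER_PROXY", "usd": 5_000_000}]
)

if __name__ == "__main__":
    for alert in detect_upgrade_then_drain(SAMPLE, VERIFIED):
        print(alert)
```

In a live deployment the `upgraded` events would come from the proxy's upgrade log and the verified set from the team's own release records, so an upgrade to any implementation outside that set can page someone before funds move.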
The attacker may also be attempting to drain funds on other networks. Just minutes after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades took place on Ethereum at 5:41 pm. In this instance, the deployer upgraded the “artist address” to an unverified contract. Immediately after, an account ending in 05ed tried to make two withdrawals from the “team address,” but these withdrawals failed due to a “not owner” error.
The 05ed account had no previous history before May 10. It created one unverified contract on May 10 and two more on May 14, suggesting that it might be controlled by a malicious user.
As of now, the Alex team has not confirmed the exploit or provided any comment on the incident.
The Alex bridge wasn’t the only protocol to face a potential exploit in May. On May 13, decentralized exchange Equalizer reported a loss of over 2,000 of its own tokens to an attacker who gradually siphoned them away over several days. Additionally, the Gnus.ai hack on May 6 resulted in losses of $1.27 million.