According to a report from blockchain security platform CertiK on May 14, the Alex protocol bridge on the BNB Smart Chain network experienced $4.3 million in suspicious withdrawals following a sudden contract upgrade.

Alex is a layer-2 protocol for Bitcoin, offering decentralized finance applications on the Bitcoin network. Its bridges facilitate asset transfers from networks like BNB Smart Chain and Ethereum to its own network.

Blockchain data reveals that the Alex deployer account executed five identical upgrades to the “Bridge Endpoint” contract on BNB Smart Chain starting at 3:56 pm UTC. This resulted in the removal of approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) from the BNB Smart Chain side of the bridge.

CertiK suggested that the event might indicate a "possible private key compromise" since the upgrade was conducted by the protocol’s deployer account. The upgrade transaction changed the implementation address to one ending in 7058, which contains unverified bytecode, so its source code is not available for review.

About 48 minutes after these upgrades began, the proxy address for the bridge contract invoked an unverified function on an address ending in 4848E. Consequently, 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC were transferred to the address ending in 484E.
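
The sequence reported above, repeated upgrades to unverified code followed by large outflows from the same proxy, is a pattern that bridge monitoring can alert on. The Python below is an added example, not code from CertiK or Alex: the event fields, proxy labels, thresholds and minute offsets are constructed for illustration, and only the dollar amounts, the upgrade count and the 48-minute delay come from the figures above.

```python
from collections import defaultdict

# Constructed sample events (not real chain data). Field names are hypothetical.
# t_min = minutes since the first upgrade; USD amounts follow the article's figures.
SAMPLE_EVENTS = [
    *[{"t_min": t, "kind": "upgrade", "proxy": "bridge-bsc", "impl_verified": False}
      for t in range(5)],  # five upgrades; their spacing is constructed
    {"t_min": 48, "kind": "outflow", "proxy": "bridge-bsc", "usd": 983_000},
    {"t_min": 48, "kind": "outflow", "proxy": "bridge-bsc", "usd": 75_000},
    {"t_min": 48, "kind": "outflow", "proxy": "bridge-bsc", "usd": 3_300_000},
    # Benign control: upgrade to verified code, then a routine withdrawal.
    {"t_min": 10, "kind": "upgrade", "proxy": "other-proxy", "impl_verified": True},
    {"t_min": 30, "kind": "outflow", "proxy": "other-proxy", "usd": 500_000},
    # Unverified upgrade followed only by a small outflow: below the threshold.
    {"t_min": 5, "kind": "upgrade", "proxy": "small-proxy", "impl_verified": False},
    {"t_min": 20, "kind": "outflow", "proxy": "small-proxy", "usd": 1_200},
]

def find_upgrade_then_outflow(events, window_min=120, min_usd=100_000):
    """Flag proxies whose outflows follow an upgrade to unverified code.

    An outflow counts only if it occurs within window_min minutes after at
    least one unverified upgrade of the same proxy. A proxy is reported when
    the summed outflow reaches min_usd.
    """
    unverified = defaultdict(list)  # proxy -> times of upgrades to unverified code
    alerts = {}
    for ev in sorted(events, key=lambda e: e["t_min"]):
        proxy = ev["proxy"]
        if ev["kind"] == "upgrade":
            if not ev["impl_verified"]:
                unverified[proxy].append(ev["t_min"])
        elif ev["kind"] == "outflow":
            recent = [t for t in unverified[proxy]
                      if 0 <= ev["t_min"] - t <= window_min]
            if not recent:
                continue  # no unverified upgrade close enough before this outflow
            alert = alerts.setdefault(proxy, {
                "proxy": proxy,
                "upgrades": len(recent),
                "delay_min": ev["t_min"] - min(recent),  # first upgrade to first outflow
                "outflow_usd": 0,
            })
            alert["outflow_usd"] += ev["usd"]
    return [a for a in alerts.values() if a["outflow_usd"] >= min_usd]

if __name__ == "__main__":
    for alert in find_upgrade_then_outflow(SAMPLE_EVENTS):
        print(alert)
```
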

There are indications that the attacker might be targeting funds on other networks. At 5:41 pm, shortly after the suspicious upgrade on BNB Smart Chain, similar upgrades were carried out on Ethereum. In this instance, the deployer upgraded the “artist address” to an unverified contract. Following this, an account ending in 05ed attempted two withdrawals from the “team address,” both of which failed with a “not owner” error.

The 05ed account had no activity before May 10. It created one unverified contract on that date and two more on May 14, suggesting it may be controlled by a malicious user.

As of the report's publication, the Alex team has not confirmed the exploit or issued any statements regarding the incident.

The Alex bridge is not the only protocol to face potential exploitation in May. On May 13, decentralized exchange Equalizer reported the loss of over 2,000 tokens due to an attacker siphoning them off in small increments over several days. Additionally, the Gnus.ai hack on May 6 resulted in losses amounting to $1.27 million.