According to a recent CertiK report, the Alex protocol bridge on the BNB Smart Chain network experienced suspicious withdrawals amounting to $4.3 million right after its contract was unexpectedly upgraded.
Alex is a layer-2 protocol for Bitcoin that offers decentralized finance applications on the Bitcoin network. The protocol utilizes bridges to transfer assets from other networks like BNB Smart Chain and Ethereum to its own network.
Blockchain data confirms that the Alex deployer account executed five identical upgrades to the “Bridge Endpoint” contract on BNB Smart Chain starting at 3:56 pm UTC. Subsequently, approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were withdrawn from the BNB Smart Chain side of the bridge.
CertiK has categorized this event as a “possible private key compromise” since the upgrade was carried out by the protocol’s deployer account.
The upgrade transaction changed the implementation address to one ending in 7058. The new implementation is unverified bytecode: no source code has been published for it, so its logic is not human-readable.
Around 48 minutes after these upgrades began, the proxy address for the bridge contract called an unverified function on an address ending in 4848E. As a result, 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC were transferred to the address at 484E at 4:44 pm.
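
The sequence reported above, repeated upgrades to an unverified implementation followed by outflows from the proxy, is one that bridge monitoring can correlate. The following is an added example, not code from CertiK or the Alex project; the event records, placeholder address, upgrade times after 15:56, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events mirroring the reported timeline (UTC). Addresses are
# placeholders; upgrade times after 15:56 are assumed for illustration.
UP = {"kind": "upgrade", "impl": "0xIMPL_PLACEHOLDER", "verified": False}
EVENTS = [dict(UP, t=t) for t in ("15:56", "15:57", "15:58", "15:59", "16:00")] + [
    {"t": "16:44", "kind": "transfer_out", "token": "BTC", "usd": 983_000},
    {"t": "16:44", "kind": "transfer_out", "token": "SKO", "usd": 75_000},
    {"t": "16:44", "kind": "transfer_out", "token": "USDC", "usd": 3_300_000},
]

def parse(hhmm):
    return datetime.strptime(hhmm, "%H:%M")

def correlate(events, window=timedelta(hours=2), burst=3, min_usd=50_000):
    """Flag upgrades to unverified code and proxy outflows that follow them."""
    alerts, risky, seen_impl = [], [], set()
    for ev in sorted(events, key=lambda e: parse(e["t"])):
        now = parse(ev["t"])
        risky = [t for t in risky if now - t <= window]  # expire old upgrades
        if ev["kind"] == "upgrade" and not ev["verified"]:
            risky.append(now)
            if ev["impl"] not in seen_impl:  # alert once per implementation
                seen_impl.add(ev["impl"])
                alerts.append(("UNVERIFIED_IMPL", ev["t"], ev["impl"]))
            if len(risky) == burst:  # repeated upgrades in a short span
                alerts.append(("UPGRADE_BURST", ev["t"], len(risky)))
        elif ev["kind"] == "transfer_out" and risky and ev["usd"] >= min_usd:
            mins = int((now - risky[0]).total_seconds() // 60)
            alerts.append(("OUTFLOW_AFTER_UPGRADE", ev["t"], ev["token"], ev["usd"], mins))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In a live deployment the records would come from the proxy's upgrade events and token transfer logs, with the verification flag taken from a block explorer lookup.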
It is suspected that the attacker may also be attempting to drain funds on other networks. Just minutes after the suspicious upgrade on BNB Smart Chain, a similar series of Alex upgrades occurred on Ethereum at 5:41 pm. In this instance, the deployer upgraded the “artist address” to an unverified contract. Shortly after, an account ending in 05ed attempted to make two withdrawals from the “team address,” but these withdrawals failed, resulting in a “not owner” error.
The 05ed account had no history prior to May 10. It created one unverified contract on May 10 and two more on May 14, indicating that it may be under the control of a malicious user.
As of now, the Alex team has not confirmed the occurrence of the exploit or provided any comments on the incident.
It is worth noting that the Alex bridge is not the only protocol that faced a potential exploit in May. On May 13, decentralized exchange Equalizer disclosed that it lost over 2,000 of its own tokens to an attacker who gradually siphoned them away over several days. Additionally, the Gnus.ai hack on May 6 resulted in losses amounting to $1.27 million.