According to a May 14 report from blockchain security platform CertiK, the Alex protocol bridge on the BNB Smart Chain network suffered $4.3 million in suspicious withdrawals shortly after its contracts were suddenly upgraded.
Alex is a Bitcoin layer-2 protocol. According to its official website, it provides decentralized finance applications for Bitcoin. Its bridges are used to transfer assets from other networks, such as BNB Smart Chain and Ethereum, to its own network.
Blockchain data confirms that the Alex distributor account made five identical upgrades to the “bridge endpoint” contract on BNB Smart Chain, starting at 3:56 PM UTC. Approximately $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) were subsequently removed from the BNB Smart Chain side of the bridge.
Since the upgrade was performed by a protocol distributor account, CertiK labeled this event “Possible Private Key Compromise.”
The upgrade transaction changed the implementation address to an address ending in 7058. The new implementation is unverified bytecode and therefore not human-readable.
Approximately 48 minutes after the upgrade began, the proxy address in the bridge contract called an unresolved function on an address ending in 4848E. This resulted in 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC being moved to address 484E at 4:44 PM.
Attackers can also try to exfiltrate funds from other networks. A similar series of Alex upgrades occurred on Ethereum at 5:41 PM, just minutes after the suspicious upgrade occurred on BNB Smart Chain. In this case, the distributor upgraded the ‘Artist Address’ to an unconfirmed contract. Immediately afterwards, two withdrawal attempts were made to the ‘team address’ from an account ending in 05ed. These withdrawals failed with a “not the owner” error.
The 05ed account has no history before May 10th. One unconfirmed contract was created on May 10th and two more on May 14th, indicating that they may be under the control of malicious users.
At the time of publication, the Alex team had not confirmed the exploit or commented on the incident.
The Alex bridge wasn’t the only protocol to face a potential attack in May. On May 13, decentralized exchange Equalizer announced that it had lost over 2,000 of its own tokens to an attacker who stole tokens piecemeal over several days. The Gnus.ai hack that occurred on May 6 also resulted in a loss worth $1.27 million.