Alex Bridge Incurs $4.3M Loss on BNB Smart Chain

Alex bridge incurs 4.3M loss following a suspicious upgrade that changed its implementation address on BNB Smart Chain.

A report published by blockchain security platform CertiK on May 14 indicates that the Alex protocol bridge connected to the BNB Smart Chain network encountered anomalous withdrawals amounting to $4.3 million shortly after its contract underwent an abrupt upgrade.

Alex is a layer-2 protocol for Bitcoin. Its official website states that it offers decentralized financial applications utilizing Bitcoin. Assets are transferred from other networks, including BNB Smart Chain and Ethereum, to its network via bridges.

According to blockchain data, the Alex deployer account executed five identical revisions to the “Bridge Endpoint” contract on BNB Smart Chain at 3:56 pm UTC. Subsequently, USD Coin USDC tickers decreased by $1.00, and Sugar Kingdom Odyssey (SKO), worth an estimated $4.3 million in Binance-Pegged Bitcoin BTC, was withdrawn from the BNB Smart Chain side of the bridge.

Due to the upgrade being executed by the deployer account of the protocol, CertiK classified the occurrence as “a potential compromise of private keys.” 

The upgrade transaction appended the year 7058 to the implementation address. The unverified bytecode nature of the new implementation renders it unintelligible to human observers.

Approximately forty-eight minutes after these enhancements commenced, the bridge contract’s proxy address invoked an unverified function at an address concluding in 4848E. At 4:44 pm, this led to the transfer of 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000), and $3.3 million worth of USDC to the address 484E.

Additionally, the attacker might be trying to siphon funds from other networks. Moments after the mysterious upgrade on BNB Smart Chain, a series of Alex upgrades of a similar nature transpired on Ethereum at 5:41 pm. The deployer upgraded the “artist address” to an unverified contract. Following that, an account with the last digit 05ed attempted to withdraw funds twice from the “team address.” These unsuccessful withdrawal attempts resulted in a “not owner” error.

Before May 10, the 05ed account had no history. Two additional unverified contracts were generated on May 14, and one was generated on May 10, suggesting that a malicious user may be in control of the system.

The Alex team has not addressed the incident or verified the exploit as of the time of publication.

In May, not only the Alex bridge was susceptible to a potential exploit. Equalizer, a decentralized exchange, disclosed on May 13 that an attacker had siphoned away in tiny increments over more than 2,000 of its tokens over several days. The May 6 breach of Gnus.ai also caused losses totaling $1.27 million.