Just over a year after a suspected private key hack, “Bitcoin DeFi” platform ALEX Protocol has been exploited again, this time with losses estimated at $14 million.
The team initially announced a security incident, following reports of a hack circulating on X, before later publishing a more detailed incident report. The project’s website remains “under maintenance.”
The report points to an issue with correctly identifying failed transactions on Stacks, a DeFi-focused layer two scaling solution for the Bitcoin network.
This allowed the attacker to bypass checks using data from a failed transaction and withdraw the funds.
The “partial loss of funds” amounts to an estimated $14 million, according to crypto security firm QuillAudits.
Among the tokens stolen was 63.5 wrapped bitcoin (aBTC and sBTC). Crypto price tracking website CoinGecko shows sBTC as trading significantly off-peg, though this may be due to a feed that incorporates other tokens, including ALEX.
A Stacks representative provided a link to the DIA Oracle feed, showing sBTC on-peg.
Similarly, the price of Stacks’ STX is down roughly 10% on the day, and the platform’s own ALEX token is down over 50%.
Other Stacks-based projects have confirmed that the exploit is contained to the ALEX Protocol, but Pontis has paused its bridge to contain funds within the network, and Bitflow, Stacks’ exchange aggregator, is removing the affected pools from its routes.
Last May, in what Certik suspected was a private key compromise, $4.3 million was removed from ALEX Protocol’s XLink bridge connecting the project to Binance’s BNB Chain.
Despite the security upgrades and the migration of exchange and token contracts that followed, the changes have apparently proved insufficient to prevent today’s even more costly attack.
Edit 21:30 UTC, June 6: Updated piece to reflect confusion around sBTC’s apparent depeg.