ALEX Protocol, a DeFi platform built on Bitcoin’s Stacks layer, has suffered a second major breach—this time leading to an estimated $14 million loss.
The incident comes just over a year after an earlier attack drained $4.3 million through its cross-chain bridge.
Preliminary reports of suspicious activity started surfacing on social media, prompting the ALEX team to confirm a “safety incident.” The project later followed up with an in-depth post-mortem, while the official website remains offline for maintenance.
The exploit stemmed from a flaw in how failed transactions were handled on the Stacks network. The attacker reportedly exploited the protocol’s inability to properly verify transaction failures, using rejected data to falsely authorize fund withdrawals.
Crypto security firm QuillAudits pegged the damage at around $14 million. Among the stolen assets were 63.5 units of wrapped Bitcoin variants (aBTC and sBTC). The incident also rattled the broader Stacks ecosystem, with the price of ALEX plunging over 50% and STX—the network’s native token—dropping around 10%.
Confusion briefly surrounded the peg stability of sBTC after data feeds showed a deviation in price. However, a Stacks spokesperson clarified that the token remains on-peg when using official oracle data.
While the attack was isolated to ALEX, other projects in the Stacks ecosystem responded swiftly. Pontis paused its bridge to safeguard liquidity, and Bitflow removed the affected liquidity pools to prevent further risk.
This isn’t ALEX’s first encounter with a critical vulnerability. In May last year, $4.3 million was drained from its XLink bridge, a breach believed to be tied to a compromised private key. Following that incident, the team implemented various security upgrades and migrated critical contracts—but clearly, these measures weren’t enough to prevent this far more damaging exploit.