Major Losses for Alex Protocol Following Security Breach
On June 6th, the Alex Protocol, a Bitcoin Decentralized Finance (DeFi) platform operating on the Stacks blockchain, experienced a significant security breach, resulting in approximately $8.3 million in digital asset losses.
According to an announcement from Alex Protocol, the incident stemmed from a vulnerability in the self-registration verification system. An attacker exploited this flaw to drain liquidity from various asset pools.
The breach allowed the attacker to steal a total of 149,850 Bitcoin and 2.8 Wrapped Bitcoin (WBTC), along with around 8.4 million Stacks (STX) tokens, 21.85 Stacks Bitcoin (SBTC), USDC, and USDT. This has been marked as one of the largest exploits within the Stacks ecosystem to date.
In reaction to the incident, the Alex Lab Foundation, which supports the protocol, has committed to utilizing its Treasury Reserve to fully reimburse affected users.
Efforts to reach the Alex Protocol for additional comments via their X account were unsuccessful prior to publication.
Refund Process for Affected Users
The Alex Lab indicated that compensation will be provided in the form of USDC tokens. The calculations for refunds will be based on the average on-chain exchange rate calculated between 10 AM and 2 PM UTC on the day the incident occurred.
Affected wallets were to receive notifications on-chain by June 8th, which would include personalized billing forms. Users must complete these forms and submit their incoming wallet addresses by June 10th.
The team confirmed that claims would be reviewed and stated they aim to distribute USDC payments within a week. Users who do not receive the form are encouraged to contact the team via email.
While specific technical details regarding the exploit haven’t been disclosed, a post-mortem report is expected to follow.
Previous Incidents in May 2024
This isn’t the first time Alex Protocol faced a significant security incident. In May 2024, the platform also fell victim to exploits related to its cross-chain bridge infrastructure, resulting in the unauthorized withdrawal of $4.3 million in cryptocurrency.
The Defi protocol linked the May incident to the North Korean cybercrime group Lazarus. The team had worked alongside blockchain analyst ZachxBT to trace the stolen assets to three wallets utilized during the attack.
