Alex Bridge on BNB Smart Chain Drains $4.3M After Suspicious Update – CertiK
According to a May 14 report by blockchain security platform CertiK, the Alex Protocol bridge on the BNB Smart Chain network spent $4.3 million in suspicious funds after its contract was suddenly updated.
Alex is the Bitcoin Layer-2 protocol. According to the official website, it offers decentralized financial applications on Bitcoin. Its bridges are used to transfer assets from other networks such as BNB Smart Chain and Ethereum to its own network.
Blockchain data confirms that Alex's account has made five identical updates to the “Bridge Endpoint” contract on the BNB Smart Chain since 3:56 pm UTC. An estimated $4.3 million worth of Binance-Pegged Bitcoin (BTC), USD Coin (USDC) and Sugar Kingdom Odyssey (SKO) has been removed from the BNB Smart Chain side of the bridge.
Since the modification was performed by the protocol's deployer account, CertiK flagged the event as a “probable private key compromise.”
The update transaction changed the execution address to one ending at 7058. The new implementation is unverified byte code, which makes it unreadable by humans.
48 minutes after these updates started, the bridge contract called an unauthenticated function on a proxy address ending in 4848E. That's 16 BTC ($983,000 at current prices), 2.7 million SKO ($75,000) and $3.3 million USD at 4:44 PM at address 484E.
The attacker may be trying to extort money on other networks. At 5:41 pm, a few minutes after a suspicious update on the BNB Smart Chain, a similar series of Alex updates occurred on Ethereum. In this case, the deployer has updated the “artist address” to an unconfirmed contract. Immediately after, an account ending in 05ed attempted to withdraw two funds from a “group address”. These withdrawals failed, causing a “not owned” error.
The 05ed account had no history prior to May 10. It created one unverified contract on May 10 and two more on May 14, indicating that it may be under the control of a malicious user.
At the time of publication, Alex's team did not confirm the exploit or comment on the incident.
Alex's bridge wasn't the only protocol to face a potential exploit in May. On May 13, decentralized exchange Equirator announced that it had lost more than 2,000 of its tokens to an attacker who had sunk in a few increments over several days. The May 6 hack of Gnus.ai resulted in a loss of $1.27 million.
Related: CertiK Finds $5M Security Flaw in Wormhole Bridge on Aptos