Suspicious $4.3 Million Withdrawal Follows Unexpected Upgrade on Alex Protocol Bridge

A recent security incident has impacted the Alex protocol bridge on the BNB Smart Chain network, resulting in the suspicious withdrawal of $4.3 million. This event occurred shortly after an unexpected update to the bridge’s contract, according to a report from blockchain security platform CertiK dated May 14.

Alex, a Bitcoin layer-2 protocol, facilitates decentralized finance applications by enabling the transfer of assets across various networks, including BNB Smart Chain and Ethereum, to Bitcoin. The incident unfolded when the Alex deployer account initiated five identical updates to the “Bridge Endpoint” contract at 3:56 pm UTC on the BNB Smart Chain. Following these updates, a significant sum of Binance-Pegged Bitcoin, Sugar Kingdom Odyssey (SKO), and funds were removed from the platform.

CertiK has expressed concerns that these withdrawals could result from a private key compromise, given that they were executed from the protocol’s deployer account. The upgrade involved changing the implementation address to one featuring unverified bytecode, which is not decipherable by humans.

Further suspicious activities were noted 48 minutes after the upgrades commenced. The bridge contract’s proxy address triggered an unverified function on a different address. This led to the transfer of 16 BTC (valued at $983,000), 2.7 million SKO tokens (worth $75,000), and $3.3 million in USDC at 4:44 pm.

The same pattern of dubious upgrades and attempted fund transfers was observed on the Ethereum network shortly after the BNB Smart Chain incident. The deployer made changes to the “artist address” that resulted in two failed withdrawal attempts from the “team address” due to a “not owner” error, indicating potential unauthorized access.

The account responsible for these attempts, identified only by its suffix “05ed,” appeared just days before the incident, with no prior history and several unverified contracts created under its name, suggesting possible malicious intent.

As of now, the Alex team has yet to issue an official statement regarding the breach or confirm the details of the exploit.

This event is part of a troubling trend in May, as demonstrated by other protocols like the decentralized exchange Equalizer and Gnus.ai, which also reported significant losses due to security breaches.