Suspicious $4.3M Withdrawal Follows Alex Protocol Bridge Upgrade on BNB Network: CertiK Reports
Summary:
Blockchain security service CertiK reported a suspicious withdrawal of $4.3 million from the Alex protocol bridge on the BNB network after an unexpected contract upgrade. The Alex protocol, a Bitcoin layer-2 application, facilitates asset transfers from other networks to its own. The "Bridge Endpoint" contract on the BNB Smart Chain was upgraded five times, followed by considerable asset withdrawals. The protocol's deployer account, which conducted the upgrade, might have compromised its own private key. The event is not yet confirmed by the Alex team and follows similar potential exploits earlier in May.
On May 14, blockchain security service CertiK released a report shedding light on the suspicious withdrawal of $4.3 million following an unexpected upgrade in Alex protocol's bridge on the BNB network. Alex protocol is a layer-2 Bitcoin application that provides Bitcoin-powered decentralized finance apps. The protocol's bridges facilitate the transfer of assets from networks like Ethereum and BNB Smart Chain to its own.
Blockchain data validates that the upgrade to the "Bridge Endpoint" contract on the BNB Smart Chain was implemented five times by the Alex deployer account from 3:56 pm UTC. The actions were followed by the extraction of Binance-Pegged Bitcoin (BTC), USD Coin (USDC), and Sugar Kingdom Odyssey (SKO) amounting to nearly $4.3 million from the BNB side of the bridge.
Considered an act of potential private key compromise due to the upgrade undertaken by the protocol’s deployer account, the event has raised concerns in the crypto community. Additionally, the transaction update changed the implementation address to one that concluded in 7058, and the revised implementation comprises unverified bytecode, making the data inaccessible to people.
Around 48 minutes into the upgrade, the proxy address for the bridge contract called on an unapproved function on an address ending in 4848E. The action led to a transfer of 16 BTC (valued $983,000), 2.7 million SKO (worth $75,000), and $3.3 million in USDC stablecoin at 4:44 pm to the address at 484E.
There have also been allegations about the perpetrator trying to extort funds from other networks. Just minutes post the suspicious upgrade on BNB Smart Chain at 5:41 pm, a similar chain of upgrades in Alex was observed on Ethereum. An unverified contract was immediately targeted when the deployer upgraded the “artist address". However, an account’s attempts in withdrawing from the "team address” failed, causing a "not owner" error.
At present, official comments from the Alex team regarding the exploit have not been given.
This event is not the only instance of potential exploit in May. On May 13, it was reported that over 2,000 tokens owned by decentralized exchange Equalizer were surreptitiously drained over a period of few days. Earlier in the month, Gnus.ai was also hit, resulting in losses amounting to $1.27 million. In a related development, CertiK recently discovered a $5M security flaw in the Wormhole bridge on Aptos.
Published At
5/14/2024 11:25:19 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.